Audit Committee – 27 March 2026

Regulation of Investigatory Powers Act 2000 and Investigatory Powers Act 2016

Purpose

For Review

Classification

Public

Executive Summary

This report provides Audit Committee with an update on the Council’s use of its powers under the Regulation of Investigatory Powers Act 2000 (‘RIPA’) and the Investigatory Powers Act 2016 (‘IPA’).

 

It also includes an update on training provided to officers on RIPA and the IPA.

 

Appended to this report is the recently updated Surveillance Policy for members to review to ensure that it is fit for purpose.

 

This report also provides an update on the Council’s current review by the Investigatory Powers Commissioner’s Office (‘IPCO’).

Recommendations

That Audit Committee:

1.  Notes the use made by the Council of its powers under RIPA and the IPA;

2.  Notes the update provided; and

3.  Endorses the Surveillance Policy.

Reasons for recommendations

In accordance with the Surveillance Policy the Audit Committee should be updated on an annual basis on the Council’s use of its powers under RIPA/IPA and should review the Council’s policy to ensure that it is fit for purpose.  

This report ensures that the Audit Committee is so updated in accordance with these requirements.

Wards

All

Portfolio Holder

Councillor Jeremy Heron – Finance and Corporate

Strategic Directors

Alan Bethune – Strategic Director Corporate Resources (Section 151 Officer)

Officer Contact

Amanda Wilson

Service Manager – Legal and Information Governance

02380 285306

amanda.wilson@nfdc.gov.uk

 

Introduction and background

1.           The purpose of this report is to provide the Audit Committee with a summary of the Council’s use of its powers under RIPA and the IPA.

 

2.           RIPA and the IPA provide a statutory framework whereby certain surveillance and information gathering activities can be authorised and conducted by the Council in a lawful manner where they are carried out for the prevention and detection of crime and, in some cases, for the prevention of disorder.

 

3.           When the Human Rights Act 1998 came into force in 2000 it made the fundamental rights and freedoms contained in the European Convention on Human Rights (‘ECHR’) enforceable in the UK.

 

4.           Article 8 of the ECHR provides that individuals have the right to respect for private and family life and Article 6 of the ECHR provides that individuals have the right to a fair trial.

 

5.           The use of covert surveillance techniques is considered to be an interference with this Article 8 right and therefore RIPA provides a framework to render lawful surveillance activities which might otherwise be in breach of the ECHR. It is also aimed at ensuring that evidence obtained against a person to be used in criminal proceedings is obtained in a fair manner.

 

6.           There are three separate investigatory powers available to the Council, two of which are under RIPA:

·         Directed surveillance – which includes covert surveillance in public areas (not including residential premises or private vehicles, which is never permissible) which is likely to result in the obtaining of private information.

·         Use of Covert Human Intelligence Sources (‘CHIS’) – where a person establishes or maintains a personal or other relationship with a person for the covert purpose of using the relationship to obtain information or to provide access to any information to another person or to covertly disclose information obtained by the use of such a relationship, or as a consequence of the existence of such a relationship. This includes undercover officers/ public informants.

And the third under the IPA:

·         Obtaining communications data from telecommunications and postal operators – this includes service use or subscriber information (but not the content of a communication).

7.           Before the Council may undertake these surveillance activities, there are various criteria which must be met including only carrying out covert surveillance where the criminal offence under investigation ordinarily carries a term of imprisonment of 6 months or more, its use is authorised internally by a senior officer (known as an Authorising Officer) and the external approval of the application by a Magistrate. Magistrates’ approval also applies for the use and conduct relating to CHIS operatives.

 

8.           For obtaining communications data under the IPA, authorisations involve scrutiny by the National Anti-Fraud Network, a body which acts as a Single Point of Contact on behalf of the Council to obtain external authorisation from the IPCO and obtaining the relevant data from communication providers.

 

9.           The information obtained as a result of surveillance operations or acquired from telecommunications and postal operators can be relied on in court proceedings providing RIPA or the IPA is complied with.

 

The Council’s use of RIPA and the IPA

10.       The Council rarely uses its powers under RIPA and the IPA. The Council has not authorised any surveillance activities under RIPA or the IPA since the last report to the Audit Committee in March 2025, and members will note that no activity was recorded in the year before March 2025.

 

11.       The Council provides a statistical return annually to the IPCO confirming its use of powers for the preceding calendar year. Accordingly, for 2025, this was a nil return.

 

IPCO Inspection

12.       The IPCO provides independent oversight of all public authorities using covert investigatory powers under RIPA and the IPA. Its statutory role includes ensuring that any use of surveillance, CHIS, or communications data is lawful, necessary and proportionate. As set out above, it also has a role in the approval process for the acquisition of communications data.

 

13.       The IPCO also exercises robust inspection powers, granting inspectors access to systems, records and staff to review the full chain of decisionmaking and compliance. Inspection outcomes guide continuous improvement.

 

14.       The IPCO’s current approach is to no longer routinely undertake physical inspections of all local authorities. Instead, each local authority is required to provide a written update on its compliance with the legislation. Following the response to this written update, the IPCO will assess whether a further remote or on-site inspection is required.

 

15.       The Council’s last inspection was carried out in 2022. There were no areas of non-compliance identified. The inspection did identify several observations and recommendations to improve the Council’s compliance.

 

16.       On 10 July 2025, the IPCO wrote to the Council to request a written update. Officers have engaged with the IPCO, reviewed RIPA/IPA policies and documentation and taken steps to address the observations and recommendations previously made.  A final update was provided to the IPCO on 4 March 2026. The Council is waiting to hear from the IPCO regarding the next steps.

Updated Surveillance Policy

17.       Previously, the Council had separate policies for surveillance, comprising a directed surveillance policy, CHIS policy, and acquisition of communications data policy. The directed surveillance and CHIS policies were consolidated several years ago.

 

18.       In keeping with the approach of other local authorities, and as part of the recent review, it was identified that it was appropriate to consolidate the acquisition of communications data policy into the principal Surveillance Policy.

 

19.       The updated Surveillance Policy was agreed by the Council’s Executive Management Team on 27 January 2026. This is included at Appendix 1. The updates to the Surveillance Policy include:

 

o   Reflecting the requirements of the current Home Office Codes of Practice issued under RIPA/IPA.

o   Additions regarding use of social media.

o   Further guidance on non-RIPA surveillance activity.

o   Changing the role of Senior Responsible Officer from the Chief Executive to the Council’s Monitoring Officer.

o   Updates to job titles of Authorising Officers.

o   The requirement for Authorising and Investigating Officers to attend training every 2 years.

 

20.       There is no change to the Council’s approach to the powers available under RIPA and IPA and the existing governance arrangements in respect of these powers remain in place.

Training and awareness

21.       In accordance with the Surveillance Policy all Authorising Officers and Investigating Officers should attend at least one training session every two years and further sessions as and when required.

 

22.       Any officer contemplating the use of RIPA/IPA is required to seek advice from the Council’s Legal Team prior to taking any action.

 

23.       Over 40 employees with responsibilities related to RIPA/IPA, as Investigating Officers, Authorising Officers, or Legal Advisers were provided with training on RIPA/IPA and the Council’s Surveillance Policy during January/ February 2026. This training is recorded centrally by the Legal Team and recorded on each employee’s learning record.

 

24.       Further training is due to take place in 2028.

 

25.       Corporate awareness will be raised through annual updates being provided to all staff through the all staff communications email. The last update was provided on 6 March 2026.

Corporate plan priorities

26.       The updated Surveillance Policy and steps taken to ensure compliance with RIPA and the IPA support the Council’s Corporate Plan 2024 to 2028 for people, place and prosperity.

 

27.       The steps taken support good governance and the Council’s lawful approach to enforcement and keeping communities safe.

Consultation undertaken

28.       The Executive Management Team were provided with an update on RIPA/IPA, and approved the updated Surveillance Policy, on 27 January 2026.

 

29.       The Service Manager for Community Safety and Support was consulted on the CCTV elements of the Surveillance Policy.

Financial and resource implications

30.       There are none arising directly from this report.

 

Legal implications

31.       The Council must ensure that any use of investigatory powers under RIPA and the IPA is lawful, necessary, and proportionate, in line with statutory requirements and the Home Office Codes of Practice. Failure to comply may result in legal challenge, evidential issues in enforcement activity, and criticism from the IPCO, which has powers to inspect, review compliance, and issue recommendations.

 

32.       An updated policy, regular training and reporting help maintain strong governance.

Risk assessment

33.       A formal risk assessment is not deemed to be required.

Environmental / Climate and nature implications

34.       There are none arising directly from this report.

Equalities implications

35.       There are none arising directly from this report.

 

36.       Enforcement activities to promote and protect the environment are undertaken by the Council but have not required the use of covert surveillance.

Crime and disorder implications

37.       Ensuring compliance with RIPA and IPA safeguards strengthens the Council’s ability to undertake lawful and proportionate enforcement activity, supporting effective prevention and detection of crime and disorder.

Data protection / Information governance / ICT implications

38.       There are data protection implications associated with surveillance activity, as well as other enforcement activity. These are covered within the updated Surveillance Policy.

 

39.       RIPA/IPA is designed to ensure that individual’s rights to privacy are protected and interference with Article 8 rights under the EHCR is limited by way of specific authorisation and in very specific cases. The Council’s use of RIPA/IPA and understanding of the requirements supports the protection of individual rights.

 

 

Appendices:

Background Papers:

Appendix 1–Surveillance Policy

 

 

Published documents as referred to within report