Open-source intelligence (OSINT) collection is a powerful tool commonly used by organisations and businesses to gather information about their competitors, customers, and the overall industry for due diligence purposes, or as an intelligence product. However, in the UK, it’s important for these organisations and businesses to be aware of and comply with the laws and regulations that govern data protection and privacy.
Data Privacy Legislation
We commonly hear that ‘GDPR doesn’t apply’. Very significant to OSINT collection is the Data Protection Act 2018 and the UK GDPR. The General Data Protection Regulation (GDPR) is a regulation of the European Union (EU) that came into effect on 25 May 2018. The regulation was designed in order to harmonize data protection laws across the EU and to give individuals more control over their personal data. GDPR applies to any company that processes the personal data of EU citizens, regardless of where the company is based.
In the United Kingdom, GDPR was incorporated into UK law through the Data Protection Act 2018 (DPA). The withdrawal of the UK from the EU led to the formation of the new domestic data privacy law known as ‘UK GDPR’. The DPA 2018 sets out the data protection framework in the UK. It contains three separate data protection regimes. Part 2 of the DPA sets out a general processing regime (the UK GDPR) and Part 3 of the DPA sets out a separate regime for law enforcement authorities.
The UK GDPR essentially does not differ much from GDPR. It is made in line with the GDPR law text but amended to substitute the parts of the text that read ‘EU’ and ‘Union law’ with ‘UK’ and ‘domestic law’. Most importantly, the core provisions of the GDPR remain the same under UK-GDPR. Both the DPA and UK GDPR work in tandem and affect all organisations processing personal data on UK citizens, whilst the EU GDPR relates to the processing of personal data in the EU.
The DPA and UK GDPR set out rules for the handling and processing of personal data, which may be relevant to OSINT collection if it involves the gathering of personal information relating to data subjects (defined as ‘an identified or identifiable natural person’ Section 3(5) DPA 2018). The legislation outlines that organisations must have a lawful basis before collecting and processing personal data and must take steps to protect the security of that data. This means that organisations must be transparent about their data collection practices or risk substantial regulatory fines from the Information Commissioners Office (ICO) – up to £17.5 million or 4% of the breaching companies’ global turnover.
It is therefore important for organisations to have a clear understanding of the legal and regulatory requirements for OSINT collection under data protection legislation. This includes conducting regular audits of their data collection practices as well as implementing policies and procedures in accordance with ICO guidance and data protection legislation.
Investigatory Powers and RIPA
Also relevant to OSINT collection is the Investigatory Powers Act 2016 (also known as the “Snooper’s Charter”) and Regulation of Investigatory Powers Act 2000 (RIPA). Both legislation provide legal oversight for the use of investigatory powers by law enforcement and intelligence agencies. They regulate the use of certain types of surveillance and intelligence-gathering techniques, including those that may be used in OSINT collection.
RIPA was originally enacted to legislate the way in which public bodies, such as the police, GCHQ,
and the Government itself, intercepted and monitored communications. Increasingly we are seeing private companies supporting these agencies and falling under RIPA.
RIPA is enhanced through a Code of Practice which explains how RIPA is to be used by those exercising the powers available to them through the Act. The Code requires that authorities using the powers under RIPA must justify their surveillance actives to be necessary and proportionate.
The types of activities covered by RIPA are:
- Conducting covert surveillance in public places.
- Collecting communications data.
- Intercepting communications.
- Using covert human intelligence.
Businesses, too, can be subjected to the powers under RIPA. Public bodies may use private
contractors for activities that may be authorised to act under RIPA. The general legal position is that RIPA does not apply to activities of a private company, however, that position is different when a private company is contracted by a government entity to carry out an activity that may amount to directed surveillance activities. To protect human rights, any public body or business seeking to utilise the powers available to them under RIPA must seek approval to do so. Authorisation can only be given once the authority can demonstrate that their proposed activities are necessary and proportionate.
Whether you are an organisation or a government entity, there is a certain level to which activity by an analyst or investigator would not amount to requiring authorisation. That threshold is crossed when that activity starts to, for instance, build a pattern of life on an individual, monitor them generally, or extract and save information for a record. The threshold, therefore, is quite low.
Adhering to laws and policies is crucial when conducting OSINT research for several reasons. OSINT is often used for investigations, and breaking laws or disregarding policies can compromise the integrity of the investigation and lead to legal issues for the organisation. Second, when conducting OSINT, it is important to respect individuals’ privacy rights. Ignoring laws and policies can result in the collection and dissemination of personal information that is not relevant to the investigation and can lead to potential legal and reputational issues such as fines from Data Protection Authorities such as the ICO.
In conclusion, OSINT collection is a powerful tool for organisations to gather information, but it is important for these organisations to be aware of and comply with the laws and regulations that govern data protection and privacy. Adhering to legislation ensures that investigations are conducted in a legal and ethical manner, respects individual’s privacy rights, and protects individuals’ personal information.
If you need any advice surrounding GDPR, Data Protection Law, RIPA, or the IA, get in touch using the button below.
