Data Protection Act s28(3)/s29(3) form

1999 to 2002 - The original DPA Disclosure Form

ACPO (The Association of Chief Police Officers) and the ISP industry worked together to produce a standardised form for requests for data under section 28(3)/29(3) of the Data Protection Acts 1984 and 1998. The aim of this form is to ensure that ISPs have sufficient information to decide whether they are in a position to release information under the provisions in section 29(3) of the 1998 Data Protection Act (previously section 28(3) of the 1984 Act).

The wording was agreed at a meeting held at the Data Protection Registrar's office on 11th Jan 1999 where outstanding issues were resolved. Subsequently the ACPO/ISP forum (now known as the Internet Crime Forum) agreed the text and ACPO distributed it to all police forces.

The form consisted of three parts:

The form itself (in rtf and reproduced below in html).
The short-form notes to be printed on the back of the form.
The long-form guidance material to be provided to police forces and ISPs.

It does not oblige ISPs to take any action.

2003 - Revised, RIPA compliant DPA Disclosure Forms

Many of the issues of disclosure were subsequently explored in the LINX Privacy BCP, in particular Section 9.

At the time of writing the BCP (May 2001) it was expected that the provisions contained in Part 1 Chapter 2 of the Regulation of Investigatory Powers Act 2000 would be in force by Summer 2001. The preparations for implementing RIPA Pt1 Ch2 involved the development of new processes, and RIPA-compliant forms, within the law enforcement community.

However, a number of delays frustrated the switch from DPA to RIPA regimes, and in December 2002, ACPO announced that it would be distributing and using a new 29(3) form, based on processes which are essentially the same as those that were expected to be employed when RIPA Pt1 Ch2 was commenced.

There were two new forms.

The application by an investigating officer, which was processed by the Single Point of Contact (SPOC).

The SPOC is a specialised unit within each law enforcement agency (typically a county police force), trained in the lawful acquisition of communications data. It is agreed that CSPs will only respond to requests from SPOCs, and not individual police officers.

Although the form only mentions telephony data, it was expected to be also used for Internet data.

The protective marking "RESTRICTED" applied to the form AFTER it had been completed. ACPO have given permission for these two blank forms to be available on this public website.

The form which is sent to the ISP. A notice issued under 22(4) of RIPA must be complied with by an ISP, but until RIPA Pt1 Ch2 was commenced, this form did not oblige ISPs to take any action.

2004 onwards - RIPA Disclosure

The relevant sections of RIPA came into force on 5th January 2004, and the forms and other material are available from the Home Office Website.

It is possible that there are some circumstances where a RIPA form is not appropriate (for example, when investigating a death were no crime is suspected) and therefore it is possible that the DPA forms will still be invoked from time to time. It is, however, Home Office policy that DPA forms are not used if the same enquiry could be made under RIPA.

The form

BLANKSHIRE POLICE

Police Headquarters, The Green, Much-Binding-in-the-Marsh, AM3 4XX

Phone: 01034 123456 Fax: 01034 123457

REQUEST FOR DISCLOSURE OF PERSONAL DATA

Under section 28(3)/29(3) of the Data Protection Acts 1984 c.35 and 1998 c.29

To: [note 1] ISP reference: [note 2]

Please provide the data concerning the following subject [note3]:

Please provide the following information:

Name and address

Account name or number

Other (specify): [note 4]

Offence being investigated:

Reason that the information is necessary [note 5]:

I certify that completing the above section would itself prejudice the prevention or detection of crime [note 6].

pages of further information [note 7] are attached.

I certify that the data is required for the prevention or detection of crime or for the apprehension or prosecution of offenders, and that failure to disclose the data would be likely to prejudice these matters.

The requested data are required for case reference [note 8]. It is possible that this data may have a relevance in future to as yet unidentified offences and it may need to be used in such an event. It will not be used in any way incompatible with the purpose for which it is being disclosed.

I understand that if any information on this form is omitted or wrong I may be committing an offence under section 5(6) of the Data Protection Act 1984 and/or section 55 of the Data Protection Act 1998.

Signed:	Date:
Name and number:	Rank

Authorised:	Date:
Name and number:	Rank:

This application must be authorised by a person who is senior to the requesting officer, and of a rank no lower than Inspector. See note 9.

NOTES

REQUEST FOR DISCLOSURE OF PERSONAL DATA

Under section 28(3)/29(3) of the Data Protection Acts 1984 c.35 and 1998 c.29

Note 1: give the company name here, and any particular contact name on the covering letter or fax.

Note 2: this space is reserved for the information provider.

Note 3: give here the identifying information that you have available. It will be assumed that you want information on all accounts matching that information.

If specifying an IP address, you must attach an explanation why an IP address is being specified.
If specifying a URL, a printout of the page should be attached to the request (if possible) to enable the ISP to confirm the URL is correct.

Note 4: state here what specific information is being requested and why. Do not ask for "all information known about the account" or something similar. If in doubt, discuss the matter with the ISP's contact before making the request.

Note 5: give here enough information that the recipient can make a decision whether to disclose in accordance with your declaration.

Note 6: if this applies, tick the box to the left and leave the previous section blank. The authorising officer (note 9) must have the rank of Superintendent or above in this case.

Note 7: tick this if you have attached any information mentioned in these notes, or any other material that the ISP may find useful for processing the request. Show how many pages have been attached, number those pages, and place the case reference (see note 8) on each page.

Note 8: give here a case number, file number, case name, or any other reference that identifies the investigation being made. It is not necessary to specify the details of the case or any other names.

Note 9: the authorising officer must be senior to the requesting officer and of the rank of Inspector or above (Superintendent or above where no reason for the request is given). You must give full details of both officers.

GUIDANCE ON USE OF THE FORM

REQUEST FOR DISCLOSURE OF PERSONAL DATA

Under section 28(3)/29(3) of the Data Protection Acts 1984 c.35 and 1998 c.29

This form has been designed by a committee representing both Police forces and Internet Service Providers and meeting under the auspices of ACPO. This committee aimed to produce a single form that would be recognised by all ISPs and contained precisely the information they needed. Police forces are therefore requested to use the form exactly as provided except of course for replacing the Force name, logo, and details with their own and possibly modifying the notes on the back to refer to their specific procedures. Use of this form will allow ISPs to streamline the handling of requests for personal data.

Section 28(3) of the Data Protection Act 1984 (section 29(3) of the 1998 Act) gives ISPs the authority to release personal data to the police provided that certain criteria are met; in addition, the Data Protection Registrar has placed further interpretations on the Act. Failure to meet these criteria could mean that the ISP, the requesting officer, or both are committing a criminal offence. For these reasons the form must be completed properly and the wording must not be changed. Use of this form does not exempt either party from the provisions of any other legislation which may cover the information being requested.

Note 1

The form should be addressed to the ISP as a company, and not to a specific person or department. The form would normally be sent with a covering letter or fax, and that can of course be addressed more specifically.

Note 2

This space is reserved for the ISP to use. If you have contacted the ISP ahead of time they may provide you with a reference to place there. Otherwise leave it blank. If you contact the ISP again about this request you should quote that reference.

Note 3

There tend to be two kinds of request:

Data such as a name, address, or telephone number are known and the requesting officer has reason to believe the subject has an account with the ISP and wishes to identify that account.
- If a name is given, the ISP will search for accounts held in that name. Unless the name is an unusual one, other information such as an address or telephone number will probably be necessary. Section 28(3)/29(3) may not be used for "trawling" ISP records.
- If an address or telephone number is given, the ISP will search for accounts where the customer's records include that address or telephone number. Officers should be aware that not all ISPs are able to search by address or by telephone number.
Data such as email address, account name, or web page URL are known and the requesting officer is attempting to identify the person behind that identifier.
- If an email address is given, the ISP will provide details of the account that has that address. In general an email address looks like fred@xxx.com and will always include an @ sign. An email address will sometimes have the format Fred Bloggs <fred@xxx.com> where there is a "comment" associated with the address. This comment is created by the person sending the email and so need bear no resemblance to the actual account holder's name. Therefore the complete email address should always be quoted. It is easy to forge email addresses in many contexts, and therefore the complete message or posting that is being used as a source of information - including any header lines - should be attached to the request.
- If an IP address is given the date and precise time that the address was used together with the source must be included. Some ISPs allocate IP addresses from a central pool, and so the address alone does not identify an account because it would have been used by many different accounts.
- If a web URL is provided the ISP will provide details of the account operating the relevant web site or part of the site. A URL is the "address" of a web page, and typically looks like http://www.xxx.com/abc/def.html - it will be displayed by a web browser when viewing the page. Whenever possible a printout of the page should be included with the form to allow the ISP to confirm that the correct page is being viewed.
  Some web sites use a technique called "frames", where two or more pages are displayed on the screen at the same time. When this happens the URL displayed by the browser will be that of one of the pages and does not identify the other pages (which could be part of a different site). In this case the actions taken to reach the page should be described and a printout must be attached, annotated to indicate which specific page is of interest.

Note 4

If other information is required, it should be specified here. It is not acceptable to request "all information known about the account". Not all ISPs may be able to provide certain kinds of information conveniently or even at all, and some data may only be held for a certain length of time. If in doubt, the specifics of the situation should be discussed informally with the ISP before making the request; it may be possible to identify some item of data that meets the Police requirement while being convenient for the ISP to provide.

Note 5

Give here enough information that the recipient can make an decision whether to disclose in accordance with your declaration. This information must relate to the specific case that is being investigated, and a clear explanation must be given as to why you need this information and why you will be hindered if it is not provided.

Note 6

There are some rare situations where such an explanation would itself prejudice the case (for example, where you have evidence pointing at an unknown member of the ISP's staff) and in these cases you can tick this and leave the previous section blank.

Note 7

The requesting officer should attach any relevant items mentioned in this guidance, and any other material that the ISP might find useful for processing the request. The attachments should be numbered and carry the case reference given on the form (see note 8). The ISP can only make use of material attached in this way when determining whether or not to respond to the request.

If any information is attached, the box on the form must be ticked and the number of pages given.

Note 8

The requesting officer should specify the case number, file number, case name, or any other reference that identifies the investigation being made. It is possible that the ISP will need to contact the Force making the request months or even years later, and it is essential that the specific case can be identified without needing to contact the original requesting officer. Individual Police forces will have their own policies for this identifier, and it need not be meaningful to the ISP (except that it should be clear when several requests relate to the same investigation).

The Data Protection Act only allows release of information where both the information is required for one of the purposes listed and failure to disclose the data would be likely to prejudice the matter. This form must not be used where the only purpose is to confirm known facts, for general intelligence, or for administrative reasons.

Note 9

The ISP is only permitted to reveal personal data if they are reasonably convinced that the two conditions mentioned above are true, and the Data Protection Registrar has issued guidance concerning statements from Police officers. To protect both the ISPs and the requesting officer from inadvertently breaching the Act, it has been agreed that the ISP will refuse this request if:

the form has not been signed by both requesting officer and authorising officer and their full details given, or
the authorising officer is not of a rank senior to that of the requesting officer, or
the authorising officer is below the rank of Inspector (Superintendent if note 6 applies).

The requesting and authorising officers should be aware that they are each making a statement that the two conditions are true, and that obtaining personal data under false pretences may be a criminal offence.