
Regulation of Privacy & Surveillance

Privacy law in the UK sets out the contexts and situations in which an individual within the UK jurisdiction has a right to privacy of information.

The Human Rights Act of 1998 brought English law into line with the European Convention on Human Rights. The European Convention contains an explicit declaration of the right of an individual to have their private life and information protected.

Issues of privacy invasion can affect anyone in the country. It is not just celebrities and public figures that have to guard against private details of their lives being made public. People can still have their details made public unlawfully if they are connected to a criminal investigation or if they are wrongly placed on the police DNA database.

Here are some of the ways in which the human right to privacy is protected under UK law.


There are limits on how surveillance can be carried out, and who is authorised to carry it out. There are numerous different types of surveillance, and their legality depends largely on who is carrying them out and why.

Intrusive Surveillance

Intrusive surveillance is designed to gain information or intelligence from surveilling the more private areas of an individual’s life – inside their home or private vehicle, for example.

There are some circumstances in which surveillance from outside could be considered to be intrusive surveillance, particularly with advancements in technology. If surveillance equipment is used outside a private residence, but it is advanced enough that it surveils to the same standard that equipment placed inside the residence could, this would count as intrusive surveillance, regardless of where the surveillance equipment is placed.

Intrusive surveillance will only be authorised for the most serious of investigations – the surveillance must be crucial to the investigation or prevention of serious crime, or the maintenance of UK national security and economic health. Intrusive surveillance must be the best available option to be considered – if it would be possible to gain the information sought by an intrusive surveillance operation via other means, those other means should be considered first.

There are very few individuals with the power to authorise intrusive surveillance, this power being limited to the home secretary and a small group of others. All authorisations are overseen by a Surveillance Commissioner, who must give authorisation before any intrusive surveillance can begin (unless the matter is urgent and surveillance needs to begin immediately).

Directed Surveillance

Directed surveillance is a less invasive form of surveillance, as it is generally conducted in a more public arena, and is not considered to violate an individual’s privacy in the same way that intrusive surveillance would.

Surveilling someone in a public place is a common way of carrying out directed surveillance, by way of listening devices or taking photographs. Naturally, whilst surveilling in a public place, it is likely that others will also be surveilled – this should be taken into account when authorising the surveillance.

Directed surveillance can also be used to monitor a private place, such as an individual’s home. This is considered acceptable under directed surveillance limitations, as long as the surveillance equipment used is not so sophisticated as to match the surveillance capabilities of equipment that would be used inside the building or vehicle.

Unlike intrusive surveillance, directed surveillance can be authorised by lesser powers than the home secretary and a Surveillance Commissioner. Local authorities, such as a city council, can have the power to authorise directed surveillance in certain circumstances – although a local authority’s power to initiate surveillance will be significantly less than the power that police or security services hold.

A local authority can only instigate directed surveillance to detect and prevent crime (CCTV cameras in a town centre to spot and deter troublemakers, for example). Higher authorities, such as the police, can authorise directed surveillance for other more specialised purposes.

Covert Human Intelligence Sources

A Covert Human Intelligence Source (CHIS) can be anyone authorised by a particular authority to carry out surveillance on an individual or group of individuals they have formed a relationship with, whether this relationship was a previously existing one, or one formed for the purposes of this surveillance.

A CHIS is not a specially trained officer – often a CHIS will be a normal person in a position to gain the trust of a person of interest. Authorities with the power to deploy a CHIS include UK intelligence and security services, as well as the police and HM Revenue and Customs.

Naturally, involving a CHIS in an investigation is not ideal. It can put the individual and their family in great danger, and authorities will generally go to great lengths to ensure that the identities of their agents are kept secret.

Interception of Communications

The Regulation of Investigatory Powers Act 2000 (RIPA) allows a number of different organisations to carry out interception of communications and other forms of monitoring. Different forms of surveillance vary in how they can be used and which organisations can be permitted to use them.

Interception Warrant

Intercepting a communication in transmission can refer to a number of different communication monitoring techniques, from phone tapping to intercepting someone’s mail or email.

No organisation can legally intercept a communication in transmission, whether they are the police, the Secret Service, or HM Revenue and Customs, without an interception warrant granted by the home secretary.

Interception warrants can only be granted by the home secretary (or the Scottish Executive for Scottish cases) who must approve of the communication interception that is going to be made, and be satisfied that interception of communication is the best possible option for gaining the information or evidence they hope to gain. The violation of privacy must also be worth the information and evidence gained – essentially, the ends must justify the means.

This could depend on the type of content that is going to come up in the communication. If a phone conversation or email is likely to contain highly personal information about the individual being monitored, such as their medical state or their political beliefs, the home secretary should consider this additional violation of privacy.

A standard interception warrant will last three months, although the organisation holding it can apply for an extra six months if necessary. Hundreds, if not thousands of interception warrants are issued every year – 1,508 in 2008, although this was a significant drop from the previous year, and it’s possible that some of those interception warrants will have been issued improperly.

It is often difficult to find this out – an individual making a complaint about having their communications intercepted will not be allowed to see the government’s reasons for allowing it to happen. This makes it difficult to prove that an interception warrant was falsely issued.

However, if an interception warrant has been found to have been wrongly issued, the Investigatory Powers Tribunal can order that the records of the intercepted transmissions be destroyed, and that the victim of the unfair surveillance receive compensation.

Other Legal Communications Interception

The interception of communications is authorised in some other circumstances, under the Lawful Business Practice (LBP) regulations.

A business has the right to monitor their communication systems (such as inbound phone calls and their email network) to determine whether or not the communications made are relevant to their business, and that no one is gaining unauthorised access to the system or abusing it to engage in criminal or otherwise unwanted activities.

An example of this could be a company monitoring the work email accounts and internet usage of their employees, to ensure that they are working at the time that they are supposed to be working.

Communications interception is authorised in certain other cases – for example, a company running a call centre or another telephone-based service can monitor their calls for training purposes.

With all communications interception of this nature, the company operating the communications system must take reasonable steps to inform anyone communicating on that system that communications may be intercepted. This includes people outside the company, hence the legal obligation of employees who operate a company’s phone lines to inform those they contact that calls may be monitored.

Interception of Post and Mail

Intentionally intercepting an individual’s mail is illegal, unless the power to do so has been gained through an interception warrant. Opening someone else’s post that has been delivered to your address is also illegal.

However, take note that these rules will cover mail delivered by anything that could be described as a “postal system” according to RIPA rules. A letter delivered by the Royal Mail will certainly fall into this category, but a parcel sent internally within your company may not.

An individual can claim for compensation for damage caused by the non-compliance with privacy rights as well as damage and connected distress caused by any contravention of the Data Protection Act. This can include violation of one or more of the Data Protection Principles.

If the individual can prove that they have suffered financial or physical damage, or damage and distress, as the consequence of a breach of the DPA, and the data controller is not able to prove that he or she has taken the proper amount of care to comply with the relevant requirement, then the individual will be allowed to claim compensation under section 13.

The individual can only claim damages for distress alone where the violation relates to the processing of personal data for the “special purposes” — usually artistic, literary or journalistic aims.

Unless the problem is resolved between the two contending sides, all claims for compensation have to be made to the Court. This even applies when the Information Commissioner has assessed that there has been a violation of the DPA, as the commissioner has no power to give compensation to the individual.

Awards are usually pretty low under the DPA and there are no guidelines for the correct amount of compensation. When hearing a case the judge has discretion and has to take into consideration many facts and factors, such as the severity of the violation and, when judging damages for distress, the effect upon the individual. There can be claims for compensation for damage and distress caused by any violation of the DPA, and for damage caused by non-compliance with the individual’s rights, as mentioned previously.

Rights in relation to inaccurate data

If an individual thinks that the data being retained about them is wrong or misleading they can apply to the Court to order the data controller to change, block, or destroy the data.

A court can additionally make that order if it acknowledges that the individual has suffered damage because of a violation by a data controller of any of the requirements of the DPA, entitling them to compensation under section 13, and that there is a considerable chance of further contravention in respect of the information.

In either situation, the court can, where it thinks it practicable, compel the data controller to inform third parties to whom the data have been disclosed of the change, blocking, or destruction. If the information is wrong but accurately records the data given to the data controller by the subject or a third party, the Court could consider the requirements stated in the interpretation of the Fourth Data Protection Principle, namely:

  • whether the data controller took proper action to make sure that the information was true
  • if the individual has already informed the data controller of his opinion that the information is wrong, and whether the information indicates this.

If the Court thinks that these requirements have been satisfied, then the Court can instead order that the information be supplemented by a Court-approved statement of the real facts.

Rights in relation to automated decision taking

To make sure that individuals know of automated decisions, data controllers must notify the individual where such decisions are made, although there is no penalty if they fail to do so.

The DPA gives examples of the purposes for which automated decision making may be used, such as evaluating an individual’s creditworthiness, reliability or conduct. An individual has the right, by writing to a data controller, to require it to make sure that no decision which significantly affects the individual is based solely on processing by automatic means of personal data concerning the individual.

If the court acknowledges that the data controller hasn’t complied with the individual’s request, it could order a person taking a decision in respect of the individual to reconsider the decision or to make a new decision which isn’t based on processing by automatic means.

The individual could also pursue damages under section 13 if the data controller does not respond to an objection and causes the individual to suffer.

Sarah’s Law

There is a provision in the law for data about convicted child sex offenders to be disclosed to citizens in certain situations. This provision is known as “Sarah’s Law”, in memory of Sarah Payne, a child killed by a convicted child sex offender.

This law gives parents, carers and guardians the ability to formally ask the police to inform them if an individual has a record for particular sexual crimes. The legislation that authorises “Sarah’s Law” is within amendments to the Criminal Justice Act 2003 (the “CJA 2003”).

Disclosure of information on sexual offenders

Section 235(2) of the CJA 2003 imposes an obligation on the authority for each geographical area to establish arrangements to examine and manage the risks posed in that area by particular sexual and violent criminals. In exercising this obligation, section 237A obliges the authority responsible to disclose particular data to the public about child sex offenders.

This is a section of the legislation that has become known as Sarah’s Law. Section 237A(1) states that the authority responsible should judge whether to disclose data it has about the relevant previous convictions of every child sex offender watched over by it to any particular citizen.

The law creates the presumption that the authority responsible should disclose the data if the child sex offender is seen as a threat to a certain child or to children of a certain category, and disclosure is needed to protect that child or children from harm.

Enhanced Criminal Record Certificate

A ‘high level check’ will be available for individuals applying for an increasing series of jobs. It is available at the moment for all those who are applying for work which regularly includes training, caring for, supervision or being in sole charge of those aged under eighteen or vulnerable adults.

The check will also be there for any individual looking for registration as a day carer or minder of children, or approval as a carer or adopting parent, or looking for gaming licences or judicial appointments, or where the suitability of the individual as a company director is in question.

Recent changes have been made to ensure that Enhanced Criminal Record Certificates can be obtained in a wider range of circumstances. Since September 2006, school governors, and people with a position in a school, are covered by the Enhanced Certificate system.

Much like the Intermediate Level Check, a High Level Check will need a joint application from the individual, whom the certificate is about, and the potential employer or organisation (which must be registered).

The check will lead to the issue of an Enhanced Criminal Record Certificate. This will reveal all of the data that would be in a Criminal Record Certificate, including unspent and spent convictions, cautions, reprimands and warnings, and notification requirements under the Sexual Offences Act. It will also show any appearances on the protection of children and vulnerable adult lists.

An Enhanced Criminal Record Certificate can also include other data retained by the police that does not concern convictions, cautions, appearances on lists and so on, but which the chief officer of the relevant police force thinks to be relevant to the job or voluntary work sought, and appropriate to be given to both the offender and the potential employer or organisation.

This can include records of acquittals, criminal intelligence information and results of inconclusive police investigations, as well as uncorroborated accusations from informants and witnesses.

All Enhanced Criminal Record Certificates will be given to both the individual whose data it sets out, and the potential employer or organisation.

Other relevant information given ‘off-Certificate’ to employer/organisation alone

It’s vital to realise that if the chief officer of the relevant police force receives a request for other data for an Enhanced Criminal Record Certificate, and he or she thinks that there is such data which the employer or organisation should know, but which should not be part of the certificate itself because it could prejudice the interests of the detection or prevention of crime, that data can be shown separately to the would-be employer or organisation.

It will not be on the Enhanced Criminal Record Certificate at all. In these situations, the individual whom the data concerns will be aware neither of the content of the data provided nor even that it has been provided. The potential employer or organisation will not be allowed to reveal that content, or the fact that they have received it, to the jobseeker.
