14. Use of social media in gathering evidence
As explained in this policy, the Regulation of Investigatory Powers Act 2000 regulates the use of covert surveillance activities by Local Authorities. Special authorisation arrangements need to be put in place whenever the Council considers commencing a covert surveillance or obtaining information by the use of informants or officers acting in an undercover capacity.
This also includes the use of social media sites for gathering evidence to assist in enforcement activities, as set out below:
- officers must not create a false identity in order to ‘befriend’ individuals on social networks without authorisation under RIPA.
- officers viewing an individual’s public profile on a social network should do so only to the minimum degree necessary and proportionate in order to obtain evidence to support or refute their investigation.
- repeated viewing of open profiles on social networks to gather evidence or to monitor an individual’s status, must only take place once RIPA authorisation has been granted and approved by a Magistrate.
- officers should be aware that it may not be possible to verify the accuracy of information on social networks and, if such information is to be used as evidence, take reasonable steps to ensure its validity.
Reviewing open source sites does not require authorisation unless the review is carried out with some regularity, usually when creating a profile, in which case directed surveillance authorisation will be required. If it becomes necessary to breach the privacy controls and become, for example, a ‘friend’ on Facebook, with the investigating officer utilising a false account concealing his/her identity as a Council officer for the purposes of gleaning intelligence, this is a covert operation intended to obtain private information and should be authorised, at a minimum, as directed surveillance. If the investigator engages in any form of relationship with the account operator then s/he becomes a CHIS requiring authorisation as such and management by a controller and handler with a record being kept and a risk assessment created.