The right to privacy

26th April 2018

The Human Rights Act of 1998 brought English law into line with the European Convention on Human Rights. The European Convention contains an explicit declaration of the right of an individual to have their private life and information protected.

The privacy issue

Issues of privacy invasion can affect anyone in the country. It is not just celebrities and public figures that have to guard against private details of their lives being made public.

People can still have their details made public unlawfully if they are connected to a criminal investigation or if they are wrongly placed on the police DNA database.

The Regulation of Investigatory Powers Act or RIPA is an act which has been brought in to ensure that surveillance of private individuals is carried out in accordance with the various regulations the purpose of which are designed to protect the members of the public.

The Act is specifically designed to ensure that the human rights of the UK general public are not infringed.

RIPA is an Act brought in to ensure that the human rights of the UK general public are not infringed

Here are some of the ways in which the human right to privacy is protected under UK law.


RIPA sets out limits on how surveillance can be carried out, and who is authorised to carry it out. There are numerous different types of surveillance, and their legality depends largely on who is carrying them out and why.

  • Intrusive surveillance

Intrusive surveillance is designed to gain information or intelligence from surveilling the more private areas of an individual’s life – inside their home or private vehicle, for example.

There are some circumstances in which surveillance from outside could be considered to be intrusive surveillance, particularly with advancements in technology. If surveillance equipment is used outside a private residence, but it is advanced enough that it surveils to the same standard that equipment placed inside the residence could, this would count as intrusive surveillance, regardless of where the surveillance equipment is placed.

Intrusive surveillance will only be authorised for the most serious of investigations – the surveillance must be crucial to the investigation or prevention of serious crime, or the maintenance of UK national security and economic health.

Intrusive surveillance must be the best available option to be considered – if it would be possible to gain the information sought by an intrusive surveillance operation via other means, those other means should be considered first.

intrusive surveillance will only be authorised for the most serious of investigations

There are very few individuals with the power to authorise intrusive surveillance, this power being limited to the home secretary and a small group of others.

All authorisations are overseen by a Surveillance Commissioner, who must give authorisation before any intrusive surveillance can begin (unless the matter is urgent and surveillance needs to begin immediately).

  • Directed surveillance

Directed surveillance is a less invasive form of surveillance, as it is generally conducted in a more public arena, and is not considered to violate an individual’s privacy in the same way that intrusive surveillance would.

Surveilling someone in a public place is a common way of carrying out directed surveillance, by way of listening devices or taking photographs. Naturally, whilst surveilling in a public place, it is likely that others will also be surveilled – this should be taken into account when authorising the surveillance.

Directed surveillance can also be used to monitor a private place, such as an individual’s home. This is considered acceptable under directed surveillance limitations, as long as the surveillance equipment used is not so sophisticated as to match the surveillance capabilities of equipment that would be used inside the building or vehicle.

directed surveillance can be used to monitor a private place, such as an individual’s home

Unlike intrusive surveillance, directed surveillance can be authorised by lesser powers than the home secretary and a Surveillance Commissioner.

Local authorities, such as a city council, can have the power to authorise directed surveillance in certain circumstances – although a local authority’s power to initiate surveillance will be significantly less than the power that police or security services hold.

A local authority can only instigate directed surveillance to detect and prevent crime (CCTV cameras in a town centre to spot and deter troublemakers, for example). Higher authorities, such as the police, can authorise directed surveillance for other more specialised purposes.

  • Covert Human Intelligence Sources

A Covert Human Intelligence Source (CHIS) can be anyone authorised by a particular authority to carry out surveillance on an individual or group of individuals they have formed a relationship with, whether this relationship was a previously existing one, or one formed for the purposes of this surveillance.

A CHIS is not a specially trained officer – often a CHIS will be a normal person in a position to gain the trust of a person of interest. Authorities with the power to deploy a CHIS include UK intelligence authorise and security services, as well as the police and HM Revenue and Customs.

Naturally, involving a CHIS in an investigation is not ideal. It can put the individual and their family in great danger, and authorities will generally go to great lengths to ensure that the identities of their agents are kept secret.

Interception of Communications

The Investigatory Powers Act 2016, allows for a number of different organisations to carry out interception of communications and other forms of monitoring. Different forms of surveillance vary on how they can be used and which organisations can be permitted to use them.

  • Interception Warrant

Intercepting a communication in transmission can refer to a number of different communication monitoring techniques, from phone tapping to intercepting someone’s mail or email. No organisation can legally intercept a communication in transmission, whether they are the police, the Secret Service, or HM Revenue and Customs, without an interception warrant granted by the home secretary.

The Secretary of State is the primary decision maker under the Act as to whether a warrant should be issued. Parliament has however designated Judicial Commissioners as an independent safeguard to ensure that warrants that are issued satisfy the requirements of necessity and proportionality, which include the requirement that they are in accordance with the law.

The violation of privacy must also be worth the information and evidence gained – essentially, the ends must justify the means. This could depend on the type of content that is going to come up in the communication.

If a phone conversation or email is likely to contain highly personal information about the individual being monitored, such as their medical state or their political beliefs, the home secretary and/or Judicial Commissioner should consider this additional violation of privacy.

A standard interception warrant will last 6 months

It is often difficult to find this out – an individual making a complaint about having their communications intercepted will not be allowed to see the government’s reasons for allowing it to happen. This makes it difficult to determine that an interception warrant was falsely.

However, if an interception warrant has been found to have been wrongly issued, the Investigatory Powers Tribunal can order that the records of the intercepted transmissions be destroyed, and that the victim of the unfair surveillance receive compensation.  Criminal sanctions also exist for unauthorised use.

  • Other legal communications interception

The interception of communications is authorised in some other circumstances, under the Lawful Business Practice (LBP) regulations.

A business has the right to monitor their communication systems (such as inbound phone calls and their email network) to determine whether or not the communications made are relevant to their business, and that no one is gaining unauthorised access to the system or abusing it to engage in criminal or otherwise unwanted activities.

a business has the right to monitor their communication systems

An example of this could be a company monitoring the work email accounts and internet usage of their employees, to ensure that they are working at the time that they are supposed to be working.

Communications interception is authorised in certain other cases – for example, a company running a call centre or another telephone-based service can monitor their calls for training purposes.

With all communications interception of this nature, the company operating the communications system must take reasonable steps to inform anyone communicating on that system that communications may be intercepted.

This includes people outside the company, hence the legal obligation of employees who operate a company’s phone lines to inform those they contact that calls may be monitored.

  • Interception of Post and Mail

Intentionally intercepting an individual’s mail is illegal, unless the power to do so has been gained through an interception warrant. Opening someone else’s post that has been delivered to your address is also illegal.

However, take note that these rules will cover mail delivered by anything that could be described as a “postal system” according to RIPA rules. A letter delivered by the Royal Mail will certainly fall into this category, but a parcel sent internally within your company may not.

An individual can claim for compensation for damage caused by the non-compliance with privacy rights as well as damage and connected distress caused by any contravention of the Data Protection Act. This can include violation of one or more of the Data Protection Principles.

If the individual can prove that they have been inflicted financial or physical damage, or damage and distress as the consequence of a breach of the DPA, and the data controller is not able to prove that he or she has taken the proper amount of care to comply with the relevant requirement, then the individual will be allowed to claim compensation under section 13.

The individual can only claim damages for distress alone where the violation relates to the processing of personal data for the “special purposes” – usually artistic, literary or journalistic aims.

Unless the problem is solved by between the two contending sides, all claims for compensation have to be made to the Court. This even applies when the Information Commissioner has assessed that there has been a violation of the DPA, as the commissioner has no power to give compensation to the individual.

Awards are usually pretty low under the DPA and there are no guidelines for the correct amount of compensation. When hearing a case the judge has discretion and has to take into his consideration lots of facts and factors, like the effect upon the individual when judging damages for distress and the severity of the violation.

There can be claims for compensation for damage and stress caused by any violation of the DPA, and damage caused by the non-compliance of the individual’s rights as mentioned previously.

  • Rights in relation to inaccurate data

If an individual thinks that the data being retained about them is wrong or misleading they can apply to the Court to order the data controller to change, block, or destroy the data.

A court can additionally make that order if it acknowledges that the individual has suffered damage because of the violation by a data controller of any of the requirements of the DPA allowing them to compensation under section 13, and that there is a considerable chance of more contravention of the information.

In either situation, the court can, where it thinks it practicable, compel the data controller to inform third parties to whom the data have been disclosed of the change, blocking, or destruction.

If the information is wrong but accurately records the data given to the data controller by the subject or a third party, the Court could decide the requirements stated in the interpretation of the Fourth Data Protection Principle, namely:

  • Whether the date controller took proper action to make sure that the information was true
  • If the individual has already informed the data controller of his opinion that the information is wrong, and whether the information indicates this.

If the Court thinks that these needs have been satisfied then the Court can instead, order that the information be added to by a court approved statement of the real facts.

  • Rights in relation to automated decision taking

To make sure that individuals know of automated decisions, data controllers must notify you where such decisions are made, although there is no penalty if they fail to do so.

The DPA has examples of the aims for which automated decision making may be used. Evaluating your creditworthiness, your reliability or your conduct are some examples of this.

An individual has the right, by writing to them, to require a data controller to make sure that no decision which affects you majorly is based just on processing by automatic means of personal data concerning the individual.

The Information Commissioners Office outlines what rights individuals have under the Data Protection Act. The Act gives individuals three rights in relation to automated decision taking.

  • The first is the right to prevent such a decision being taken. You must not take an automated decision if an individual has given notice in writing asking you not to.
  • The second right applies where no such notice has been given. An organisation that takes an automated decision must inform the individual concerned that it has done this. It must do so as soon as is practicable in the circumstances.
  • The third right relates to the options available to an individual on receiving this information. If an individual is unhappy that an automated decision has been taken, they have 21 days to ask you to reconsider the decision or to take a new decision on a different basis. In most cases, both these options are likely to involve a review of the automated decision.

If the court is acknowledges that the data controller hasn’t complied with your request, it could order a person taking a decision in respect of the individual to reconsider the decision or to make a new decision which isn’t based on processing by automatic means.

The individual could also pursue damages under section 13 if the data controller does not respond to an objection and causes the individual to suffer.

Sarah’s Law

There is a provision in the law for data about convicted child sex offenders to be disclosed to citizens in certain situations. This provision is known as “Sarah’s Law”, in memory of Sarah Payne, a child killed by a convicted child sex offender.

This law gives parents, carers and guardians the ability to formally ask the police to inform them if an individual has a record for particular sexual crimes. The legislation that authorises “Sarah’s Law” is within amendments to the Criminal Justice Act 2003 (the “CJA 2003”).

  • Disclosure of information on sexual offenders

Section 325(2) of the CJA 2003 imposes an obligation on the authority for each geographical area to establish arrangements to examine and manage risks in that area by particular sexual and violent criminals. In exercising this obligation, section 327A obliges the authority responsible to disclose particular data to the public about sexual offenders of children.

This is a section of the legislation that has become known as Sarah’s Law. Section 327A(1) states that the authority responsible should judge whether to disclose data it has about the relevant previous convictions of every child sex offender watched over by it to any particular citizen.

The law creates the presumption that the authority responsible should disclose the data if the child sex offender is seen as a threat to a certain child or to children of a certain category, and disclosure is needed to protect that child or children from harm.

Any disclosure remains a decision for the police in consultation with relevant partner agencies. Disclosures cannot be guaranteed in all cases. Any disclosure made must be lawful, proportionate and necessary to protect a child from the risk of significant harm.

Enhanced criminal record certificate

Criminal Record Certificates are obtained from the Disclosure and Barring Service (DBS), the DBS replaced the Criminal Records Bureau in December 2012.

Since the implementation of the DBS, there are strict guidelines which must be satisfied before submitting an application for a criminal record check for a particular job role.

There are currently 3 levels of criminal records checks.

  • Standard checks
  • Enhanced checks
  • Enhanced checks with children’s and/or adults’ barred list checks.

To be eligible for an enhanced level criminal record check, the role must be included in both the Rehabilitation of Offenders Act Exceptions Order and in the Police Act (Criminal Records) Regulation.

To be eligible for an enhanced checks with children’s and/or adults’ barred list checks, the role must be eligible for an enhanced DBS certificate and be specifically included in the Police Act (Criminal Records) Regulations as being able to check the appropriate barred lists.

The Police Act regulation can be found on You can also check whether you are entitled to request a criminal record check using the eligibility tool on the government’s website.

An Enhanced check searches the applicant’s criminal history for convictions, cautions, warnings and reprimands with an option to check the applicant isn’t on any barred lists.

It will usually be obtained for roles working with children or vulnerable groups. Local police are also able to provide any further relevant information that applies to a potential candidate for a job role.

International Stress Awareness Month: your workplace rights

To mark International Stress Awareness Month, Simon Roberts takes a look at what the law says your employer needs to do about workplace stress.

March 2022 Learn more
Beware the perils of sharing colleagues’ Christmas party antics on social media

Are people allowed to record and share your more embarrassing moments without your permission? What does the law have to say?

December 2019 Learn more