Nid ydym yn gwybod a yw'r ymateb mwyaf diweddar i'r cais hwn yn cynnwys gwybodaeth neuai peidio - os chi ywMillie mewngofnodwch a gadael i bawb wybod.

Social Media Monitoring

We're waiting for Millie to read a recent response and update the status.

Dear Sir/Madam,

Freedom of information act request

RE: Social media monitoring / social media intelligence

FOIA REQUEST

For definition of social media intelligence please see background explanation below. We further note the comments of the Office of Surveillance Commissioners Annual Report 2016 cited below.

1. In 2016 the Rt Hon Lord Judge, then Chief Surveillance Commissioner, wrote to all Local Authorities regarding use of social media in investigations. Please confirm whether you are aware you received this letter and:
(a) Provide a copy of your response; (please confirm if you did not respond)

(b) Provide a copy of any internal audit relating to social media use arising out of Rt Hon Lord Judge’s recommendations; (please confirm if you did not conduct an internal audit and state whether any internal audit of social media use has taken place since 2016).

(c) Provide a copy of your corporate policy on the use of social media in investigations. (please confirm if you do not have one)

(d) Please confirm whether a follow up audit was conducted by the Surveillance Commissioner’s Office which was exclusively or partially related to social media use in investigations by your Local Authority.

2. Does your Local Authority conduct overt and/or covert social media intelligence in some or all of its work?

(a) If yes, please specify whether this includes profiling individuals, conducting investigations, monitoring individuals, monitoring groups, monitoring locations, gathering intelligence, for recruitment purposes.

(b) If your Local Authority does conduct social media intelligence/monitoring, please specify whether this includes both or either overt or covert monitoring of social media.

(c) If the Local Authority has conducted covert social media monitoring, please confirm the number of RIPA warrants obtained in the last two years for this purpose.

3. If the Local Authority conducts social media intelligence, please provide a copy of any current guidance/policies/internal guidance/code of practice or any other such written material used by/available to the local authority or those working on behalf of the local authority to conduct SOCMINT, the monitoring or accessing of information published on social media that is either publicly available or requires additional access e.g. to be friends with an individual, to have password and login details.

4. If you conduct overt or covert social media intelligence relating to social media platforms, please provide a copy of:
(a) Relevant [sections of the] privacy policy;
(b) the data protection impact assessment;
(c) privacy impact assessment;
(d) equality and human rights impact assessment
(e) training materials for those conducting social media intelligence.

Please state if you do not have any of the above.

5. Please provide a copy of any other template/form/document currently used (or to be used with the next three months) by the local authority or fraud investigator (or team) in the conduct of social media monitoring

6. Please confirm whether or not your local authority has purchased or uses software and/or hardware to conduct social network / social media monitoring and/or in relation to sentiment analysis.

(a) If yes, please state the name of the company / provider.

(b) If no, please state whether the local authority has developed internal methods to conduct social media / social network monitoring.

7. Please confirm, if not stated in the guidance (question 3), the policy on deletion of data obtained from social networking sites.

8. If no documents (question 3) exist, or if the following is not covered in the documents which do exist, please explain:
a. In what areas of the local authority's work is social media monitoring used
b. What criteria must be satisfied in order for social media monitoring to be carried out
c. Who must authorise the request to conduct social media monitoring
d. What is the process for conducting social media monitoring
e. How long is data collected and retained?
f. Is there any process for requesting deletion?

9. Are you able to state how regularly social media monitoring is used? If so, please provide the figures.

Kind regards,

Camilla Graham Wood

-----------

Background explanation: What is social media intelligence

This is a Freedom of Information Act request in relation to social media intelligence. Social media intelligence (SOCMINT) can also be referred to as social media monitoring, social network monitoring, social media listening, open source intelligence (OSINT) (focusing on social media platforms). Reference to SOCMINT in this FOIA request encompasses all these and any other terminology used to describe the viewing, collection, retention and analysis of data on social media platforms.

SOCMINT refers to the techniques and technologies that allow the monitoring and gathering of information on social media platforms such as Facebook, Twitter and Instagram. SOCMINT includes monitoring of content, such as messages or images posted, and other data, which is generated when someone uses a social media networking site i.e. meta data like location information. This information involves person-to-person, person-to-group, group-to-group and includes interactions that are private and public.

The methods for analysing social media networking sites vary. Methods may include manually reviewing content as it is posted in public or private groups or pages; reviewing the results of searches and queries of users; reviewing the activities or types of content users post; or 'scraping' - extracting the content of a web page - and replicating content in ways that are directly accessible to the person gathering social media intelligence.

It may include looking at content posted to public or private groups or pages. it may also involve "scraping" or grabbing all the data from a social media platform, including content and individual post and data about their behaviour (likes and shares). Through scraping and other tools, SOCMINT permits the collection and analysis of a large pool of social media data, which can be used to generate profiles and predictions about users.

We are sending this FOIA request to you as a local authority being either a London borough, metropolitan district, unitary authority, district council or county council.

Background explanation: Surveillance Commissioner Annual Reports

The Chief Surveillance Commissioner The Rt Hon Sir Christopher Rose’s Annual Report first referred to social network sites in 2012-13 stating that:

“2.4 All public authorities have struggled with the use of the Internet for investigations, particularly social network sites. A particular difficulty is the desire of national bodies to apply a doctrinaire approach which invites error if facts specific to each case are ignored or poorly considered.”

The subsequent report 2013 – 2014 stated that:

“5.30 … Although there remains a significant debate as to how anything made publicly available in this medium can be considered private, my Commissioners remain of the view that the repeat viewing of individual “open source” sites for the purpose of intelligence gathering and data collation should be considered within the context of the protection that RIPA affords to such activity.

5.31 In cash-strapped public authorities, it might be tempting to conduct online investigations from a desktop, as this saves time and money, and often provides far more detail about someone’s personal lifestyle, employment, associates etc. But just because one can, do not mean one should. The same considerations of privacy and especially collateral intrusion against innocent parties, must be applied regardless of the technological advances. It is worth repeating something I said in my 2011-2012 report, paragraph 5.8:

“There is a fine line between general observation, systematic observation and research and it is unwise to rely on a perception of a person’s reasonable expectation or their ability to control their personal data. Like ANPR and CCTV, the Internet is a useful investigative tool but they each operate in domains which are public and private. As with ANPR and CCTV, it is inappropriate to define surveillance solely by the device used; the act of surveillance is of primary consideration and this is defined at section 48(2-4) of RIPA (monitoring, observing, listening and recording by or with the assistance of a surveillance device). The Internet is a surveillance device as defined by RIPA section 48(1). Surveillance is covert “if, and only if, it is conducted in a manner that is calculated to ensure that persons who are subject to the surveillance are unaware that it is, or may be taking place.” Knowing that something is capable of happening is not the same as an awareness that it is or may be taking place. The ease with which an activity meets the legislative threshold demands improved supervision.”

The final report of the Chief Surveillance Commissioner in 2016 , before this was abolished and replaced by the IPCO stated:

“4.3 From time to time my Inspectorate is asked why, given that no authorisation has been granted by an individual authority since the previous inspection some three years earlier, the process of inspection and oversight is necessary. The short answer is unequivocal. While local authorities remain vested with the power to deploy covert surveillance, regardless of actual use, the appropriate structures and training must remain in place so that if and when the powers do come to be exercised, as they may have to be in an unexpected and possibly emergency situation, the exercise will be lawful. So, for that reason alone the process of inspection must continue. There is a further consideration. The inspection may reveal inadvertent use and misuse of the legislative powers. The steady expansion in the use of the social media and Internet for the purposes of investigative work provides a striking example of a potential new problem which came to light through the inspection system. Local authority officials, vested with burdensome responsibilities for, among others, the care of children and vulnerable adults, are, like everyone else, permitted to look at whatever material an individual may have chosen to put in the public domain. This is entirely lawful, and requires no authorisation. However, repeated visits to individual sites may develop into an activity which, if it is to continue lawfully, would require appropriate authorisations. Local authorities must therefore put in place arrangements for training officials into a high level of awareness of these risks. Without the inspection process this problem might never have been identified.

15.2 As discussed earlier one major consequence of the OSC inspections has been the emergence, during the course of discussions, of investigations being made by public authorities through use of social media and the Internet. For example, it may help to show whether counterfeit good are being offered for sale on a Facebook page, or reveal that someone who claims to be living alone as a single parent has a social media page which provides a different story, or perhaps, particularly sensitive, enable a check to be made whether concerns about the welfare of a child or vulnerable adult may be justified. When individuals choose to go public or advertise themselves, they cannot normally complaint that those who look at their social media sites are disregarding their rights to privacy. However if the study of an individual site becomes persistent, issues under the legislation may arise.

15.3 The resources available to the OSC do not enable me to say positively that issues relating to the use of social media sites have arisen or are arising in every local authority. What matters is that this potential certainly exists. Senior officials at local authorities should therefore be made aware of it and have the necessary policy documents and training and awareness arrangements in place to address it. This issue has been recognised in the forthcoming Home Office and Scottish Government Codes of Practice (which will be issued at a convenient date after the introduction of the Investigatory Powers Act 2016). However, in advance of the issue, and because of repeated findings in reports made to me by Inspectors and Assistant Surveillance Commissioners throughout this year, I acted on my own initiative. I therefore wrote to all local authorities in April 2017 explaining my concerns, and urging them to undertake internal checks of the use of social media by no doubt well-intentioned members of their staff, and to ensure that appropriate guidance and training should be provided.

15.4 An extract from the letter reads:

“it has become steadily more apparent that a number of officers working for public authorities, particularly those with responsibilities for the care of children and vulnerable adults have started to use the [social media and internet] sits, acting in good faith and on their own initiative. RIPA issues do not normally arise at the start of any investigation which involves accessing “open source” material, but what may begin as lawful overt investigation can drift into cover surveillance which falls within the legislation. Although the investigation of crime is not normally a “core function” of the Council, the protection of children and vulnerable adults certainly is, and any continuing and deeper study of the social media site in question would only be justified by the exercise of that protective function.

These are complex legislative provisions, and without appropriate training and awareness council officers cannot be expected to appreciate and apply them. They may therefore act unlawfully. Ignorance would provide no defence to them personally, nor to the Council for which they were working.

The Surveillance Commissioners have issued further guidance on this issue, and identified circumstances when an appropriate authorisations under the legislation would be required or advisable. The guidance is available on the OSC website as a public document, with the OSC Procedures Guidance. Note 289 is relevant and I highlight it for your attention.

It would be sensible for an internal audit of the use of social media sites and Internet for investigative or official business made across all departments be undertaken now. That would provide the necessary information about the extent to which formal training or awareness of these complex provisions is required.”

15.5 A copy of this letter was sent to the Chair of the Local Government Association and the national police lead for child protection issues, Chief Constable Simon Bailey of the Norfolk Constabulary.

15.6 As I reported last year, many local authorities have first-class arrangements in place for the use of covert tactics, even if, as a matter of policy, they do not intend to deploy them: others do not. Where necessary arrangements to ensure compliance are not in place, I require a report from the Chief Executive after a given period, say six months, about how the inadequacies have been addressed, and indicating that a further inspection may have to be arranged. There have been, and will continue to be occasional inspection revisits. One such revisit will have taken place by the time this report is published. I should, however, highlight that the problem of the non-compliant local authority should be kept in perspective. These authorities very rarely use or attempt to use statutory powers, and the occasions when they have been in breach of the legislative provisions remain very rare indeed. The point, as one of my Inspectors helpfully paraphrased it, is that while they are vested with these significant powers they should remain “match fit”. The inspection process provides both an encouragement and a check that they are.

The Investigatory Powers Commissioner replaced the Surveillance Commissioner. The Investigatory Powers Commissioner, Sir Adrian Fulford’s Annual Report 2017 states:

4.37 Local authority guidance on surveillance does not always address how investigators should use social media or where they may need an authorisation. The 2018 revised Home Office code of practice for surveillance contains helpful advice local authorities can incorporate into their policy documents and training.

4.38 Our inspectors were particularly impressed by Durham Country Council, whose senior responsible officer commissioned a helpful audit across the organisation on the “Use of social media in Covert Investigations’, to evaluate and report their system is adequate and appropriate for this purpose. We commend this approach.

Folkestone & Hythe District Council

Dear Camilla Graham Wood,
 
Ref: LS-009920-RN - FOI - Social Media Surveillance
 
Thank you for your information access request dated 7 October 2019. This
is being processed under the Freedom of Information Act 2000. 
 
We will endeavour to supply the information you have requested promptly
and within the requisite 20 working days. If we think that it will take
longer, we will contact you.
 
Please ensure you leave the subject line in any correspondence sent to us
in relation to this request to enable us to locate your file.  The
reference number for your file is shown above in the Subject Line.
 
Kind regards,
 
Jamie Naylor
Senior Information Officer
Folkestone & Hythe District Council.
Email: [Folkestone & Hythe District Council request email]
Website: Home | FOI and Data | Privacy
Follow us on Twitter and Facebook
 
 
 
      
 
   
[1]www.folkestone-hythe.gov.uk
 
 

dangos adrannau a ddyfynnir

Folkestone & Hythe District Council

Dear Camilla Graham Wood,
 
We have received the following request for information under the Freedom
of Information Act 2000.  
 
1. In 2016 the Rt Hon Lord Judge, then Chief Surveillance Commissioner,
wrote to all Local Authorities  regarding use of social media in
investigations. Please confirm whether you are aware you received this
letter and:
      The Council no longer holds information relating to this letter;
consequently, we are unable to confirm whether it was received at the
time.
 

 a. Provide a copy of your response; (please confirm if you did not
respond)

Please see above.
     
(b) Provide a copy of any internal audit relating to social media use
arising out of Rt Hon Lord Judge’s recommendations; (please confirm if you
did not conduct an internal audit and state whether any internal audit of
social media use has taken place since 2016).
No internal audits were conducted by the Council specifically regarding
social media usage.
 
(c) Provide a copy of your corporate policy on the use of social media in
investigations. (please confirm if you do not have one)
The Council’s corporate policy on the use of social media in
investigations is contained within the broader [1]RIPA policy.
 
(d) Please confirm whether a follow up audit was conducted by the
Surveillance Commissioner’s Office which was exclusively or partially
related to social media use in investigations by your Local Authority.
The Surveillance Commissioner’s Office previously conducted inspections of
the Council’s RIPA authorisations on a three-yearly basis. The
Commissioner’s last inspection report in 2016 examined the Council’s
social media policies and is [2]published on our website.
 
2. Does your Local Authority conduct overt and/or covert social media
intelligence in some or all of its work?
While the Council retains the ability to make use of social media
intelligence when it is determined that doing so represents a
proportionate and effective measure, covert social media surveillance
meeting a threshold for RIPA authorisation is not currently utilised on an
ongoing basis. Whenever it is considered necessary to proceed with covert
surveillance, RIPA authorisations will be sought as required.  
 
(a) If yes, please specify whether this includes profiling individuals,
conducting investigations, monitoring individuals, monitoring groups,
monitoring locations, gathering intelligence, for recruitment purposes.
 
(b) If your Local Authority does conduct social media
intelligence/monitoring, please specify whether this includes both or
either overt or covert monitoring of social media.
 
(c) If the Local Authority has conducted covert social media monitoring,
please confirm the number of RIPA warrants obtained in the last two years
for this purpose.
No covert monitoring requiring a RIPA warrant has been undertaken across
that time period; 0 warrants have been obtained.
 
3. If the Local Authority conducts social media intelligence, please
provide a copy of any current guidance/policies/internal guidance/code of
practice or any other such written material used by/available to the local
authority or those working on behalf of the local authority to conduct
SOCMINT, the monitoring or accessing of information published on social
media that is either publicly available or requires additional access e.g.
to be friends with an individual, to have password and login details.
 
4. If you conduct overt or covert social media intelligence relating to
social media platforms, please provide a copy of:
(a) Relevant [sections of the] privacy policy;
(b) the data protection impact assessment;
(c) privacy impact assessment;
(d) equality and human rights impact assessment
(e) training materials for those conducting social media intelligence.
 
Please state if you do not have any of the above.
(a) – (d): The Council has not conducted generalised impact assessments
for the use of social media in investigations. The factors specific to a
case would instead be examined when a RIPA authorisation is applied for.
 
This process inherently involves assessing the proportionality of a
surveillance exercise by weighing the core purpose against impacts on the
individual(s)’ privacy and human rights.
 
If a specific project or process is proposed that would involve the
systemic processing or profiling of personal data (obtained from social
media or otherwise), a DPIA would be conducted to evaluate risk.
 
(e): Requirements relating to social media monitoring are set out in the
Council’s RIPA policy. Staff involved in activities that could potentially
result in RIPA implications are made aware of these requirements by
department managers.
 
5. Please provide a copy of any other template/form/document currently
used (or to be used with the next three months) by the local authority or
fraud investigator (or team) in the conduct of social media monitoring
Template RIPA authorisation request forms are contained within the
Council’s RIPA policy (appendix 6).
 
6. Please confirm whether or not your local authority has purchased or
uses software and/or hardware to conduct social network / social media
monitoring and/or in relation to sentiment analysis.
No such software has been purchased or is used.
 

 a. If yes, please state the name of the company / provider.

N/A
 

 b. If no, please state whether the local authority has developed internal
methods to conduct social media / social network monitoring.

No internally developed methods for social media monitoring are used.
 
7. Please confirm, if not stated in the guidance (question 3), the policy
on deletion of data obtained from social networking sites.
If any social media data is obtained, the approach to its retention and
deletion would be dependent on the purpose it was obtained for. This would
then proceed in line with the Council’s corporate retention policy.
 
For example, if social media data is obtained as evidence in a Council Tax
fraud investigation, the data would be held in line with the relevant
Council Tax schedule entry.
 
8. If no documents (question 3) exist, or if the following is not covered
in the documents which do exist, please explain:
    a. In what areas of the local authority's work is social media
monitoring used
     
    b. What criteria must be satisfied in order for social media
monitoring to be carried out
      Relevant criteria are explained within the RIPA policy.
 
    c. Who must authorise the request to conduct social media monitoring
      Monitoring that would engage the provisions of RIPA must be
authorised by a designated officer specified within the RIPA policy.
 
    d. What is the process for conducting social media monitoring
Staff are required to determine whether any surveillance would engage the
provisions of RIPA, according to the Council’s RIPA policy. If it is
believed that such provisions would be engaged, appropriate authorisation
must be sought prior to the processing being undertaken.
 
    e. How long is data collected and retained?
      Please see Q7.
 
    f. Is there any process for requesting deletion?
Individuals may contact the department processing their data or the
Council’s Data Protection Officer
([3][email address]) to exercise their data
rights.
 
This includes the right to erasure defined in GDPR’s Article 17,  when
this right is relevant. The right to erasure is conditional, and does not
apply in all circumstances.
 
The Council explains individuals’ privacy rights and how to exercise them
in its corporate privacy policy on the Council website.
     
9. Are you able to state how regularly social media monitoring is used? If
so, please provide the figures.
      The Council does not hold this information. The only held records
relate to authorisations for use of RIPA surveillance powers. Please see
2(c) for details.
 
Should you require any further information, or if you are not satisfied
with our response, please do not hesitate to contact me. You may also
request an internal review by writing to the following address:
 
Freedom of Information Appeals Officer
Compliance & Information Governance
Folkestone & Hythe District Council
Castle Hill Avenue
Folkestone
Kent CT20 2QY
 
Alternatively you can use our Customer Comment Form which can be accessed
at our website [4]www.folkestone-hythe.gov.uk.
 
In addition, if you are not satisfied with our response you may apply to
the Information Commissioner for an independent review at the following
address:
 
The Information Commissioner
Wyncliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone 0303 123 1113 (local rate) or 01625 545 745 (national rate)
[5]www.ico.org.uk
 
There is no charge for making an appeal.
 
Kind regards,
 
 
Eric Thomas  ACFS
Case Officer (Information Governance)
Tel: 01303 853419
[mobile number]
Folkestone & Hythe District Council, Civic Centre, Castle Hill Avenue,
Folkestone, Kent, CT20 2QY
 
Email: [6][Folkestone & Hythe District Council request email]
Website: [7]Home | [8]FOI and Data | [9]Privacy
Follow us on [10]Twitter and [11]Facebook
 
      
 
   
[12]www.folkestone-hythe.gov.uk
 
 
_____________________________________________
From: Neville, Rachel On Behalf Of information.officer
Sent: 10 October 2019 07:32
To: 'Millie' <[FOI #609701 email]>
Cc: information.officer <[email address]>
Subject: LS-009920-RN - FOI - Social Media Surveillance
 
 
Dear Camilla Graham Wood,
 
Ref: LS-009920-RN - FOI - Social Media Surveillance
 
Thank you for your information access request dated 7 October 2019. This
is being processed under the Freedom of Information Act 2000. 
 
We will endeavour to supply the information you have requested promptly
and within the requisite 20 working days. If we think that it will take
longer, we will contact you.
 
Please ensure you leave the subject line in any correspondence sent to us
in relation to this request to enable us to locate your file.  The
reference number for your file is shown above in the Subject Line.
 
Kind regards,
 
Jamie Naylor
Senior Information Officer
Folkestone & Hythe District Council.
Email: [13][Folkestone &amp; Hythe District Council request email]
Website: Home | FOI and Data | Privacy
Follow us on Twitter and Facebook
 
 
 
      
 
   
[14]www.folkestone-hythe.gov.uk
 
 

dangos adrannau a ddyfynnir

Dear Folkestone & Hythe District Council,

Thank you for your response.

Yours faithfully,

Millie

Information Governance, Folkestone & Hythe District Council

[1]Folkestone and Hythe Logo

Thank you for your information access request. A reference number has been
assigned to your enquiry which can be found in the subject line.

A case officer will review this matter shortly. We will endeavour to
supply any information you have requested promptly and within the
requisite 20 working days. If we think that it will take longer, we will
contact you.

Please ensure you leave the subject line in any correspondence, and
respond to the most recent item of correspondence relating to your case.
This will enable us to locate your request and respond appropriately.

For additional information about how your personal data will be used
please see the access to information privacy notice.

The contents and any attachments of this e-mail message are confidential
and intended only for the named addressees. If you have received it in
error, please advise the sender immediately by return email and then
delete it from your system. Any unauthorised distribution or copying of
this transmission, or misuse or wrongful disclosure of information
contained in it, is strictly prohibited. Folkestone & Hythe District
Council cannot accept liability for any statements made which are clearly
the sender's own and not expressly made on behalf of the council. All
email to and from the council may be monitored in accordance with the
council's policies. Folkestone & Hythe District Council is registered with
the ICO as a data controller. Our privacy notice at
[2]www.folkestone-hythe.gov.uk/privacy explains how we use and share
personal information and protect your privacy and rights

ref:_00D1tqGSL._5002o2MEPiN:ref

References

Visible links
2. file:///tmp/www.folkestone-hythe.gov.uk/privacy

Nid ydym yn gwybod a yw'r ymateb mwyaf diweddar i'r cais hwn yn cynnwys gwybodaeth neuai peidio - os chi ywMillie mewngofnodwch a gadael i bawb wybod.