Section 8 "orders"

conorh91

Until this weekend I had never heard of the Gardaí, or a court, ordering the production of data from an ISP citing s.8 of the DPAs.

However, Devore has made reference to boards.ie receiving these orders.

I would have presumed that a s.8 "order" is a request for data in possession of an ISP, such as one might receive from a civil litigant, the Revenue, or Gardaí themselves. I would have assumed it does nothing more than give an ISP discretion over whether or not they wish to release personal data to the person or agency making the request.

My understanding is that a party seeking private data needs to acquire (i) a Norwich Pharmacal order (at civil law) or (ii) a warrant/ court order (at criminal law) before they can require an ISP to release private data.

I assume people who frequent this forum might be better able to shine a light on how Gardaí derive their powers to demand disclosure of online data.

What exactly is a section 8 order?

S.8 of the DPAs

8. [Processing] of personal data in certain cases
Any restrictions in this Act on the disclosure of personal data do not apply if the [processing]is—

(a) in the opinion of a member of the Garda Síochána not below the rank of chief superintendent or an officer of the Permanent Defence Force who holds an army rank not below that of colonel and is designated by the Minister for Defence under this paragraph, required for the purpose of safeguarding the security of the State,
(b) required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of those restrictions would be likely to prejudice any of the matters aforesaid,
(c) required in the interests of protecting the international relations of the State,
(d) required urgently to prevent injury or other damage to the health of a person or serious loss of or damage to property,
(e) required by or under any enactment or by a rule of law or order of a court,
(f) required for the purposes of obtaining legal advice or for the purposes of, or in the course of, legal proceedings in which the person making the disclosure is a party or a witness,
(g) […], or
(h) made at the request or with the consent of the data subject or a person acting on his behalf.

the world wonders

A section 8 order is a polite request, with the unspoken implication of "and if you don't we'll get a warrant and confiscate all your servers for six months" behind it.

Tom Young

The use of the s.8 is to disclose subscriber information in respect of the handle used by the real person posting on the internet here, or elsewhere for that matter.

Your assumptions are not wrong in re. actually private data. Such disclosures would normally require a court order.

The terms and conditions of a data processors service may allow for alias disclosures when requested by law enforcement agencies and other state bodies depending on their reasons.

Tom

conorh91

Tom Young wrote: »

The use of the s.8 is to disclose subscriber information in respect of the handle used by the real person posting on the internet here, or elsewhere for that matter.

Your assumptions are not wrong in re. actually private data. Such disclosures would normally require a court order.

I see, so to clarify, there is a distinction between the author's content and the author's identity?

If that were so, shouldn't an author's identity be presumed to be protected as a privileged source emanating from Art 40.6.1(i) of the Constitution?

Say, for example, a user "IAMAGARD", presumed by readers to be a member of AGS, began publishing a series of pieces on boards.ie. IAMAGARD claims to have witnessed practices which, if true, disclose criminality or unprofessional conduct or policy.

The Gardaí then approach the site's owners seeking its assistance in identifying IAMAGARD. I find it hard to believe that the site is obliged to assist AGS, unless it wishes to?

My difficulty is in understanding the obligatory nature of s.8 orders/ requests for information.

I know the above is a bit of an extreme example, but if anybody would like to humor it...

Little CuChulainn

conorh91 wrote: »

I see, so to clarify, there is a distinction between the author's content and the author's identity?

If that were so, shouldn't an author's identity be presumed to be protected as a privileged source emanating from Art 40.6.1(i) of the Constitution?

Say, for example, a user "IAMAGARD", presumed by readers to be a member of AGS, began publishing a series of pieces on boards.ie. IAMAGARD claims to have witnessed practices which, if true, disclose criminality or unprofessional conduct or policy.

The Gardaí then approach the site's owners seeking its assistance in identifying IAMAGARD. I find it hard to believe that the site is obliged to assist AGS, unless it wishes to?

My difficulty is in understanding the obligatory nature of s.8 orders/ requests for information.

I know the above is a bit of an extreme example, but if anybody would like to humor it...

It's not really an extreme example. The news last week reported that AGS are clamping down on Gardaí using social media.

Manach

Offhand would there not be an issue with the Data Protection Act? This being based on the EU Directive of 1995; section43 would suggest that as such material is personal (could id an individual). So if it were to be handed over then there would need to be clear proof that it was so.
"Whereas restrictions on the rights of access and
information and on certain obligations of the
controller may similarly be imposed by Member
States in so far as they are necessary to safeguard,
for example, national security, defence, public
safety, or important economic or financial interests
of a Member State or the Union, as well as
criminal investigations and prosecutions"

From reading an article by Bruce Schneier on the use of such to gather data - this should mean that the authorities have to be very specific on what they are seeking and not go on a "fishing expedition".

FreudianSlippers

Tom Young wrote: »

The use of the s.8 is to disclose subscriber information in respect of the handle used by the real person posting on the internet here, or elsewhere for that matter.

Your assumptions are not wrong in re. actually private data. Such disclosures would normally require a court order.

The terms and conditions of a data processors service may allow for alias disclosures when requested by law enforcement agencies and other state bodies depending on their reasons.

Tom

Agreed. In fact, the boards.ie privacy policy is quite broad in with whom and when they will disclose your information. The key provision in relation to these requests by AGS is:

We may disclose this information to law enforcement, government officials or courts where we believe or are advised that disclosure is necessary and proportionate

Here's a link to the policy. As I said, it's actually quite a broad policy... particularly with the sharing with the other Distilled Media sites.

Manach wrote: »

Offhand would there not be an issue with the Data Protection Act? This being based on the EU Directive of 1995; section43 would suggest that as such material is personal (could id an individual). So if it were to be handed over then there would need to be clear proof that it was so.
"Whereas restrictions on the rights of access and
information and on certain obligations of the
controller may similarly be imposed by Member
States in so far as they are necessary to safeguard,
for example, national security, defence, public
safety, or important economic or financial interests
of a Member State or the Union, as well as
criminal investigations and prosecutions"

From reading an article by Bruce Schneier on the use of such to gather data - this should mean that the authorities have to be very specific on what they are seeking and not go on a "fishing expedition".

Section 8 of the 1988 Act removes the general disclosure restrictions where (inter alia) the information is requested by a member of AGS not below the rank of chief superintendent. I'm not sure how these things work internally, but I'd imagine the paperwork is done by the investigating officer and is just routinely signed-off by a chief superintendent.

conorh91

FreudianSlippers wrote: »

Agreed. In fact, the boards.ie privacy policy is quite broad in with whom and when they will disclose your information. The key provision in relation to these requests by AGS is:

Just to clarify, the terms and conditions are not in issue. In fact the provision which you quote appears to be to be redundant in most circumstances, since boards.ie has a statutory basis for derogation under s.8 of the DPAs.

It came up recently during a discussion with DeVore.

http://www.boards.ie/vbulletin/showpost.php?p=92390750&postcount=32

After a search, I saw that other people describe section 8 requests/ orders in similar terms - as obligatory, or as being the order of a court. My question is simply that I don't understand this side of things, and I am wondering if others can shed light.

This is not an area I have any competence in so it's mere curiosity on my behalf.

Section 8 of the 1988 Act removes the general disclosure restrictions where (inter alia) the information is requested by a member of AGS not below the rank of chief superintendent. I'm not sure how these things work internally, but I'd imagine the paperwork is done by the investigating officer and is just routinely signed-off by a chief superintendent.

That particular inter alia is one very unusual application of s.8.

The other provisions are the relevant bits.

Any member of AGS may make approaches and receive personal data from boards.ie, as could Revenue or a Local Authority employe, as in theory, could a civil litigant or the Government.

That also suggests it is open to abuse.

FreudianSlippers

conorh91 wrote: »

Just to clarify, the terms and conditions are not in issue. In fact the provision which you quote appears to be to be redundant in most circumstances, since boards.ie has a statutory basis for derogation under s.8 of the DPAs.

It came up recently during a discussion with DeVore.

http://www.boards.ie/vbulletin/showpost.php?p=92390750&postcount=32

After a search, I saw that other people describe section 8 requests/ orders in similar terms - as obligatory, or as being the order of a court. My question is simply that I don't understand this side of things, and I am wondering if others can shed light.

This is not an area I have any competence in so it's mere curiosity on my behalf.

That particular inter alia is one very unusual application of s.8.

The other provisions are the relevant bits.

Any member of AGS may make approaches and receive personal data from boards.ie, as could Revenue or a Local Authority employe, as in theory, could a civil litigant or the Government.

That also suggests it is open to abuse.

There’s more than one element at play in reality. But by no means is the privacy policy redundant. By using boards.ie, you are effectively consenting to the disclosure for various reasons contained therein – broadly this deals with section 8(f)&(h) of the Act.

8(f) "required for the purposes of obtaining legal advice or for the purposes of, or in the course of, legal proceedings in which the person making the disclosure is a party or a witness"

8(h) "made at the request or with the consent of the data subject or to a person acting on his behalf"

The policy also informs users that they may make disclosure pursuant to sections 8(a)&(b) without a Court Order. Both of these are obviously where boards.ie considers it proportionate. Regardless of what anyone says, it’s in their policy and they can do it – we can take DeVore’s word that they will not do it without a Court Order, but legally they are entitled to. Vitally, these sub-sections do not impose any obligation to disclose the information, so it is entirely possible that although boards.ie policy does stipulate that they may do this in theory, they don’t actually do it.

AFAIK, however, there is no such thing as a “Section 8 Order” (at least not vis-à-vis the DPA). What I believe they are referring to is the immediate lifting of the restrictions under the DPA on a data controller where a Court Order is made – i.e. a Norwich Pharmacal Order. That is, the obligation on the data controller which exists under other sub-sections of section 8 to consider proportionality is automatically removed by Court Order.

8(e) "required by or under any enactment or by a rule of law or order of a court"

Section 8(e) ensures that legal obligations (NB from a Court) take precedence over the DPA; it’s vital that the DPC has previously found that statutory obligations do not fall under this section and must still be proportionate and pursuant to one of the other section 8 exceptions.