Recently we were asked what laws govern the collection of open-source intelligence (OSINT); this was our response.
Collecting OSINT is commonly used by orgs/businesses (O&B) to gather info about their competitors and customers, and for due diligence purposes. In the UK, O&B must be aware of and comply with the laws/regulations that govern data protection/privacy.
The General Data Protection Regulation (GDPR) is a regulation of the EU that came into effect in May 2018. GDPR applies to any company that processes the personal data of anyone in the EU, regardless of where the company is based. In the UK, GDPR was incorporated into law through the Data Protection Act 2018 (DPA). Since the UK left the EU, a new version of the law applies, known as ‘UK GDPR’.
The legislation outlines that orgs –
1. must have a ‘lawful reason’ to collect and process personal data, and must take steps to protect the security of that data
2. must be transparent about their data collection practices or risk fines from the Information Commissioner’s Office (ICO)
3. must have clear knowledge of the requirements for OSINT collection under data-protection (DP) legislation
4. must conduct regular audits of their data collection practices and implement policies/procedures in accordance with ICO guidance and DP legislation
VALKYRIE (GB) LIMITED have previously posted about the Regulation of Investigatory Powers Act 2000 (RIPA). RIPA was originally introduced to legislate the way the police/govt agencies intercepted and monitored communications, including those that may be used in OSINT collection. RIPA is quite specific, requiring agencies to justify their activities as necessary and proportionate. The types of activities covered by RIPA are: conducting covert surveillance in public places, collecting communications data, intercepting communications and using covert human intelligence sources.
Businesses can also be subject to the powers under RIPA. For example, a private org, or the private contractors it uses, may be authorised to act under RIPA if that org is contracted by a govt entity to carry out an activity that may amount to directed surveillance.
Other legislation that governs OSINT collection includes the Computer Misuse Act 1990, which makes it illegal to gain unauthorised access (e.g. hacking) to computer systems/networks, and the Human Rights Act 1998, which protects the right to privacy and family life.
When collecting OSINT in the UK, it is important to ensure that you are not violating any of these laws and regulations. This may involve obtaining consent from individuals before collecting their personal data, using only lawful methods to access computer systems and networks, and ensuring that any surveillance/intercept activities are properly authorised and proportionate. Failure to comply with these laws can result in prosecution of the org involved.