This form has been designed by a committee representing both Police forces and Internet Service Providers and meeting under the auspices of ACPO. This committee aimed to produce a single form that would be recognised by all ISPs and contained precisely the information they needed. Police forces are therefore requested to use the form exactly as provided except of course for replacing the Force name, logo, and details with their own and possibly modifying the notes on the back to refer to their specific procedures. Use of this form will allow ISPs to streamline the handling of requests for personal data.

Section 28(3) of the Data Protection Act gives ISPs the authority to release personal data to the police provided that certain criteria are met; in addition, the Data Protection Registrar has placed further interpretations on the Act. Failure to meet these criteria could mean that the ISP, the requesting officer, or both are committing a criminal offence. For these reasons the form must be completed properly and the wording must not be changed.

Note 1

The form should be addressed to the ISP as a company, and not to a specific person or department. The form would normally be sent with a covering letter or fax, and that can of course be addressed more specifically.

Note 2

This space is reserved for the ISP to use. If you have contacted the ISP ahead of time they may provide you with a reference to place there. Otherwise leave it blank. If you contact the ISP again about this request you should quote that reference.

Note 3

There tend to be two kinds of request:

1. A "real world" datum - such as a name, address, or telephone number - is known and the requesting officer has reason to believe the subject has an account with the ISP and wishes to identify that account.

If a name is given, the ISP will search for accounts held in that name. Unless the name is an unusual one, other information such as an address or telephone number will probably be necessary. Section 28(3) may not be used for "trawling" ISP records, and the ISP should refuse to give details if more than about four unrelated accounts match the data given.

If an address or telephone number is given, the ISP will search for accounts where the customer's records include that address or telephone number. Officers should be aware that not all ISPs are able to search by address or by telephone number.

2. A "cyberspace" datum - such as email address, account name, or web page URL - is known and the requesting officer is attempting to identify the person behind that identifier.

If an email address is given, the ISP will provide details of the account that has that address. In general an email address looks like fred@xxx.com and will always include an @ sign. An email address will sometimes have the format Fred Bloggs <fred@xxx.com> where there is a "comment" associated with the address. This comment is created by the person sending the email and so need bear no resemblance to the actual account holder's name. Therefore the complete email address should always be quoted. It is easy to forge email addresses in many contexts, and therefore the complete message or posting that is being used as a source of information - including any header lines - should be attached to the request.

If an IP address is given an explanation of why this is provided must be attached. If the date and time that the address was used is known, this should be included as well. Some ISPs allocate IP addresses from a central pool, and so the address alone does not identify an account because it would have been used by many different accounts.

If a web URL is provided the ISP will provide details of the account operating the relevant web site or part of the site. A URL is the "address" of a web page, and typically looks like http://www.xxx.com/abc/def.html - it will be displayed by a web browser when viewing the page. Whenever possible a printout of the page should be included with the form to allow the ISP to confirm that the correct page is being viewed.

Some web sites use a technique called "frames", where two or more pages are displayed on the screen at the same time. When this happens the URL displayed by the browser will be that of one of the pages and does not identify the other pages (which could be part of a different site). In this case the actions taken to reach the page should be described and a printout must be attached, annotated to indicate which specific page is of interest.

Note 4

If other information is required, it should be specified here and an explanation of why it is needed should be attached to the form. It is not acceptable to request "all information known about the account". Not all ISPs may not be able to provide certain kinds of information conveniently or even at all, and some data may only be held for a certain length of time. If in doubt, the specifics of the situation should be discussed informally with the ISP before making the request; it may be possible to identify some item of data that meets the Police requirement while being convenient for the ISP to provide.

Note 5

Give here enough information that the recipient can make an decision whether to disclose in accordance with your declaration. This information must relate to the specific case that is being investigated, and a clear explanation must be given as to why you need this information and why you will be hindered if it is not provided.

Note 6

There are some rare situations where such an explanation would itself prejudice the case (for example, where you have evidence pointing at an unknown member of the ISP's staff) and in these cases you can tick this and leave the previous section blank.

Note 7

The requesting officer should attach any relevant items mentioned in this guidance, and any other material that the ISP might find useful for processing the request. The attachments should be numbered and carry the case reference given on the form (see note 8). The ISP can only make use of material attached in this way when determining whether or not to respond to the request.

If any information is attached, the box on the form must be ticked and the number of pages given.

Note 8

The requesting officer should specify the case number, file number, case name, or any other reference that identifies the investigation being made. It is possible that the ISP will need to contact the Force making the request months or even years later, and it is essential that the specific case can be identified without needing to contact the original requesting officer. Individual Police forces will have their own policies for this identifier, and it need not be meaningful to the ISP (except that it should be clear when several requests relate to the same investigation).

The Data Protection Act only allows release of information where both the information is required for one of the purposes listed and failure to disclose the data would be likely to prejudice the matter. This form must not be used where the only purpose is to confirm known facts, for general intelligence, or for administrative reasons.

Note 9

The ISP is only permitted to reveal personal data if they are reasonably convinced that the two conditions mentioned above are true, and the Data Protection Registrar has issued guidance concerning statements from Police officers. To protect both the ISPs and the requesting officer from inadvertently breaching the Act, it has been agreed that the ISP will refuse this request if:

• the form has not been signed by both requesting officer and authorising officer and their full details given, or
• the authorising officer is not of a rank senior to that of the requesting officer, or
• the authorising officer is below the rank of Inspector.

The requesting and authorising officers should be aware that they are each making a statement that the two conditions are true, and that obtaining personal data under false pretences may be a criminal offence.

---