Open-source intelligence (OSINT) is loosely defined as the collection and analysis of publicly available information to support decision-making. While that definition is broadly accurate, it can create the mistaken impression that anything publicly accessible is automatically fair game.
In reality, OSINT practitioners operate within a legal and ethical framework that influences how information is collected, stored, analysed, shared, and acted upon within their jurisdiction. Whether you work in law enforcement, government, journalism, corporate security, fraud investigations, due diligence, private investigation, or cyber threat intelligence, understanding the legislation that shapes your work is essential.
This article provides an overview of the key UK laws that OSINT practitioners should familiarise themselves with. It is not legal advice, but rather a starting point for understanding the legal environment in which investigations take place.
Why Legal Knowledge Matters
The consequences of misunderstanding legal requirements can be significant. Potential outcomes include:
- Regulatory action
- Civil litigation
- Reputational damage
- Loss of client trust
- Exclusion of evidence from proceedings
- Criminal liability in extreme cases
Understanding the law also helps investigators recognise opportunities and limitations. Rather than viewing legislation as a barrier, experienced practitioners use it as a framework that helps them conduct investigations responsibly and defensibly.
UK GDPR and the Data Protection Act 2018
For many OSINT practitioners, data protection legislation is the most relevant area of law.
The UK General Data Protection Regulation (UK GDPR), alongside the Data Protection Act 2018, governs how personal data is processed.
Personal data remains personal data regardless of regardless of whether it is publicly available or not, including if it appears on:
- Social media profiles
- Company records
- News articles
- Professional registers
- Public forums
- Electoral records
The key question is not whether information is public, but whether there is a lawful basis for processing it. Depending on the organisation and purpose, lawful bases may include:
- Legitimate interests
- Legal obligations
- Consent
- Contractual necessity
OSINT practitioners should understand:
- What constitutes personal data
- Principles of data minimisation
- Data retention requirements
- Accuracy obligations
- Security requirements
- Subject access rights
Good investigators collect information that is necessary and proportionate rather than gathering everything available simply because they can.
Human Rights Act 1998
The Human Rights Act incorporates the European Convention on Human Rights into UK law.
Of particular relevance to OSINT is Article 8, which protects an individual's right to respect for private and family life. Courts have repeatedly shown us that just because information is shared online, does not mean that privacy considerations don't apply. Factors that may influence privacy expectations include:
- The nature of the information
- How it was obtained
- Whether access restrictions existed
- The individual's role and public profile
- The purpose of the investigation
When conducting investigations, practitioners should consider whether their activity is necessary, proportionate, and justified by a legitimate purpose.
Computer Misuse Act 1990
The Computer Misuse Act is particularly important for investigators working online. The legislation criminalises unauthorised access to computer systems and data. Examples of activity that may raise concerns include:
- Accessing systems without permission
- Using compromised credentials
- Circumventing access controls
- Exploiting vulnerabilities
- Downloading information from systems without authorisation
For OSINT practitioners, the principle is relatively straightforward: Publicly available information is generally acceptable to access. Information that requires bypassing security measures is likely to fall outside legitimate OSINT activity. The distinction between OSINT and intrusion must remain clear.
Regulation of Investigatory Powers Act (RIPA) and Investigatory Powers Act (IPA)
Investigators working in law enforcement, government, and certain public bodies should be familiar with surveillance legislation. The Regulation of Investigatory Powers Act 2000 (RIPA) and the Investigatory Powers Act 2016 provide legal frameworks for surveillance and communications-related activities.
Although many OSINT practitioners are not directly conducting surveillance under these powers, it is important to understand where the boundaries exist.
Questions may arise around:
- Directed surveillance
- Covert online activity
- Use of undercover identities
- Monitoring online communities
- Collection of communications data
Public sector investigators should ensure that OSINT activity aligns with organisational policies and authorisation procedures.
Research Versus Directed Surveillance
In many investigations, an investigator may visit a subject's publicly accessible social media profile to establish identity, gather intelligence or preserve evidence.
A single examination of publicly available information as part of an investigation will not normally amount to directed surveillance.
However, the position may change where investigators repeatedly return to the same account or online presence over a period of time to monitor activity.
Examples may include:
- Checking a suspect's Facebook profile every morning.
- Monitoring an individual's Instagram stories throughout an investigation.
- Regularly reviewing LinkedIn activity to identify changes in employment.
- Repeatedly visiting online forums to observe the behaviour of a specific user.
At this point, the activity becomes less about collecting existing information and more about observing an individual's ongoing behaviour.
For public authorities, this may amount to directed surveillance and require appropriate authorisation under RIPA.
Exactly when that threshold is reached will depend on the circumstances of the investigation, organisational policy, and the applicable Codes of Practice. Investigators should always follow their organisation's legal guidance and authorisation procedures.
Covert Online Identities
Another consideration under RIPA is the use of covert identities for research accounts.
Simply viewing publicly available information without interacting with a subject will often have different legal implications from:
- Sending friend requests.
- Joining closed groups.
- Establishing covert online personas.
- Engaging directly with subjects.
Many organisations require additional governance where investigators create or deploy covert online identities, even where no interaction ultimately occurs.
Automated Monitoring
Some organisations distinguish between human monitoring and automated monitoring.
For example, investigators may configure software to generate alerts when:
- A specific keyword is mentioned.
- A username posts new content.
- A company receives media coverage.
- A social media profile changes.
One view adopted by some organisations is that automated alerting does not necessarily constitute directed surveillance because no investigator is actively observing the subject until an alert is generated.
However, this is not a universally accepted interpretation. Organisations should establish clear internal policies covering the use of automated monitoring tools, taking legal advice where appropriate.
Protection from Harassment Act 1997
Repeated online research may occasionally bring investigators into contact with subjects multiple times. While legitimate investigations are generally unlikely to meet the legal threshold, practitioners should understand the principles behind harassment legislation.
Potential risks can arise when investigations involve:
- Repeated contact attempts
- Monitoring specific individuals over long periods
- Direct engagement with subjects
- Behaviour that could reasonably cause alarm or distress
Maintaining professional boundaries and documenting investigative rationale can help mitigate concerns.
Defamation Act 2013
OSINT findings are often shared through reports, intelligence products, briefings, and presentations. The Defamation Act highlights the importance of accuracy when communicating findings if these reports are made public.
Investigators should:
- Clearly distinguish facts from assessments
- Identify confidence levels where appropriate
- Cite sources
- Avoid unsupported allegations
- Document investigative reasoning
A poorly evidenced allegation can create significant legal and reputational risks for both investigators and their organisations.
Copyright, Designs and Patents Act 1988
OSINT investigations frequently involve collecting material created by others.
Examples include:
- Photographs
- Videos
- Articles
- Reports
- Social media content
Although content may be publicly visible, copyright protections still apply. Practitioners should understand:
- Fair dealing provisions
- Attribution requirements
- Internal versus external use
- Reproduction restrictions
Particular care should be taken when publishing intelligence products externally or incorporating third-party content into training materials and reports.
Freedom of Information Act 2000
Freedom of Information Act 2000
The Freedom of Information Act (FOIA) plays two important roles for OSINT practitioners.
Firstly, it provides a mechanism for obtaining information that is not already proactively published by public authorities. Secondly, investigators working within public sector organisations should be aware that information they create during the course of an investigation may itself become the subject of a Freedom of Information request.
Using FOIA to Obtain Information
The Freedom of Information Act gives individuals the right to request recorded information held by public authorities, subject to a number of exemptions. For investigators, FOIA can provide access to information such as:
- Government decision-making
- Procurement and contract information
- Public spending
- Policies and procedures
- Regulatory activity
- Inspection reports
- Statistics and datasets
- Historical records
FOIA and Public Sector Investigators
Investigators working for police forces, local authorities, regulators and other public bodies should also understand that the records they create may be requested under the Freedom of Information Act.
Examples may include:
- Investigation reports
- Emails
- Internal correspondence
- Policies
- Statistical information
- Guidance documents
This does not mean that sensitive investigations will automatically be disclosed. The Act contains a range of exemptions protecting information relating to law enforcement, national security, personal data, commercial interests and ongoing investigations. However, investigators should assume that routine correspondence, notes and reports could be scrutinised at a later date if no exemption applies.
For this reason, investigative records should always be:
- Accurate
- Professional
- Objective
- Evidence-based
- Free from unnecessary opinion or speculation
Good record keeping not only supports investigations but also helps organisations respond appropriately to future information requests.
The Importance of Organisational Policies
Legislation is only one part of the picture. Many organisations impose additional requirements through:
- Acceptable use policies
- Investigation policies
- Privacy policies
- Social media policies
- Information security standards
- Intelligence handling procedures
An activity that is legally permissible may still violate organisational policy. Professional investigators understand both the law and the rules governing their organisation.
Ethics Beyond the Law
Not everything that is legal is necessarily ethical. A useful question for practitioners is:
"Could I justify this collection activity if it were reviewed by a regulator, client, court, journalist, or senior manager?"
Ethical considerations may include:
- Necessity
- Proportionality
- Transparency
- Bias
- Privacy impact
- Potential harm
Strong ethical standards often protect investigators from making decisions that later become difficult to defend.
Final Thoughts
The legal framework surrounding OSINT is often misunderstood. Most legislation does not prohibit OSINT activity itself. Instead, it governs how information is collected, processed, stored, and used.
For UK practitioners, familiarity with data protection law, privacy rights, computer misuse legislation, surveillance legislation, defamation, copyright, and information access laws provides a solid foundation for conducting investigations responsibly.
Laws will continue to evolve alongside technology, artificial intelligence, social media platforms, and emerging investigative techniques. The most effective OSINT practitioners therefore treat legal and ethical awareness as an ongoing professional skill rather than a one-time learning exercise.
Understanding the law will not only help you avoid risk—it will help you conduct investigations that are more professional, defensible, and trusted by decision-makers.
Get new handbook chapters as they go live.
Join the Intelligence with Steve community for new guides, member-only articles and training updates.
Join free