Column Number: 003
First Standing Committee on Delegated Legislation
Thursday 13 November 2003
[Mr. Edward O'Hara in the Chair]
Draft Retention of Communications Data (Code of Practice) Order 2003
The Minister for Crime Reduction, Policing and Community Safety (Ms Hazel Blears): I beg to move,
That the Committee has considered the draft Retention of Communications Data (Code of Practice) Order 2003.
The Chairman: With this it will be convenient to consider the draft Retention of Communications Data (Extension of Initial Period) Order 2003.
Ms Blears: I am delighted to welcome hon. Members to the Committee. The two draft orders are made under sections 103(5) and 105(3) of the Anti-terrorism, Crime and Security Act 2001. The first order is made under section 103(5) of the Act, part 11 of which allows for the publication of a code of practice for the voluntary retention of communications data by the communications service providers. Before I explain its purpose and intention, I wish to apologise to the Committee for the need to have withdrawn and re-laid the order, which was originally laid before Parliament on 11 September this year. I understand that the reference to the code of practice in article 2 of the initial order did not precisely replicate the title of the code. That was due to human error.
I am aware that some members of the Committee are extremely well versed and expert in the matters under discussion, so they will know that the order is not about retention of the content of communications; for example, the content of telephone calls or e-mails. It is about the retention of related communications data, such as information about the telephone subscriber, the numbers dialled or addresses to which e-mails have been sent. It concerns trafficking information, not the actual content. It is important to make that distinction because when such matters were discussed in the past, the wrong impression was given and that led to a great deal of public anxiety. Trafficking and subscriber information is a vital tool in investigations into terrorist incidents.
The purpose of the order is to bring into force the draft code of practice on the retention of communications data that was prepared by the Secretary of State under section 102 of the Act. The purpose of the code is to allow communications service providers to retain data for an extended period beyond their usual business practice, should it not be as great as that shown in the code, for the purpose of safeguarding national security. Appendix A to the code sets out in some detail the sort of information required, such as subscriber details, telephony and e-mail data, internet service provider data and the various periods for which retention is authorised under the code should it be in excess of the period for which it would usually be retained for business purposes.
I wish to make it absolutely clear that the code relates to information that is already kept by communications service providers for their own business purposes. There is no requirement in the code for people to collect new forms and categories of information. It will not be a further burden on businesses. It will concern information that they carry already.
Mr. Dominic Grieve (Beaconsfield): I am a little startled by the Minister's comments. She must acknowledge that there will be cost implications for service providers. Admittedly, they already keep such material, but they will now be asked to keep it for much longer than they would do usually.
Ms Blears: The hon. Gentleman makes a fair point. I am sure that he will know that there is provision for financial support for those who volunteer to take part in the code. Some £4 million remains in this year's budget to help companies with any extra costs that they might incur as a result of the code. Clearly, the issue of cost was a factor in the extensive consultation process—held, admittedly, over a fairly long period—that helped us to draw up the code.
The code does two things: first, it identifies the types of data that the Government would like communications service providers to retain; secondly, it sets out how long the Government would like the data to be retained. Data retention relates to the storage of everyone's communications data; it does not discriminate between people. In other words, a data retention scheme will involve data relating to possible terrorists and non-terrorists alike. I suppose that there is a degree of equity, in that everyone's privacy is invaded to the same degree. We are talking about a blanket provision.
I would like to make the distinction between data retention and data preservation; the latter is much more targeted and is more of an individual, case-by-case analysis. Data preservation is the storage of data that relate only to individuals already under suspicion. It is clear to the Government that data preservation can never replace data retention. In many situations, suspects come under suspicion only many months after the incident under investigation took place.
Brian White (Milton Keynes, North-East): Businesses keep data for their own purposes—for network security—for a short period. What happens if the security agencies find out some information many months down the line, and the relevant data have already gone because of the normal workings of companies? Is not that, and the costs associated with it, the fundamental problem that needs to be addressed?
Ms Blears: That is one reason that we are seeking to introduce the code of practice. If data have already been disposed of, they cannot be recovered. It is therefore essential that we can intervene as early as possible to give companies guidance on what needs to be retained in case it is needed later.
Clearly, if information has already been disposed of, very little can be done to rescue it. We want a coherent system in which companies know what is expected of them, so they are not placed in a position in which they want to help, as many would do, but cannot. Industry has been tremendously co-operative on that issue. It wants to assist Government in the fight against crime and terrorism, and it is a key partner. We do not want to place industry in a position where it has destroyed information that it might later regret having destroyed because it could have assisted in the fight against crime. That is a real reason for the code to come into play.
I wanted to make the distinction between data preservation and data retention because I think that it has led to a little confusion. What we are talking about under the code is blanket retention of data that we might need later. Data preservation, on the other hand, would be more relevant on a case-by-case basis. That brings into play the issues of proportionality and necessity, which I am sure we will explore at some length in Committee.
As I have said, experience suggests that we are unlikely to know the identity of the perpetrators of an attack as soon as it takes place. Only painstaking investigative work done after an incident identifies the communications trails of those that commit the kind of terrorist outrages that we have in mind. That painstaking investigation is possible only if the communications data have been retained—that is the point made by my hon. Friend the Member for Milton Keynes, North-East (Brian White)—and that is why there is a clear need for the retention of data.
I would like to remind everyone that data retention is, in this context, an anti-terrorism measure, and that the threat of terrorism, which gave impetus to the introduction of the Act, is as clear and present today as it was when the Act was passed in 2001.
Mr. Richard Allan (Sheffield, Hallam): The Minister has stressed throughout that we are talking about an anti-terrorism measure—quite correctly, as it arises from something called the Anti-terrorism, Crime and Security Act 2001—in the context of a section on which the Government accepted an amendment that defined the data as being retained specifically for the purposes of combating terrorism.
The Minister will, of course, be aware of a slew of legal opinion that suggests that if the data are retained under the Act for the purposes of combating terrorism, they cannot be ring-fenced, and they will be available under the wider provisions of the Regulation of Investigatory Powers Act 2000. They may even be available under civil court orders for people who know that the data are there and want to cite them in evidence in a civil case. Can the Minister give us an up-to-date statement of the Government's view of that position? Does she feel that the data can be ring-fenced for anti-terrorism purposes, or will they be available for all the other reasons, too?
Ms Blears: At the heart of the debate is what hon. Members have referred to as the disparity, or divergence, between the reason for retaining the data—clearly, that is anti-terrorism—and the method by which they may be accessed. It is primarily accessed through the RIPA powers, and possibly through others. I shall make some substantive comments on disparity, as that also reflects on whether data can be used and on the nature of the transaction that is taking place when access is sought. We are going to get into the question whether this is a public authority, a functional public authority or a private business undertaking a public function. All those matters can be explored—and if I get through my speech, I hope to address them all.
Mr. Grieve: I was slightly surprised by the question asked of the Minister whether she could confirm that it was not possible to ring-fence the data. Surely, it is possible to ring-fence them. The Government have, as a matter of policy, chosen not to do that.
Ms Blears: Hon. Members will be aware that an amendment on whether the data should be ring-fenced for anti-terrorism measures was tabled in the House of Lords. I understand that it was not pressed and Parliament accepted the current position on the possibility of information gathered under the anti-terrorism legislation being used under a different legal framework under the RIPA powers.