Memorandum submitted by Orange UK
1.1 Orange welcomes the House of Commons
Home Affairs Select Committee inquiry into "a surveillance
society". With mobile phone penetration at over 80% of the
UK population and broadband penetration continuing to grow, the
role of electronic communications has become an important factor
in building a case of evidence in the fight against crime and
1.2 Despite the value of such data, it is
vital that government and its agencies meet the right balance
between protecting individuals' privacy and accessing data in
an appropriate way to help them in their investigations. It is
also important that commercial organisations have processes in
place to ensure that privacy is protected in meeting the requirements
of the Data Protection Act 1998.
1.3 Orange is a key brand of the France
Telecom Group, providing mobile, broadband, fixed, business and
entertainment services across Europe. It is one of the world's
leading telecommunications operators with more than 168 million
customers on five continents. In June 2006, Orange merged with
Wanadoo, a leading Internet Service Provider (ISP) and now, under
a single brand, offers mobile, broadband and multi-play offers,
including digital television and home phone services.
1.4 We recognise that, as a leading UK communications
provider with over 16 million customers, and as part of the Critical
National Infrastructure (CNI), we need to co-operate and assist
government and its agencies in their work. Orange has a dedicated
Government Liaison, Disclosures & Abuse Management Team that
works with both government and law enforcement agencies to provide
the necessary information needed to aid an investigation.
2. DATA RETENTION:
2.1 In line with the Data Protection Act,
Orange holds data for as long as is required for business purposes.
We have strict processes to protect this data and the privacy
of our customers (see below). We are also required to hold specific
data as defined and required under the Data Retention (EC Directive)
Regulations 2007 (which entered into force on 1 October 2007).for
a period of 12 months.
2.2 Orange provides data to law enforcement
and government agencies in accordance with the Regulation of Investigatory
Powers Act 2000 (RIPA). RIPA creates a legal and fully regulated
basis for the demand by Law Enforcement and Government agencies
for the disclosure of subscriber information, itemised billing
and other communications data. However, in cases such as dropped
999 calls, we may respond to requests for subscriber details under
data protection legislation in order to speed up this process.
RIPA also allows for requests to be prioritised in line with the
ACPO DCG (Association of Chief Police Officers Data Communications
Group) National Prioritisation Grading system. In "life at
risk" situations, a request can be made verbally under RIPA,
and we will provide real time location information to the requesting
agency 24-hours a day. The information is not an exact location
but provides a good starting point for the police in their search
for a missing or abducted person.
2.3 RIPA places an obligation on the authority
requesting the information (and not the organisation which holds
the data ie Orange) to prove the proportionality and justification
for the request and the subsequent disclosure of the data. Orange
is fully supportive of the Single Point of Contact (SPOC) procedure
which facilitates the acquisition and disclosure of communications
data between service providers and law enforcement agencies. However,
we believe SPOCs could be given a higher profile within all law
enforcement agencies as communications data becomes more important
in criminal and terrorist investigations. We are working with
ACPO DCG to address this issue.
2.4 The oversight of these powers is provided
by the Interception Commissioner. Orange believes RIPA provides
an appropriate balance between civil liberties and security. However,
this is an issue that needs to be kept under constant review as
technology changes. A careful balance needs to be met between
maintaining the privacy of our customers and providing essential
data for criminal and terrorist investigations. Orange works within
the regulatory framework (see above) to maintain this balance
and, whilst we regularly discuss this with government and law
enforcement agencies, we believe it is the Government's, rather
than a commercial operator's, decision to ascertain whether it
adequately meets the balance between security and privacy.
3. DATA PROTECTION:
3.1 Orange takes its responsibility to protect
the confidentiality of customer's personal data very seriously.
Oversight of this is regulated and enforced by the Information
Commissioner and the Government is committed to strengthening
its powers to give it access to inspect our processes to ensure
we are doing this.
3.2 Orange employs a number of techniques
to ensure customers are safeguarded from attempts to fraudulently
access account information. We also use a number of processes
to monitor our staff's access of customer accounts to ensure such
access is warranted. We regularly review and adapt our information
security procedures to ensure they are effective.
3.3 Orange is certified to the International
Standard for Information Security (ISO27001), and audits are run
against this every six months to ensure we are compliant. We therefore
continuously monitor, evaluate and improve our controls across
the full scope of our business and we have a focus on customer
data ahead of any other type of information.
3.4 Orange does not send large amounts of
sensitive customer data by internal or external mail. In cases
where we have to send data by these methods, the data is generally
less sensitive in its nature or composition, or we protect it
by encryption techniques for electronic media and by other physical
methods for other media types. Most of our data is moved internally
by automated transfers between machines and systems, and these
transfers are within our corporate perimeter with its security
measures. Such flows are protected where appropriate, depending
on the type of data and the aggregation of data we need to send,
and where such protection can be applied within system limitations.