Investigatory Powers Bill

Written evidence submitted by the Information Commissioner (IPB 14)

Executive Summary:

· The bill is far-reaching with the potential to intrude into the private lives of individuals. The case justifying the measures, the necessity for them, their proportionality and the adequacy of compensatory safeguards must be subject to detailed scrutiny.

· Parliament has a responsibility to scrutinise these provisions, not simply as they stand in the bill but in the wider context of surveillance generally.

· The value of communications data to law enforcement is understood and is also vital to the Commissioner’s own enforcement work.

· There are specific concerns with the bill as drafted as these affect the Commissioner’s ability to perform his regulatory duties, both under the bill and existing legislation:

o The Commissioner’s role in auditing retained communications data needs strengthening with both obligations on telecommunications operators to cooperate and sanctions if they do not cooperate included in the bill itself.

o The disapplication of the requirement under Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426) to report security breaches to the Information Commissioner weakens essential existing regulatory safeguards around the security of data retained by telecommunications operators.

· The Commissioner has concerns about other aspects of the bill:

o The need to retain data for twelve months and the definition of any retention period need to be based on sound evidence that this is the appropriate period.

o Internet connection records can be revealing. Strong justifications for intrusion are required including the reassurance of post legislative scrutiny.

o Provisions for the acquisition of some bulk personal data sets already exist in statute. The established approach could be used for data sets of concern. Consideration should be given to exempting certain data sets involving sensitive personal data, such as those, for example, relating to health data.

o Notices requiring the removal of electronic protection should not be permitted to lead to the removal or weakening of encryption. This technique is vital to help ensure the security of personal data generally.

o The IPC role will be vital, including in improving transparency. The role must be independent and inspire public confidence. Reports should include the value of data to law enforcement outcomes so that continued need and justification can be assessed. The process for notifying individuals of any errors should be strengthened.

Introduction

1. The Information Commissioner has responsibility in the United Kingdom for promoting and enforcing the Data Protection Act 1998 (DPA) and the Freedom of Information Act 2000 (FOIA), the Environmental Information Regulations (EIR) and the Privacy and Electronic Communications Regulations 2003, as amended (PECR). The Information Commissioner also has a more limited supervisory role under the Data Retention Regulations 2014 (DRR 2014) created under the Data Retention and Investigatory Powers Act 2014 (DRIPA).

2. He is independent from government and upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals and taking appropriate action where the law is broken. His activities also include providing advice on policy and other initiatives that engage information rights concerns.

3. This evidence will focus on those aspects of the bill that fall within the Information Commissioner’s direct regulatory remit. It also covers the other aspects of the bill that have an impact on the privacy of individuals.

4. The Information Commissioner recognises that the provisions in the bill are aimed at helping law enforcement and security bodies respond to evolving challenges. Wide ranging powers require very careful consideration of the proportionality of the measures, and the adequacy of any compensatory safeguards. Respect for an individual’s privacy is one of our cherished freedoms. There are significant features of the bill that touch on the lives of all citizens, not just those suspected of involvement in criminality.

5. The wider context of this bill requires recognition that there are also other forms of surveillance by public bodies. Widespread automatic number plate recognition systems (ANPR) result in around 30 million records of the routine use of vehicles being collected every single day, not linked to any suspicion of criminal activity but nevertheless retained in a central database for a number of years. Airline passenger name records can be extensive and largely unseen. Ally to this the extensive network of CCTV cameras, and this technology’s developing capabilities, and there is an increasing danger that we are living in a society where few aspects of our daily private lives are beyond the reach of the state.

6. Parliament has a vital role in considering the bill not only on its own merits but also in the broader context of all these wider developments, many of which have evolved with little, if any, statutory underpinning - but always in the name of improving public security and the capabilities of those who are there to protect us.

7. Measures in the bill which require more extensive information to be retained, make that information available to others in different contexts than for which it was originally collected, and store it for prolonged periods, engage concerns about core data protection and PECR safeguards. These protections are aimed at minimising information risk (such as unwarranted intrusion or the consequences of a security breach).

8. The Information Commissioner’s views on the key aspects of the bill that engage his statutory functions are set out below.

Communications Data

9. The Information Commissioner does understand the value of communications data for investigatory purposes. He has first-hand experience of its evidential value in relation to his own enforcement and prosecution powers and it is important that he is specified in Schedule 4 as a relevant public authority. In particular the power to acquire communications data is essential to his work in prosecuting the unlawful obtaining and disclosure of personal data and in tackling nuisance telephone calls and texts. The lack of this data would impair his ability to take action in areas of increasing public concern.

10. The concept of telecommunications operators retaining data for longer than needed for their own business purposes and then making this available to specified bodies on request is carried forward from existing legislation. The period for retention remains at twelve months. The justification for this period should be clear and reassessed during post legislative scrutiny.

11. The Information Commissioner will be required under clause 210 to audit the integrity, security and destruction of retained data. The bill does not require telecommunications operators to cooperate with the Information Commissioner’s audits on the integrity, security or destruction of data held under a relevant notice from the Secretary of State. Putting a duty on the Information Commissioner to undertake an important oversight role without the accompanying powers in primary legislation to fulfil this duty is a deficiency that needs remedying. Whilst this has not prevented the Information Commissioner from complying with his obligations to date, there have been challenges from telecommunications operators around the extent of the Information Commissioner’s powers. It is our experience, from our wider audit role under the DPA, that organisations cooperate more readily where we have a clear statutory power of audit. Such provisions could also include sanctions for failing to cooperate. The intended approach of including requirements to cooperate in a separate code of practice and in individual retention notices, both drafted by the Secretary of State, falls short of the legal certainty provided by clear and enforceable statutory provisions. This would also provide additional public reassurance on the rigour and independence of the audit process.

12. Retaining more data for longer inevitably engages concerns about the security of the retained data. Whilst it may be possible to ensure that normal business systems holding retained data have the appropriate security safeguards in place, such systems are, by their nature, aimed at facilitating wider business use with greater levels of access. This may pose more of a challenge not only for telecommunications operators to ensure appropriate security but also for the Information Commissioner to audit. Ensuring there is a requirement, either on the face of the legislation or in a subsidiary code of practice, that requires the data to be retained separately from normal business systems may help reduce security risks. This is all the more important given retention of internet connection records (ICRs).

13. Clause 210 requires the Information Commissioner to audit telecommunications operators who are complying with retention notices under Part 4 of the bill. Clause 86 makes clear that persons outside the UK can receive such notices and must have regard to these. It is not clear how this would be achieved in practice with a telecommunications operator in another jurisdiction. This needs clarifying as, otherwise, important compensatory safeguards may not be available in practice.

14. One potentially welcome feature of the bill is the filtering mechanism proposed at clause 58. If this mechanism is effective this could reduce privacy intrusion. However, how this would work in practice would require some attention and close review by the Investigatory Powers Commissioner (IPC) to ensure that it is achieving its aims and not being used in inappropriate ways.

Reporting of data breaches

15. Telecommunications operators have expressed concerns about the implications, for them, of the requirement to ‘dual-report’ data security breaches to both the IPC and the Information Commissioner. There are requirements under existing legislation and the Information Commissioner believes, from his own practical experience, that these concerns about duplication of work have been overstated. The number of such dual reporting security breaches is very small and a small fraction of the total number of security breach notifications by telecommunications operators. If this dual reporting amounted to a significant administrative burden due to the numbers involved, this would call into question the effectiveness of the current telecommunications operators’ security arrangements and would be of concern.

16. Schedule 10 of the bill will remove the obligation to inform the Information Commissioner directly, through an amendment to regulation 5A of PECR, replacing this statutory requirement with one in paragraph 21.40 of the Communications Data draft code of practice that requires the IPC to receive notification of breaches and then consider notifying the Information Commissioner. This has two significant consequences: the regulatory regime around the security of data retained under a notice will be weaker than for other data retained by telecommunications operators, and the UK’s implementation of current and future international legal obligations will be prejudiced.

17. The overall regulatory regime will be weakened in an area that demands even tighter control. Removing the requirement to notify security breaches direct to the Information Commissioner and placing discretion in the hands of a third party with different interests runs the risk that the Information Commissioner will be unaware of breaches and therefore would not be in a position to exercise his range of regulatory sanctions, such as imposing monetary penalties for failure to notify the breach or where serious breaches of PECR and DPA requirements have occurred. This will weaken the regulatory regime in the case of retained communications data and run the risk that telecommunications operators will avoid the stiffer regulatory sanctions such as enforcement and monetary penalties powers that can be deployed by the Information Commissioner as compared to the IPC.

18. The UK’s implementation of international legal obligations will also be put in jeopardy. Regulation 5A of PECR imposes an obligation on telecommunications operators to notify the Information Commissioner, and affected individuals, where a breach of security has occurred in relation to personal data processed in connection with the provision of the service. A telecommunications operator is required to notify the Information Commissioner if a personal data breach occurs. A ‘personal data breach’ means -

"a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service"

The notification requirements in Regulation 5A PECR serve to implement in the UK the provisions of Article 4 (in particular, Article 4.3) of the Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (as amended by Directive 2006/24/EC and Directive 2009/136/EC) - the PEC Directive.

19. In the UK the Information Commissioner is the competent national authority for the purposes of the PEC Directive, and is also supervisory authority for the purposes of the DP Directive. The Information Commissioner therefore has oversight responsibilities in respect of, and regulatory powers over, the protection in the UK of the rights of individuals with regard to the processing of personal data in general, and specifically in respect of such processing in connection with the provision of telecommunications services.

20. There has been recent political agreement on an EU General Data Protection Regulation (GDPR) which is in its final stages of adoption. This also includes security breach notification requirements to the national supervisory authority. It is anticipated that the Information Commissioner would be the UK’s national supervisory authority. The proposed approach would also amount to a potential failure to implement those legal provisions in full. The Information Commissioner can provide a more detailed analysis on this aspect should the Committee require.

21. The Information Commissioner believes that removal of the obligation on telecommunications operators to inform him directly of any personal data breach would render PECR non-compliant with the requirements of the PEC Directive. The approach would also affect the UK’s ability to implement the GDPR which is likely to have full effect in the UK during 2018. It would seem inappropriate for an administrative inconvenience to telecommunications operators to interfere with either the Information Commissioner’s regulatory functions, or the obligations of the UK with respect to conformity with its international legal obligations.

22. The most appropriate way to minimise any administrative burdens caused by dual reporting requirements is to amend paragraph 21:41 of the code of practice to require the Information Commissioner and IPC to agree reporting arrangements designed to minimise the administrative burden on telecommunications operators.

Internet Connection Records

23. Regarding the requirement on telecommunications operators to retain Internet Connection Records (ICRs), although these are portrayed as conveying limited information they can, in reality, go much further and can reveal a great deal about the behaviours and activities of an individual. This could lead to a detailed and intrusive picture of an individual’s interests or concerns being retained and then disclosed. There is also increased risk to all individuals if such retained data are subject to a security breach and that detailed picture of their interests and activities becomes available to third parties. This could lead to unintended consequences and again reinforces the need for specified security requirements for telecommunications operators to safeguard against this risk. The requirement to retain ICRs also adds another dimension to the Information Commissioner’s role, extending the records that must be supervised.

24. Retaining ICRs is an area where there needs to be strong justification. It is not sufficient for the IPC to report on the working of the arrangements; it is the use of the information and its value that is the indicator of whether such intrusion is necessary and proportionate. This information would need to be provided as part of any post legislative scrutiny.

Bulk personal dataset warrants

25. The provisions in the bill around the acquisition of bulk personal data sets require particular scrutiny. It is not clear why existing provisions are considered insufficient. A clearer justification needs to be made of the types of data that are not currently available under existing provisions and why warrant provisions are necessary. These warrant powers should not be available in addition to existing statutory access arrangements.

26. Given the increasing amounts of personal data generated and held in data sets this could be a particularly far reaching and intrusive provision. Whilst the safeguards surrounding authorisation are welcome, and the draft code of practice provides some reassurance, the Information Commissioner remains of the view that there may be some data sets that should be exempted. This is not acknowledged in the bill, or the associated draft code of practice. An obvious example is health data where there are other substantial public policy reasons why such data should not be available in bulk.

27. There are no arrangements for auditing the acquired data and this omission should be rectified. This could include ensuring that only information of value is retained, with measures implemented to delete personal data that is not of interest.

Maintenance of Technical Capability - Removal of Electronic Protection

28. Clause 217 permits the Secretary of State to impose obligations on a relevant operator relating to the removal of electronic protection applied by or on behalf of that relevant operator to any communications or data. This could be a far reaching measure with detrimental consequences to the security of data and safeguards which are essential to the public’s continued confidence in the handling and use of their personal information. The Information Commissioner has repeatedly stressed the importance of encryption to guard against the compromising of personal information. Weakening encryption can have significant consequences for individuals. The constant stream of security breaches only serves to highlight how important encryption is for safeguarding personal information. Weakened encryption safeguards could be exploited by hackers and rogue states intent on harming the UK’s interests.

Oversight arrangements

29. The oversight provisions establishing an Investigatory Powers Commissioner are a positive step. This includes the review of authorisations by a Judicial Commissioner but this falls short of full judicial approval of measures. Measures could be improved by defining the circumstances where individuals are made aware of errors that have affected them, giving them the opportunity to take their own action and hold authorities to account. Expanding the range of matters that the IPC must report on to include a review of the overall operation of the regime would also be a welcome step towards improved transparency.

March 2016

 

Prepared 24th March 2016