1. Comments of the Information Commissioner
on the provisions of the Anti-Terrorism, Crime and Security Bill
relating to the retention of communications data
The Information Commissioner (the Commissioner)
has statutory responsibility for promoting and enforcing the Data
Protection Act 1998 (the 1998 Act). The Act sets legally enforceable
standards in relation to the processing of personal data; it also
gives the Commissioner a statutory duty to raise awareness and
promote good practice in relation to the processing of personal
data. The Act provides a number of safeguards to protect individuals
where others are handling their personal information, but it also
contains provisions modifying these where they would be likely
to prejudice the prevention or detection of crime, the apprehension
and prosecution of offenders or where national security would
be affected. In short, the Act, and the European Union Directive
upon which it is based, seek to balance respect for the privacy
of individual citizens and the need of society to protect itself
against criminal and other subversive activity.
The Human Rights Act 1998 emphasises the need
to interfere with individuals' rights only in limited circumstances
and only to do so in a way that is proportionate to these other
pressing needs. The Commissioner's role is to offer advice on
how an appropriate balance is to be struck.
2. THE NEED
The Commissioner has been aware for some time
of pressure from the law enforcement community to require communications
providers to retain details of communications data. This, it is
claimed, would assist the detection of particular crimes and help
with criminal intelligence gathering. Although such calls have
been made it has not always been clear to what extent such retention
is required beyond the period for which the communications providers
would retain this for their own business reasons. Neither is it
clear what additional retention is realistically required to meet
the law enforcement community's investigatory needs. Questions
relating to the extent of the information required have also remained
largely unanswered. For example, are all aspects of communications
data important or just those elements that may be described as
"the connection data" (limited to matters such as IP
address, connection times and calling line identity)?
Important issues are the relevance of the personal
data, the length of the data retention period for the needs of
the law enforcement community and how far this goes beyond existing
industry practice. Attaching the appropriate weight to these factors
is necessary to avoid affecting the privacy of individual citizens
disproportionately and also placing additional cost burdens upon
communications providers in having to retain large collections
of personal data and continue to manage these to the standards
set down in the 1998 Act.
The Commissioner is aware that the law enforcement
agencies have taken action in relation to communications data
to enable them to follow up particular lines of enquiry resulting
from events on the 11 September. It appears that existing retention
practices have not caused problems in pursuing these lines of
enquiry. More routine law enforcement activities would, therefore,
seem to be relevant when seeking a justification for continued
3. THE EFFECTS
ACT 1998, THE
1999 AND THE
A number of the Act's provisions are relevant,
but of most immediate significance is the requirement that personal
data be held for no longer than necessary for the purpose for
which they were processed. A data controller should not hold personal
data for longer than necessary for its own purpose for processing
the data (5th Principle). The Telecommunications Regulations 1999
introduce more specific provisions relating to traffic and billing
data held by communications providers; the need for retention
would be judged against the continued necessity for its business
purposes such as for sending out a bill, dealing with a disputed
matter or ensuring the security of the network.
Other compliance issues can arise in connection
with the need to process personal data fairly and lawfully, including
having a legitimate basis for processing (1st Principle) and to
ensure that data are relevant and not excessive in relation to
the purpose for processing (3rd Principle). Communications data
may contain, for example, in e-mail headers, information of a
specially sensitive nature (such as health information). Directive
95/46/EC and the 1998 Act impose strict rules regulating the circumstances
in which such data can be processed. Failure to comply with these
Principles can lead to enforcement action by the Commissioner
or legal action by an individual who suffers damage or distress
as a result of the contravention.
Continued retention of communications data by
a communications provider beyond the completion of its own processing
need, in order to satisfy the needs of others, is likely to contravene
the 1998 Act's requirements. The clauses providing for retention
based on the provision of a code of practice or agreement would
not necessarily remedy the situation.
The Bill raises a number of concerns about its
compatibility with Convention rights. While the Bill might engage
a number of Convention rights, the Commissioner's comments focus
on the Article 8 right to respect for private and family life.
The starting point must be that the proposed legislation will
involve an interference with the Article 8 rights of individuals.
The question is whether that interference can be justified under
The first requirement of Article 8(2) is that
the measures proposed are "in accordance with the law".
This requires that interference must have some basis in national
law. The proposed legislation would satisfy this bare requirement.
However, the phrase "in accordance with the law" in
terms of the Convention further requires that the law concerned
must be accessible and precise (ie foreseeable in its consequences).
Where the state has power to carry out investigations involving
an interference with the right to privacy, Article 8 requires
a positive framework of legal rules circumscribing the exercise
of any such power, and incorporating legally binding safeguards
against abuse. The law must indicate the circumstances in which
such interference can occur, its duration, and the limits of the
authorities' powers. Without sight of the proposed statutory code
of practice (clause 101(1)), any agreement with a communications
provider (clause 101(2)) and/or secondary legislation (clause
102) envisaged under the proposed legislation it is not possible
to assess what the legal framework will be in this area. There
must therefore be a concern that the proposed legislation would
be incompatible with Convention rights as it fails to satisfy
this basic requirement for precision and foreseeability in the
delineation of the Secretary of State's powers.
4. CODES AND
This clause in the Bill provides for the Secretary
of State to issue a code of practice relating to the retention
by communications providers of data obtained or held by them.
The Commissioner understands the attraction of the flexibility
in such an approach, particularly where the precise needs have
yet to be determined. The clause provides for the Secretary of
State to include such provisions as he deems necessary for crime
prevention and detection purposes. The clause provides no further
guidance on the matters to be included in such a code or its relationship
with the code produced under section 71 of the Regulation of Investigatory
Powers Act 2000 dealing with the accessing of communications data.
The lack of specific provision gives the Commissioner cause for
concern that any code produced on the basis of the clauses contained
in existing draft provisions would have a number of significant
defects particularly in terms of compliance with the requirements
of the Human Rights Act. The continued absence of clarity as to
what information is necessary for law enforcement purposes, what
the realistic retention needs of these agencies amount to and
the effect on those who seek to comply with the code's provisions
present real difficulties.
The Bill pursues the legitimate aims of national
security, public safety and the prevention of disorder or crime.
Article 8(2) imposes a further requirement that any interference
be "necessary in a democratic society", ie that it fulfils
a "pressing social need" and is "proportionate"
to the legitimate aim pursued. The scope of the powers proposed
to be given to the Secretary of State is immensely broad. The
lack of any overt safeguards against abuse of such powers indicates
a lack of proportionality such as to render the prospective legislation
incompatible with Convention rights.
The extent to which communications data expose
private life varies. Some data reveal either directly or by implication
the content of messages. It appears that those that are least
revealing may be those that are of most value to law enforcement
agencies. Application of the principle of "proportionality"
requires that any proposals for retention address communications
data item by item. A proportionate and human rights compliant
approach would restrict retention to these less revealing and
more valuable data.
The Commissioner is also concerned that a communications
provider would not be in a position to have confidence that adherence
to the code's provisions would ensure compliance with the 1998
Act. As set out above, a number of the Act's requirements would
be relevant particularly regarding processing data for no longer
than necessary for the business purpose, but also in relation
to having a proper basis for processing and the need to ensure
data are not excessive. The clause provides for the admissibility
of the code in legal proceedings. This would have the effect that
the code could be taken into account by the Commissioner when
assessing the processing for compliance or deciding upon enforcement
action. However, the simple existence of a voluntary code containing
provisions relating to retention would not necessarily mean that
such periods were relevant to judging whether data are held longer
than necessary for the communications provider's own purposes.
Once data were no longer needed for the purposes of the communications
provider, they should be deleted. The proposed legislation imposes
no duty to retain for the law enforcement purposes of public authorities;
it is not clear how the simple power proposed can overcome the
duty to delete imposed by the 1998 Act. Concerns over Human Rights
Act compliance would further weaken the reliance to be placed
on such a code in an enforcement context.
The clause also contains a provision relating
to the Secretary of State entering into "agreements".
Any such agreement would suffer from all the defects described
above in relation to the code of practice. This provision has
the additional problem of creating uncertainty about the relationship
between an existing code and a specific agreement with a particular
provider. It is not clear whether such an agreement could weaken
or otherwise alter provisions set down in the proposed code benefiting
from previous consultation with interested parties. This lack
of precision as to effect and consequences underscores the concerns
about the propriety of such an approach.
The clause provides for consultation with communications
providers at the point of production or revision of a code. There
are a number of other interested parties who should be involved
in any consultation process. Given the Commissioner's role in
enforcing legislation affecting the retention of data it is essential
that she be included formally in the consultation process. Given
that it is individuals whose data will be retained and possibly
accessed by third parties then consideration should be given to
consulting formally on a Code with appropriate representatives
of the wider community. An appropriate model may be found at section
51(3) of the 1998 Act as this requires the Commissioner to consult
with both trade associations and representatives of data subjects
as appear appropriate prior to production of a data protection
code of practice. The final code should also be drawn to the attention
of affected parties, not just to communications providers.
If there is a need to retain data for longer
than a communications provider would for their own purposes in
order to prevent and detect crime then a statutory duty to retain
would provide the necessary certainty for communications providers
that such retention would not contravene the 1998 Act. If continued
retention is necessary then this approach should be adopted rather
than left as an alternative to be considered at a later date.
A statutory duty would provide a proper basis for processing by
a communications provider.
Although a statutory duty to retain is attractive,
the mechanism envisaged by this clause is problematic. Although
the Secretary of State requires an order before he can make directions,
the order making power does not appear to result in the direction
itself being subject to the same scrutiny. The inclusion of a
requirement for an order to specify a maximum period for retention
permitted in any direction is helpful. However, once the Secretary
of State has the power then, subject to any necessary consultations,
he will still enjoy a substantial amount of discretion over the
content of any directions. This is of concern.
The clause provides for consultation with communications
providers before the Secretary of State issues a direction. The
earlier comments in relation to consultation on codes of practice
and agreements are equally relevant here. The Commissioner would
expect to be consulted formally about directions applying to communications
The inclusion of a provision (clause 103) causing
the order making power to lapse if unused for two years is a helpful
mechanism to ensure scrutiny of the continued need for such a
power. However, there is no linkage between the taking of the
power and the issuing of directions. It is possible that the power
could be taken to preserve the possibility of directions at a
If communications providers are expected to
retain data beyond their own needs this will inevitably incur
an additional financial burden not only in terms of storage but
also in relation to the cost of ensuring that they hold the data
to the standards set by the 1998 Act. They must, for example,
ensure appropriate security and facilitate individuals' access
rights. It is not for the Commissioner to comment on the propriety
of reimbursing costs; however, consideration should be given to
establishing a regime that reinforces the need for those seeking
retention to act in a proportionate manner.
7. OTHER OBSERVATIONS
The time available for consideration of this
important issue may mean that other options that might have a
lesser impact in terms of personal privacy are not explored. Consideration
could be given to the possibility of establishing a trusted third
party who would retain the communications data (perhaps in an
encrypted form with restricted access to the keys) beyond the
needs of the communications provider. Such a third party would
need to be independent of the law enforcement community, communications
industry and government: some form of judicial control might be
Consideration should also be given to the need
to preserve data in specific circumstances rather than rely on
a long period of general retention. Law enforcement agencies in
many instances become aware of the need to access communications
data quite soon after a crime has been committed although they
may not possess the resources to examine the data before deletion.
A facility to preserve communications data in limited specified
circumstances might be worthy of consideration.