21.  Chapter II of Part I of RIPA essentially deals with four matters:

• what categories of communications data should be available;
• who can access it;
• for what purposes; and

subject to what safeguards.

22.  As we have said, the annual report of the IoCC for 2011 states that in that year 494,078 requests were made for access to communications data. The great majority were made under RIPA, though there are a number of other statutory information-gathering powers which can be used by public authorities to acquire communications data. Clause 24 of and Schedule 2 to the draft Bill will amend certain powers in other legislation so that they may not be used in the future to oblige CSPs to disclose communications data. This is intended to consolidate the powers under which communications data can be disclosed.

There is a difference between the numbers of requests, the numbers of people being investigated, and the numbers of crimes being investigated. Many requests may be made in relation to the same person because that person may use a large number of devices (criminals habitually change 'phones on a regular basis to try to evade detection); conversely one request can reveal data on many people. Nor does the number of requests equate to the number of crimes investigated. Many requests can be made during an investigation into a single crime; a significant murder, organised crime or counter-terrorism investigation can involve hundreds of communications data requests.

Data that can be accessed

23.  Data can of course only be accessed if it is available. CSPs are commercial organisations; they generate data only if it is useful and they keep it only for as long as it is necessary, but storage is expensive, and once they no longer have a business purpose for data, they will delete it unless they are required to retain it under the Regulations implementing the Data Retention Directive. Otherwise they are currently under no duty to preserve data, nor will they do so. One of the main drivers of the legislation is to give the Government the power to require CSPs to generate and retain data for which they have no business purpose.

24.  When RIPA was enacted communications were still mainly by post or by phone, though emails were gaining in popularity, and the distinction between communications data and content was relatively straightforward. In the case of post, communications data was what was written on the outside of the item, and the rest was content. Phone calls were calls between landlines, between mobile phones, or between landlines and mobile phones. Communications data is therefore defined in RIPA as three elements:

• traffic data (essentially, data identifying the location of the device to or from which the communication is sent, the equipment through which it is transmitted and the signals actuating equipment);
• use data (data, other than content, about the use made of a service); and

subscriber data (data held by the service provider about the persons to whom it provides the service, other than traffic data or use data).

Accessed by whom?

25.  Section 25(1) of RIPA as originally enacted listed six public authorities permitted to access communications data. These included, in addition to police forces and the intelligence and security services, the National Criminal Intelligence Service and the National Crime Squad, which are now superseded by SOCA,[18] and the Commissioners of Customs and Excise and Commissioners of Inland Revenue, now superseded by HMRC.[19]

26.  In addition, the Secretary of State has power by order to add any public authority. Over the years a large number of authorities have been added in this way.[20] For some, like the Financial Services Authority (FSA), a good case can be made. The inclusion of all local authorities is more controversial; the inclusion of some others seems hard to justify, even though they can access communications data only for limited purposes. In Chapter 4 we give our views on which authorities should appear on the face of the draft Bill, and the procedure which should be followed for any amendments to this list.

Permitted purposes

27.  RIPA, as originally enacted, provided that communications data could be obtained only if to do so was "necessary" on one of the following grounds:[21]

"  (a) in the interests of national security;

(b) for the purpose of preventing or detecting crime or of preventing disorder;

(c) in the interests of the economic well-being of the United Kingdom;

(d) in the interests of public safety;

(e) for the purpose of protecting public health;

(f) for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department;

(g) for the purpose, in an emergency, of preventing death or injury or any damage to a person's physical or mental health, or of mitigating any injury or damage to a person's physical or mental health."

28.  There was also a power for the Secretary of State to add, by order subject to affirmative resolution, "any purpose (not falling within paragraphs (a) to (g)) which is specified for the purposes of this subsection by an order made by the Secretary of State". Two additions have been made under this power:[22]

"  (a) to assist investigations into alleged miscarriages of justice; and

(b) where a person ("P") has died or is unable to identify themselves because of a physical or mental condition—

(i)  to assist in identifying P, or

(ii)  to obtain information about P's next of kin or other persons connected with P or about the reason for P's death or condition."

These are currently the nine permitted purposes. If communications data is not "necessary" for one of these very broad purposes, it cannot be accessed under RIPA.

The safeguards under RIPA

29.  Any of many thousands of police officers may think that communications data is necessary to help them with a criminal investigation. Authorisation therefore has to be given by Designated Senior Officers independent of the inquiry. Designated Senior Officers are trained in considering the impact of necessity, proportionality and collateral intrusion on an individual's privacy. Before an application reaches the Designated Senior Officer, it is channelled through a Single Point of Contact (SPoC). The SPoC is an officer who has undergone formal training, is independent from the investigation, will advise the applicant, and will submit applications for authorisation if, and only if, they meet all the formal requirements, including those of necessity and proportionality. Authorisation is then given by the Designated Senior Officer, also independent from the investigation. If the application is authorised, it is returned to the SPoC officer who will obtain the communications data from the CSP and pass it to the applicant.

30.  The seniority of the officer granting the authorisation is prescribed by an order made by the Secretary of State.[23] In the police forces no officer under the rank of Superintendent can authorise an application for all classes of communications data, though Inspectors can authorise applications for subscriber data. The purposes for which authorisations can be granted are also limited; the police can grant authorisations for all purposes except tax assessment and collection, and the investigation of possible miscarriages of justice, while only HMRC can grant authorisations for tax purposes, and authorisations for investigations into miscarriages of justice can be given only to the Criminal Cases Review Commission and its Scottish equivalent. Fire Control Officers and Control Supervisors in Ambulance Control Rooms can access all communications data, but for the single purpose of dealing with death or injury in an emergency. If they wish to access communications data for preventing or detecting crime, authorisation is needed at a more senior level, and will not extend to traffic data.

31.  Some witnesses suggested to us that the authorisation system was simply a means of rubber-stamping applications.[24] We are satisfied that this is not the case and we explain why in Chapter 5.

32.  An additional safeguard was the creation by section 57 of RIPA of the office of IoCC, one of whose duties is "to keep under review … the exercise and performance, by the persons on whom they are conferred or imposed, of the powers and duties conferred or imposed by or under Chapter II of Part I [of RIPA]". In other words, he inspects the working of the system for access to communications data to make sure that it is done entirely in accordance with the statute, and makes recommendations for improvement when errors occur. The purpose is to reassure the public that intrusion is kept to a minimum and their privacy is respected as far as is consistent with the aims of the legislation. Whether this reassurance is achieved is again something we consider in Chapter 5.

Communications data held overseas

33.  RIPA is drafted so as to attempt to give United Kingdom public authorities a legal basis for requesting communications data from CSPs based overseas if they operate a service in the United Kingdom. However, many overseas CSPs refuse to acknowledge the extra-territorial application of RIPA. The procedure can of course be used to request access to data, and many CSPs will comply but emphasise that they are doing so on a voluntary basis; others will refuse to respond to RIPA requests at all. At that stage the only way in which United Kingdom law enforcement authorities can access the data is through the arrangements for international mutual legal assistance which allow the judicial and prosecuting authorities of one state to seek from the authorities of another state help in the prevention, detection and prosecution of crime. We consider these arrangements in Chapter 6.

19   Paragraph 8 of Schedule 12 to the Serious Crime Act 2007 makes the consequential amendment to section 25 of RIPA. Back

20   The Regulation of Investigatory Powers (Communications Data) Order 2010, SI 2010/480, lists all the relevant public authorities, and gives the ranks of the persons designated to grant access to communications data and the purposes for which they may grant authorisations. Back

21   Section 22(2) Back

22   by the Regulation of Investigatory Powers (Communications Data) (Additional Functions and Amendment) Order 2006, SI 2006/1878, which is now consolidated by the Regulation of Investigatory Powers (Communications Data) Order 2010, SI 2010/480. Back

23   RIPA, section 25(2)-(5) Back

24   E.g. David Davis MP and Dr Gus Hosein, Q 118 Back