5 Safeguards
148. The draft legislation includes various safeguards
to ensure that the communications data regime operates safely
and effectively with checks and balances. Some of these safeguards
are not as strong or as clear as they could be.
Definitions of communications data
149. We believe that one of the central safeguards
is ensuring that the definitions in the draft Bill are clear and
appropriate and do not raise the risk that communications data
will include information other than what is really needed by law
enforcement and other bodies.
THE DEFINITION OF CONTENT
150. The Government has repeatedly assured us
that nothing in the draft Bill will allow access to the content
of a communication. The Home Secretary emphasised this point:
"I am absolutely clear that the key data we want is the who,
when, where and how. That is clear, and there is no intention
of going beyond that into content or anything..."[102]
There is nevertheless debate about whether the legislation
ensures that content cannot be accessed.
151. Clauses 1(4) and 9(5)(a) both explicitly
prohibit the interception of communications in the course of their
transmission. Content itself is never defined in the legislation,
although it is referred to. The draft Bill's definition of "use
data" explicitly excludes the content of a communication
but the definitions of traffic and subscriber data have no similar
exclusions (see Box 8).
152. These drafting issues have given some of
our witnesses the impression that traffic and subscriber data
may include content. For example, JANET, a private data network
that connects universities, colleges, research organisations and
schools networks to each other and to the internet, stated in
its written evidence that "Indeed since, unlike clause 28(4)
defining use data, clause 28(5) does not exclude the content of
communications, it appears that communications data would also
include the content of all the user's messages that were held
by the telecommunications operator".
153. This illustrates a common fear. The content
of user messages (e-mails, stored voicemails, texts, closed Facebook
posts, closed blog postings etc) would not be covered by this
legislation. If the drafting gives the impression that these things
could be accessed then the definitions should be revisited to
give public reassurance. Access to content should continue to
be regulated by other legislation and clearly prohibited in this
Bill.
154. The challenge of excluding content is exacerbated
by the fact that there is no clear consensus about precisely what
constitutes content in the internet age. When telephones were
the main generators of communications data, the definition of
content was clear: it was the words exchanged over the phone (never
saved by the CSP and only accessible if an intercept warrant was
granted); the voice message in voicemails (CSPs might have had
access to those that were stored on a voicemail platform and had
either not been listened to yet, or had been listened to and had
been saved for a few days) and in more recent times the text of
SMS messages (CSPs might have had access to those that were on
an SMS server awaiting delivery to a subscriber, or those that
had been delivered to a subscriber, but were still sitting on
the server). It was clear to everyone that these were content.
155. With internet based communications the line
between content and data is harder to draw. For example, when
a person subscribes to a social network they may be given the
option to fill in data fields that include their religious views,
sexual preferences, favourite TV shows etc. Do these data fields
really only include "data"? It is not just social networks
that raise this problem. It is also an issue for companies where
the provider provides more than communications services. The information
these companies hold on their customer management systems may
go far beyond what is thought of as communications data although
it may have been collected as customer data for non-communications
services. Taken to extremes, if a hotel were to be designated
as a CSP (because it allows guests to make calls from their bedrooms),
then all of the hotel booking information, pillow preferences
etc, could fall under the definition of "subscriber data".
As discussed in Chapter 4, we received evidence from those that
argued that web addresses, even those limited to information before
the first "/", were more akin to content than data.
156. The problems inherent in trying to define
content make it more important than ever that the legislation
clearly defines communications data and the various categories
which comprise it. One way to do this is more tightly to define
subscriber data as discussed below. Another is explicitly to exclude
content from every category of communications data.
THE DEFINITION OF COMMUNICATIONS DATA
157. The draft Bill uses the RIPA definition
of communications data. The definition has not changed, despite
the fact that communications technologies, and thus the types
of information held by providers, have significantly evolved.
The definition was developed at a time when telephony records
were considered to be of more immediate interest to investigators
than a person's usage of the internet. The language of the draft
Bill is peppered with references to telecommunications technologies.
The term 'Telecommunications Operator' is used to cover those
that provide internet services.
158. Several of our witnesses were concerned
about this approach. Vodafone's written evidence stated that "Clearly,
taking a pre-internet model and assuming it works in the internet
age isn't necessarily going to deliver a workable long-term solution".
Mark Hughes from BT made the case that new technologies make it
ever more important robustly to define the differences between
communications data and content.[103]
159. In relation to a telecommunications operator,
service or system (as opposed to a postal operator or service)
communications data is defined with reference to three categories:
traffic data, use data or subscriber data (see Box 8).
BOX 8: Definitions of Communications Data in the draft Bill
160. The definition of subscriber data is particularly
problematic because it is a catch-all for information that does
not fall into the other two categories. In the telephone age there
was a clear and finite amount of data that did not fit the criteria
for use or traffic data. In the internet age this is not so clear.
This point was made forcefully in the written evidence submitted
by JANET:
"The definition of "communications data"
in clauses 28(1) to 28(5) will extend much wider than the normal
meaning of that term (and the stated intention of the draft Bill)
when it is applied to organisations such as universities, webmail
and social network services, all of which appear to be included
in the current definition of "telecommunications operator".
"This is because "communications data"
is defined in clause 28(1) as the aggregate of "use data",
"traffic data" and "subscriber data". Clause
28(5) then defines "subscriber data" as "information
(other than traffic data or use data) held or obtained by a person
providing a telecommunications service about those to whom the
service is provided by that person". In other words "communications
data" will comprise all information held by the service provider
about the individuals who use the service. In the case of a university
or social network this would cover much more than is normally
considered subscriber or communications data: for example it would
include a student's academic record or a member of staff's personnel
file."
161. ISPA agreed:
"...the draft Bill defines 'subscriber data' as
"information (other than traffic data or use data) held or
obtained by a person providing a telecommunications service about
those to whom the service is provided by that person." Social
networks often ask their users for information about their gender,
religion, relationship status etc. which should not only be considered
as very personal information but is also information that is currently
not retained for law enforcement purposes."[104]
162. The potentially wide application of the
definition of subscriber data is particularly worrying given that
this data is considered to be the least intrusive of the three
data types. That was the intention when RIPA was drafted and the
Regulation of Investigatory Powers (Communications Data) Order
2010[105] reflects
this by providing that authorisations in respect of the acquisition
of subscriber data can be made in the case of a police force by
an inspector whilst authorisations to obtain use and/or traffic
data must be made by a superintendent. Clauses 17(2) and (3) of
the draft Bill provide an equivalent order-making power which
will permit the Secretary of State to provide a lower level of
authorisation for subscriber checks than for traffic data checks.
As Demos put it:
"The current legislation, the RIPA 2000, is
animated by the basic precept that the more possibly harmful the
interception, the fewer agencies should be authorised to access
and use the information, the narrower an acceptable justification
for such access should be, the tougher the oversight of the process
has to be."[106]
163. If this was the basic precept of RIPA, and
continues to be the precept of the draft Bill, then the definition
of subscriber data is not fit for purpose.
164. When we visited the law enforcement unit
at the Metropolitan Police we had the opportunity to talk to several
SPoCs about the communications data requests they see (see appendix
4). It was clear that the information sought under the heading
"subscriber data" is information similar to a reverse
directory check; it is information that links an individual to
an account. Law enforcement is not asking for the capability to
see the wide range of data that could potentially fall under the
current definition of subscriber data. The drafting of the Bill
is thus not reflecting either the needs of law enforcement or
the realities of new technologies and it is unnecessarily giving
rise to concerns about access to content.
165. If the definitions of subscriber, use and
traffic data are in need of review, what should be the way forward?
First, we refer back to the lack of consultation before the publication
of this draft Bill (see paragraphs 46-60). Industry, technical
experts, lawyers and civil liberties groups could all provide
valuable input into a revised definition but they were not given
the chance to do so. A consultation on the particular challenge
of defining communications data is needed.
166. Demos made a further suggestion about how
a revision of definitions could be approached:
"...we believe the following inter alia principles
could be useful to determine and measure the degree of privacy
intrusion of various communications data collected and used, and
thus the level at which it should be authorised, the list of acceptable
purposes, and appropriate level of oversight:
- Public attitudes about the extent
to which a certain type of communications data is private, and
level, and therefore how intrusive data collection is
- The risk of identifying details of an individual's
life, behaviour, beliefs, that they would reasonably consider
personal
- The risk of data being misused (i.e. used in
a way not set out by the legislation) or accessed by third parties,
either intentionally or not
- The context in which the data are being used
(i.e. whether to create aggregated, anonymous data sets or targeted
at individuals)."[107]
167. The language of RIPA
is out of date and should not be used as the basis of new legislation.
The Bill should be re-drafted with new definitions of communications
data. The challenge will lie in creating definitions that will
stand the test of time. There should be an urgent consultation
with industry on changing the definitions and making them relevant
to the year 2012.
168. The definitions of use,
subscriber and traffic data are particularly problematic. Subscriber
data should not be a catch-all for data that does not meet the
other definitions. Currently the definition of subscriber data
could be read to cover all sorts of data that social networks
and other services keep on their customers which can be highly
personal and is not traditionally thought of as communications
data. A new definition of subscriber data is needed that simply
covers the basic subscriber checks that are the most commonly
used. How to define subscriber data should be a key element of
the consultation, but the evidence we have received leads us to
suggest that the definition should include checks on the name,
date of birth, addresses and other contact information held on
the subscriber to a communication service; for each service the
customer's unique ID (e.g. mobile number, e-mail address or username);
the activation, suspension and termination dates of an account
and payment and billing information.
169. A new hierarchy of data
types needs to be developed. Data should be divided into categories
that reflect how intrusive each type of data is. The following
principles could be useful to determine and measure the degree
of privacy intrusion of communications data: public attitudes
about the extent to which a certain type of communications data
is private; the risk of identifying details of an individual's
life, behaviour, beliefs, that they would reasonably consider
personal; the risk of data being misused (i.e. used in a way not
set out by the legislation) or accessed by third parties, either
intentionally or not.
170. It is imperative that
everything is done to make clear that content cannot be requested
under the provisions of this legislation. Content is not defined
in the draft Bill. Although it may not be possible to define content
clearly beyond the fact that it is the "what" of a communication,
it is nevertheless important that the content should be expressly
excluded from all categories of communications data.
The authorisation process
171. Requests to access communications data are
currently subject to an internal authorisation process which was
described in some detail in Chapter 2. To briefly recap: every
application has to be authorised by a Designated Senior Officer
(DSO) from the organisation that is making the request. Before
the application reaches the DSO it is channelled through a Single
Point of Contact (SPoC) who is a trained expert, independent of
the investigation, who will advise the applicant and the DSO on
whether the application is necessary and proportionate, what collateral
damage may result and whether the communications data sought is
likely to be available.
172. On our visit to the Metropolitan Police
Central Intelligence Unit we saw in action the system which covers
the whole of the Metropolitan Police.[108]
We talked to some of the large number of SPoCs, and were impressed
by the high level of their training and the thoroughness with
which they considered each and every application. While SPoCs
do not authorise applications themselves we saw examples where
they referred applications back to the investigating officer on
the grounds that additional information was required before a
DSO could consider authorisation. We also spoke to several DSOs
who explained the detailed advice they receive from the SPoCs
on the necessity and proportionality of each application. Later
in our inquiry we took evidence from Detective Superintendent
Steve Higgins who is in charge of communications data training
at the National Policing Improvement Agency. He stated that SPoC
training was constantly being reviewed and updated[109]
and that SPoCs are trained to challenge more senior officers if
the communications data requests they submit are inappropriate[110].
173. We also saw the system from the other end
when we visited Everything Everywhere, one of the major recipients
of applications for communications data. They told us that the
requests which reached them almost invariably had been carefully
considered, and satisfied the statutory requirements.[111]
Virgin Media's written evidence stated: "The current regime
has strengths, particularly the Single Point of Contact System,
which provides an important framework for the relationship between
law enforcement authorities and CSPs." ISPA said: "We
believe that the current regime performs fairly well, in particular
the dedicated expertise in the Single Point of Contact System,
which has provided for an effective means of structuring the relationship
between law enforcement authorities and CSPs."[112]
174. Many police forces make frequent use of
the SPoC system, as do some other law enforcement agencies. Most
other designated authorities, in particular local authorities,
use it infrequently or only rarely by virtue of the fact that
they are not frequent users of communications data. Inevitably
the applicants are less familiar with the procedure, the SPoCs
less well trained and less experienced, and the DSOs act in that
capacity less often. This heightens the risk that errors may creep
in. Such risk can however be mitigated by the pooling of expertise.
Some of the smaller police forces have already joined together
with neighbouring forces to share their SPoC expertise. The National
Anti-Fraud Network (NAFN) provides SPoC services for many local
authorities. NAFN is an unincorporated, not for profit organisation
created and managed by local authorities to provide specialist
data and intelligence services. The IoCC's inspection team has
reported that "The Accredited SPoCs at NAFN are providing
an excellent service".[113]
175. Some of our witnesses suggested that the
internal authorisation procedure was not sufficiently independent
or robust and they argued that all or most applications for communications
data should be subject to judicial approval. For example Justice
stated that:
"JUSTICE considers that the administrative authorisation
procedure provided for in clauses 9 and 10 provide for inadequate
independent scrutiny of the need for access to data. These provisions
are largely modelled on RIPA. In Freedom from Suspicion, we explained
our view that prior judicial approval should be the default authorisation
mechanism for most surveillance activities, including access to
communications data. While it is no doubt true that senior members
of organisations are typically well-placed to supervise the operational
decisions of their subordinates, and more mindful of their ultimate
accountability to the public, it is also clear that senior and
junior members of the same organisation will inevitably share
an interest in achieving the necessary results."[114]
176. Liberty agreed:
"Liberty maintains that even if a designated
officer is not directly involved in an investigation it is entirely
unacceptable for public authorities to be able to self-authorise
access to revealing personal data, particularly when the access
regime is so broadly framed. Considerations of necessity and proportionality
should be assessed by a member of the judiciary who will be both
independent and adept at conducting the Article 8 balancing exercise.
We do not seek to impugn the integrity [of] senior employees of
our law enforcement agencies, but rather point out the reality
that their primary concern will relate to the operational capacity
of their agency. This is a matter of organisation culture and
is perfectly understandable, but it is also a reality which mitigates
in favour of independent third party authorisation."[115]
177. We explained in paragraph 135 how, following
some high profile cases where local authorities misused communications
data, the law was changed on 1 November so that authorisation
for a local authority to access communications data now needs
the approval of a magistrate. Civil liberties groups called for
this model to be extended to all public authorities.
178. We understand the principles behind these
views but we are not convinced that in reality a magistrate would
provide a tougher authorisation test than the current system.
Magistrates would not have access to the SPoC expertise to advise
them on the necessity and proportionality of each request. There
are also practical considerations; the sheer volume of communications
data requests would place a huge burden on the judiciary and a
judicial authorisation process would lead to delays in access
to communications data. Such delays could prove harmful to live
investigations. It is our view that the current internal authorisation
procedure is the right model. Having said that, there are ways
that the internal authorisation model could be strengthened.
179. The first step to strengthening the current
model is to ensure that the advice of an expert SPoC is always
sought. The SPoC system is an integral part of the RIPA request
process. The role is referred to in the Code of Practice for the
Acquisition and Disclosure of Communications Data (a statutory
code which was made pursuant to section 71(3) RIPA, brought into
force by the Regulation of Investigatory Powers (Acquisition
and Disclosure of Communications Data: Code of Practice) Order
2007).[116]
The Code sets out what amounts to best
practice which authorities are required to have regard to when
seeking communications data. The failure to adhere to the Code
of Practice would be taken into account by a court in any proceedings
against an authority for misuse of its powers to obtain data.
It is our view that the SPoC service should be made a statutory
requirement for all authorities which have access to communications
data.
180. The second step to strengthening the current
model is to encourage more pooling of SPoC resources along the
lines of the NAFN model. It should be obligatory that all local
authorities use the NAFN service and that other infrequent users
of communications data also use a centralised service.
181. The third step is to strengthen the inspection
regime. The public do not have confidence in the internal authorisation
model but if the inspections of the IoCC were more thorough and
the reports of the inspectors were more detailed then this could
build confidence.
182. Representatives from the police were keen
that more should be done to demonstrate how robust the current
system is. Detective Superintendent Allan Lyon told us "I
think the inspection process, which is independent and separate
from the police, may be an opportunity to develop some sort of
public communication programme that can reassure the public that
Greater Manchester Police treats this particular sensitive tactic
with the utmost respect and we deal with it in a very lawful and
transparent way".[117]
Sir Peter Fahy agreed "I think it is frustrating that the
public and some of the commentators do not seem to understand.
I regard it very, very seriously, because this is an important
capability. If there is any concern whatsoever from the public
that we are using this inappropriately, that would be a huge damage
to policing and a huge damage to victims of crime."[118]
183. The role of the Interception of Communications
Commissioner and his inspection regime are discussed in greater
detail in the next section.
184. The SPoC process should
be enshrined in primary legislation. A specialist centralised
SPoC service should be established modelled on the National Anti-Fraud
Network service which currently offers SPoC expertise to local
authorities. The Home Office should consider allowing police forces
to bid to run this service. This new service should be established
by statute, and all local authorities and other infrequent users
of communications data should be required to obtain advice from
this service.
185. In the case of local
authorities it should be possible for magistrates to cope with
the volume of work involved in approving applications for authorisation.
But we believe that if our recommendations are accepted and incorporated
into the Bill, they will provide a stronger authorisation test
than magistrates can.
186. Although approval by
magistrates of local authority authorisations is a very recent
change in the law, we think that if our recommendations are implemented
it will be unnecessary to continue with different arrangements
applying only to local authorities.
The Interception of Communications Commissioner
187. An additional safeguard was the creation
by section 57 of RIPA of the office of Interception of Communications
Commissioner (IoCC), one of whose duties is "to keep under
review ... the exercise and performance, by the persons on
whom they are conferred or imposed, of the powers and duties conferred
or imposed by or under Chapter II of Part I [of RIPA]". In
other words, he inspects the working of the system for access
to communications data to make sure that it is done entirely in
accordance with the statute, and makes recommendations for improvement
when errors occur. The purpose is to reassure the public that
intrusion is kept to a minimum and their privacy is respected
as far as is consistent with the aims of the legislation.
188. This is only one of the duties of the IoCC.
He also has to keep under review the Secretary of State's use
of interception warrants, the investigation of electronic data
protected by encryption, and the adequacy of the safeguards; and
he has undertaken to oversee the interception of the communications
of prisoners. Sir Paul Kennedy, the current Commissioner,[119]
gave us written and oral evidence. In addition, his annual report
for 2011[120]
contains a great deal of useful material and is more comprehensive
than earlier reports.
189. The annual report explains that where a
public authority has submitted only a small number of communications
data applications "it is likely that they will all be examined".
Public authorities which make only a handful of requests every
year, or perhaps only in some years, inevitably have
less experience of the system and are more likely to make errors.[121]
We do not know how a "small number" is defined, or how
likely it is that they will be examined. The example Sir Paul
gave was that "when my inspectors go to a small user who
has made seven applications, and that would be quite a lot
sometimes, for data over the last two years, they inspect
them all, so there is no question there of any type of sampling."[122]
We would prefer to be assured that in the case of every authority
submitting fewer than, say, 100 applications a year, they were
all routinely examined.
190. For the remainder of the half million requests
made during 2011 the inspectors can only select a random sample
and check that they have been dealt with strictly in accordance
with the Act and the Code of Practice. It is clear from the annual
report that inspections of the main law enforcement authorities
find only a very small proportion of errors, though a small
proportion of half a million is still a significant number. And,
as we have shown in Chapter 4, the proportion of errors made by
local authorities is twenty times the average of other public
authorities.
191. It is not only the public authorities which
make errors. The annual report shows that in two cases a CSP disclosed
incorrect data in response to a request, the police took action
on the basis of this data, and members of the public were wrongly
detained and accused of crimes.
192. We think it a fair summary of Sir Paul's
evidence to say that in his view the system is broadly working
well, that comparatively few errors are made, that only a few
of these are serious, and that his inspectors do a thorough job
through which they can discover where the system is failing, and
make recommendations to put this right which are followed. However,
one of the purposes of the inspections is to reassure the public,
and the evidence is that they are not reassured. The written evidence
of Caspar Bowden contains lengthy and detailed criticisms of the
role of the IoCC and the way his role is discharged. The view
of Angela Patrick, the Human Rights Officer of JUSTICE, was that
the inspectors were looking mainly at factual compliance, but
that "the Commissioner either does not see looking at necessity
and proportionality as a core part of his role or, alternatively,
they [the inspectors] simply do not have the expertise or the
resources to be able to apply that kind of balance."[123]
193. The IoCC does not explain in his annual
report how his team assess necessity and proportionality. Sir
Paul told us that in his view it was not possible to develop a
formula, but he believed it was something that is easy to assess
when looking at individual cases.[124]
Several civil liberties campaigners were concerned about this
apparent lack of transparency. Caspar Bowden asked: "What
does the IoCC consider "necessary and proportionate"?
Under the UK regime, almost all jurisprudence about interception
and communications data takes place invisibly within the cranium
of the IoCC, and almost nowhere else".[125]
The Open Rights Group stated that the lack of concrete information
illustrating what is and is not judged acceptable raises questions
about the spirit of ECHR compliance.[126]
194. We accept that these concepts are not easy
to define. We believe that it would at the very least be helpful
if the IoCC, rather than simply saying in his annual report that
"my inspectors seek to ensure ... that the disclosure ...
required was necessary and proportionate to the task in hand",
could give examples of where they have thought that this test
was satisfied, and where they believe it was not.
195. For these inspections the IoCC is assisted
by a chief inspector, five inspectors and two administrative staff,
who also have to support the IoCC in his other duties. Section
57(7) of RIPA requires the Secretary of State to provide the Commissioner
with "such staff as are sufficient to make sure that the
Commissioner is able properly to carry out his functions".
Clearly, there is no way in which a staff of six inspectors can
scrutinise the exercise and performance of the system for accessing
communications data in a way which will reassure the public. The
numbers must be increased at least to a level where they can fully
scrutinise each public authority every year, and carry out a full
scrutiny of those that only rarely make use of the system.
196. The IoCC should carry
out a full review of each of the large users of communications
data every year. While sampling is acceptable as a way of dealing
with large users, the requests of users making fewer than 100
applications in a year should be checked individually. The annual
report of the IoCC should include more detail, including statistics,
about the performance of each public authority and the criteria
against which judgments are made about performance. It should
analyse how many communications data requests are made for each
permitted purpose. For this the IoCC will need substantial additional
resources, both as to numbers and as to technical expertise. There
should be full consultation with him on this. His role should
be given more publicity.
197. The IoCC's brief should
explicitly cover the need to provide advice and guidance on proportionality
and necessity, and there should be rigorous testing of, and reporting
on, the proportionality and necessity of requests made.
198. Sir Paul Kennedy told us that he had yet
to be given enough information about the Request Filter fully
to understand his new responsibilities for operating it, but that
he expected it would need new expertise within his office:
"So far as the second part of what is envisaged
is concerned, that is the filtering side of the operation, I think, and
I am only guessing here because we have not yet got anything in
place against which you can run the tests, that will require
a degree of expertise that at the moment we do not have in-house.
For that purpose it may well be necessary to recruit someone with
an IT background, either on a full-time or a part-time or a consultancy
basis, to discharge the obligation that is placed upon the commissioner
by the Bill if it becomes law."[127]
199. The IoCC will be key
to public confidence in the Request Filter. The IoCC will need
the necessary expertise properly to examine the operation of the
Request Filter. He will have to report on the scale of searches
via the Request Filter and rigorously test the necessity and proportionality
of requests put to the Filter. All this information should be
included in the public section of his annual report so that if
there are any signs that the Filter is resulting in more intrusive
requests Parliament can review the legislation.
The Information Commissioner
200. As in the case of the IoCC, oversight by
the Information Commissioner is intended to be one of the safeguards
which ensure that the powers under the draft Bill are not misused
or abused. The only provision of the draft Bill imposing obligations
on the Information Commissioner is clause 22(5):
"(5) The Information Commissioner must keep
under review the operation of
(a) sections 3 and 6 of this Act, and
(b) any provisions in an order under section 1 of
this Act which relate to the security of communications data held
by telecommunications operators."
201. Clause 3 imposes on telecommunications operators
a duty to secure the quality, security and protection of data,
and to protect its integrity; clause 6 provides for the destruction
of data "in such a way that it can never be retrieved" - a
problem we deal with later in this chapter. Clause 1 we have dealt
with in the previous chapter.
202. Christopher Graham, the Information Commissioner,
had this to say about his duties under paragraph (a): "It
is not clear what the duty to 'keep under review' the operation
of sections 3 and 6 is meant to achieve in practice ... If the
intention is for the Information Commissioner to play an active
role in inspecting and then assessing whether safeguards are being
adhered to in practice then this wording falls short of achieving
the desired objective. The Information Commissioner's existing
powers to assess processing are also insufficient
[they]
fall short of the powers needed to undertake ongoing, effective
and proactive scrutiny of a telecommunications operator's activities
... It may be possible, with the close co-operation of telecommunications
operators and other relevant regulators, to build up an impression
of whether the provisions are being adhered to; but that might
only be of partial and limited value given the complex technical
nature of the proposals. It is hard to see that it would provide
the level of safeguard envisaged by those promoting this legislation
"[128]
It is clear that the Information Commissioner could not monitor
compliance with clauses 3 and 6 in the case of data kept overseas
by providers not based in the United Kingdom.
203. He was similarly perplexed about what he
was supposed to do in relation to clause 1, and how: "It
is not clear whether the details of the operators to whom these
notices are issued will be in the public domain or even available
to the Information Commissioner for his supervisory activities.
Not only does the Information Commissioner need the powers over
telecommunications operators and the resources necessary to provide
the oversight he is expected to deliver, he also needs a right
to receive relevant information from the Secretary of State."[129]
Notices under clause 1 will be secret.[130]
Whether they will be shown to the Information
Commissioner is not clear to him or to us.
204. We asked Mr Graham what the Home Office
had told him about these proposed additional duties. He replied:
"I have not heard from the Home Office whether
this is merely an expression of the responsibilities that the
Information Commissioner has anyway in relation to data protection
or whether something new and extra is envisaged, because if one
is going to be part of a framework of reassurance where safeguards
are built into the Bill, frankly it has to be more than aspiration.
I am told that I am to keep things under review, but I would like
to know how and with what."[131]
205. A little later he added:
"What I have not had is any discussions with
the Home Office about how the regime is expected to work. I did
not see the Bill. I saw the draft clauses that concern the Information
Commissioner I think the day before, possibly the week before.
I have had one telephone call with the Minister responsible since,
and that is it."[132]
206. We found it hard to understand how additional
duties could be imposed on the Information Commissioner without
first consulting him, asking him what duties he thought sensible
and feasible, whether he would be able to comply with them, and
what additional resources he might need to do so. We put this
to Home Office officials on 24 October, and Charles Farr replied:
"The Information Commissioner had seen the draft
clauses of the Bill which affected him in advance. He had a meeting
with the Minister; he had three hours with Richard going through
the detail of the legislation."[133]
207. As in the case of the consultation with
the CSPs, which we discussed in the preceding chapter, this evidence
appeared to contradict what the Information Commissioner had told
us. Subsequently however the Home Office agreed that the reference
to a "meeting" with the Minister was an error; this
was in fact a phone call following the publication of the draft
Bill. As to the draft clauses affecting him, the Information Commissioner
has told us in a letter of 6 November that he asked on 23 May
to see them in advance of a meeting on 31 May; his request was
refused, and it was only at that meeting that he was given a copy
of those clauses. He was sent a copy of the draft Bill the day
before it was published.
208. In a note sent to us subsequently the Home
Office suggested that the Information Commissioner's duties under
the draft Bill were little more than an extension of his duties
in relation to the Data Retention Directive under Regulation 6(2)
of the Data Retention (EC Directive) Regulations 2009, which states:
"It is the duty of the Information Commissioner, as the Supervisory
Authority designated for the purposes of Article 9 of the Data
Retention Directive, to monitor the application of the provisions
of these Regulations with respect to the security of stored data."
The Information Commissioner replied that his duties under the
Bill would be "on a different scale" and "more
challenging". He noted in particular the new requirement
to monitor the destruction of data in such a way that "it
can never be retrieved", which in his view will involve extensive
work needing additional specialist technical expertise.[134]
209. The Information Commissioner told us several
times that he would need additional resources for any duties imposed
on him, and that he had not been consulted on this.[135]
On 24 October, Charles Farr said: "We have consulted with
him. We believe that the sum is about £150,000, and that
it is affordable as part of the £1.8 billion."[136]
In his letter of 6 November Mr Graham said that the figure
of "about £150,000" was one he quoted in his phone
call to the Minister on 14 June. He added: "There has been
no consultation at all on resources. There has been no discussion
around a business plan, either the ICO's or the Home Office's.
The ICO has not been asked for a business plan and has not submitted
one, for the reasons I gave in my evidence."
210. In a note submitted to us on 9 November,
the Home Office said: "The Information Commissioner has provided
an estimate of £150,000 per year in additional costs for
meeting his responsibilities under the legislation. We are discussing
with him how he envisages carrying out his responsibilities (which
are largely the same as today) and the business case for the additional
costs. As with the Interception Commissioner, we will meet any
legitimate costs in meeting his responsibilities under the legislation."
211. These discussions would have been better
conducted at the beginning of the year rather than the end. What
is clear to us is that the Government has chosen to include in
a draft Bill which had a very long gestation a clause imposing
on the Information Commissioner additional duties, and that prior
to the publication of the Bill there was no consultation with
him about those duties, about the information he would need to
carry them out, about whether it would in fact be possible for
him to undertake those duties, about whether he would need further
powers, and about what extra resources he might need. If they
hoped that, by inserting this clause in this way, they would be
providing an additional safeguard which might allay concerns about
the draft Bill, we can only say that they were mistaken.
212. Clause 22(5) should
be reviewed. If the Government believe that additional safeguards
can be provided by the Information Commissioner, they should undertake
detailed discussions with him as to what such safeguards might
be, how they might be undertaken, and what additional powers and
resources he might need. The Bill should make clear that the Information
Commissioner will need to be shown all notices issued under clause
1.
Other surveillance commissioners
213. The Information Commissioner sent us what
he described as a draft of a Surveillance Road Map.[137]
It sets out all the United Kingdom surveillance legislation, and
lists the roles and responsibilities of the Commissioners who
regulate surveillance in the United Kingdom:
- Information Commissioner;
- Interception of Communications Commissioner;
- Chief Surveillance Commissioner, overseeing the
use of covert surveillance, so that his role overlaps to some
extent with oversight of intrusive and directed surveillance under
RIPA, and with the Information Commissioner's powers under the
Data Protection Act 1998;
- Intelligence Services Commissioner;
- Investigatory Powers Tribunal, which can hear
complaints from individuals about interference under RIPA by public
bodies;
- Investigatory Powers Commissioner for Northern
Ireland;
- Surveillance Camera Commissioner and Biometric
Commissioner, both appointed under the Protection of Freedoms
Act 2012.
214. The Surveillance Road Map sets out the circumstances
where individuals can complain, and to whom, and the gaps that
still need to be filled by secondary legislation (in accordance
with the Protection of Freedoms Act).
215. The Information Commissioner referred to
the conclusion of the House of Commons Home Affairs Committee
"that there ought to be either a single privacy commissioner
or a sort of primus inter pares".[138]
He made the point that his responsibilities extend beyond data
protection to freedom of information, and so relate to both privacy
and open government. For this reason he asserted that his responsibilities
should not be altered. However, the seven other Commissioners
have been set up under a variety of statutes, and it does not
seem that much thought has been given to whether any new duties
could be carried out by a Commissioner already in existence, without
creating yet another. This does not strictly fall within our consideration
of the draft Bill, but we suggest that some thought should be
given to a merger of their powers and responsibilities.
216. Work should be done
to rationalise the number of commissioners with responsibility
for different areas of surveillance. This work should aim to simplify
the situation and make it easier for the public to understand,
while ensuring that all surveillance powers are subject to rigorous
oversight. Consideration should be given to a new unified Surveillance
Commission reporting to Parliament with multi-skilled investigators
and human rights and computer experts.
Security and destruction of data
217. The inevitable consequence of the draft
Bill is that a larger quantity of communications data will be
stored relating to a larger number of people. This makes it ever
more important to ensure that data can be stored securely and
disposed of permanently.
218. The draft Bill addresses storage and destruction
in several ways. Clause 1 allows a notice served on a CSP to provide
for the processing, retention or destruction of data. Clause 6
provides for the destruction of communications data at the end
of the retention period. The data must be destroyed in such a
way that it can never be retrieved. The deletion of data must
take place within a month of the end of the retention period.
219. Several of our witnesses questioned whether
it was possible to guarantee the safe storage and permanent destruction
of data. We took evidence from Glynn Wintle, an IT security expert
paid by companies to test the security of their systems, who stated
"From my personal experience of trying to break into systems,
you may find one person who does a really good job. If you gave
me 10 companies and said, "Pick one of them", I know
that I am going to get into one of them".[139]
Professor Sadie Creese questioned whether CSPs could guarantee
that they would be able to identify where data was physically
located in order to ensure it was stored and destroyed correctly:
"you may find that behind closed doors people in their evidence
will be willing to tell you that they do not always know where
everything is, do not know where some of this digital stuff has
moved to, and cannot absolutely guarantee to you that it has been
"destroyed", to use the language of the Bill."[140]
In fact none of the CSPs were willing to admit to this but Vodafone
did raise concerns about the requirement to destroy data so that
it can never be retrieved: "We also have concerns about the
requirement for an operator to destroy data "in such a way
that it can never be retrieved." "Never" is an
unrealistic requirement, because we are not in a position to determine
the state of the art in the future".[141]
220. Another concern was the cost of storage
and destruction. Glynn Wintle raised this: "I was quite surprised
that the Home Office did not talk about the cost of destroying
data when they talked about costs; they said that their biggest
costs were going to be on training. Getting rid securely of all
that data - destroying it - is a very nontrivial thing
to try to do, especially in the volumes that they will be dealing
with. Securing this data, likewise, is going to be an interesting
problem".[142]
221. One of the safeguards in the draft Bill
is that clause 22(5) places a duty on the Information Commissioner
to keep under review the operation of provisions relating to data
security and the destruction of data. Whether or not this safeguard
will be effective will depend on the powers and resources that
will be given to the Information Commissioner as discussed in
the previous section. Christopher Graham told us that in relation
to this specific duty "The first thing I would have to do
would be to employ specialist staff to complete this work, given
the complex and technical nature of what is being asked of us.
I will certainly need the compulsory audit powers under the Data
Protection Act to be able to take on that work. These are all
conversations that we need to have, but obviously the public will
need reassurance that the obligation to delete will be honoured
and there will not be a temptation on the part of communications
service providers having been asked to hang on to material that
they would not have hung on to in any other circumstances to do
something with it".[143]
He also called into question whether he would be able to ensure
that data can never be retrieved:
"The overarching concerns of the Information
Commissioner are how achievable the destruction envisaged in the
Bill is in practice and how he can keep under review the operation
of these requirements short of a power to inspect the relevant
information systems of operators to actually check that data is
no longer being retained.
Further, even if the Information Commissioner had
inspection and/or audit powers it would still be technically and
practically challenging for him to establish that data that have
supposedly been destroyed 'can never be retrieved'."
222. Security of data can
never be completely guaranteed; the higher the level of security,
the greater the cost. This legislation will require more to be
stored, and more to be stored overseas. It therefore increases
the risk of security breaches.
223. We consider that the
Home Office's cost estimates may underestimate the cost of security
and destruction. Since the cost of security and destruction will
ultimately be borne by the taxpayer, the Home Office will have
to carry out a careful cost/benefit analysis and obtain advice
and assurances from a wider body of experts than the companies
that stand to earn money from devising secure storage solutions.
Offence of misuse of communications data by a public authority
224. There is already a huge quantity of highly
personal data collected and potentially accessible by a large
number of individuals. The draft Bill would greatly increase opportunities
for misuse and abuse. The public needs to be reassured that appropriate
legislation is in place to provide both a deterrent and a punishment.
225. We agree with the Home Office that there
is no need for criminal offences to punish minor administrative
errors made by officials in public authorities while seeking to
acquire communications data. Where appropriate, disciplinary action
should suffice. But wilful or reckless conduct is another matter.
The Home Office believes that there are already enough offences
on the statute book to deal with this, including:
- Unauthorised access to computer
material, contrary to section 1 of the Computer Misuse Act 1990,
which carries a maximum sentence of two years' imprisonment;
- Unauthorised access with intent to commit another
offence, such as fraud, contrary to section 2 of the Computer
Misuse Act 1990, which carries a maximum sentence of five years'
imprisonment;
- Knowingly or recklessly obtaining, disclosing
or procuring the disclosure of personal data without the consent
of the data controller under section 55 of the Data Protection
Act 1998, which carries a maximum penalty of an unlimited fine
but not, at present, a custodial sentence;
- The common law offence of misconduct in public
office. It is committed when the office holder wilfully acts (or
fails to act) in a way that he knows is wrong and is calculated
to injure the public interest. The maximum penalty for this offence
is life imprisonment.
226. An unlimited fine for an offence under section
55 of the Data Protection Act 1998 is on the face of it a severe
penalty; but the Information Commissioner told us that in practice
it is "not a very scary provision".[144]
In evidence to the House of Commons Justice Committee on 13 September
2011 he explained that the going rate was a fine of £100
to £150, and that this was "simply not a deterrent".[145]
But the remedy is on the statute book, in the shape of section
77 of the Criminal Justice and Immigration Act 2008.[146]
Under section 77 the Secretary of State has power by order to
increase the penalty to allow a custodial penalty. Mr Graham told
us: "I have spent three years urging Parliamentary committees
to commence sections 77 and 78 of the Criminal Justice and Immigration
Act because it contains the power to impose a penalty up to and
including prison in serious offences."[147]
The House
of Commons Justice Committee recommended that the power under
section 77 of the Criminal Justice and Immigration Act 2008 should
be exercised "without further delay".[148]
Nearly a year later the Home Affairs Committee reached the same
conclusion.[149]
We agree
with the Information Commissioner and with both these Committees
that this power to allow custodial sentences to be imposed in
appropriate cases should be exercised without delay.
227. It has been suggested that the Government
may be awaiting the outcome of Lord Justice Leveson's inquiry.
Section 78 of the 2008 Act, which has not been brought into force,
would provide a specific defence for journalists in the case of
an offence under section 55 of the Data Protection Act, and the
two provisions are therefore connected. Unless the report of the
Leveson inquiry, which will be published just after we agree this
report, contains recommendations to the contrary, we see no reason
for further delay in the Secretary of State exercising her powers
under section 77 of the 2008 Act.
228. Even once these powers have been exercised,
we believe there is still a need for a specific offence aimed
at wilful or reckless conduct in relation to communication data.
We cannot tell whether the offences listed at paragraph 224 would
cover all such conduct, or whether the courts would deal with
such offences with sufficient severity. We believe the public
would be reassured to know that there was a specific offence on
the statute book which might act as a deterrent for such conduct,
and a punishment if and when it took place.
229. The draft Bill should
provide for wilful or reckless misuse of communications data to
be a specific offence punishable in appropriate cases by imprisonment.
102 Q 1144
103 Q 434
104 ISPA written evidence, para 29
105 S.I. 2010/480. This consolidates previous Orders but the position
as to acquisition of subscriber data remains unchanged.
106 Demos written evidence
107 Demos, supplementary written evidence
108 See Appendix 4.
109 Q 1108
110 Q 1113
111 See Appendix 5.
112 ISPA written evidence
113 Annual report of the IoCC 2011, July 2012, HC 496, page 39.
114 JUSTICE, written evidence, paragraph 28
115 Liberty written evidence, paragraph 73
116 SI 2007/2197
117 Q 1118
118 Q 1120
119 He will be retiring at the end of 2012. His successor will be
Sir Anthony May, also a former Lord Justice of Appeal.
120 July 2012, HC 296.
121 The Business Cases for access by public authorities show, for
example, that in the last 3 years the IPCC has made 42 requests,
the OFT has made 28 requests, HSE has made 26 requests, the Criminal
Cases Review Commission has made 2 requests, while the Food Standards
Agency and the Pensions Regulator have made none.
122 Q 662
123 Q 241
124 Q 668
125 Caspar Bowden written evidence
126 Open Rights Group written evidence
127 Q 672
128 Information Commissioner's written evidence, paragraphs 16-19
129 Information Commissioner's supplementary written evidence, 6 November
2012.
130 Peter Hill, Q 917
131 Q 694
132 Q 696
133 Q 859
134 Information Commissioner's supplementary written evidence, 6 November
2012.
135 QQ 694-700
136 Q 893
137 Not submitted as evidence to our inquiry and so not published
with the written evidence.
138 Q 694
139 Q 361
140 Q 360
141 Vodafone written evidence
142 Q 361
143 Q 700
144 Q 695
145 http://www.publications.parliament.uk/pa/cm201012/cmselect/cmjust/1473/11091302.htm
146 Section 77 came into force on the passing of the Act: see section
153(1).
147 Q 709
148 Ninth report, session 2010-2012, paragraph 9.
149 Fourth report, session 2012-2013, paragraph 47.