Draft Communications Data Bill - Draft Communications Data Bill Joint Committee


5  Safeguards

148.  The draft legislation includes various safeguards to ensure that the communications data regime operates safely and effectively with checks and balances. Some of these safeguards are not as strong or as clear as they could be.

Definitions of communications data

149.  We believe that one of the central safeguards is ensuring that the definitions in the draft Bill are clear and appropriate and do not raise the risk that communications data will include information other than what is really needed by law enforcement and other bodies.

THE DEFINITION OF CONTENT

150.  The Government has repeatedly assured us that nothing in the draft Bill will allow access to the content of a communication. The Home Secretary emphasised this point: "I am absolutely clear that the key data we want is the who, when, where and how. That is clear, and there is no intention of going beyond that into content or anything..."[102] There is nevertheless debate about whether the legislation ensures that content cannot be accessed.

151.  Clauses 1(4) and 9(5)(a) both explicitly prohibit the interception of communications in the course of their transmission. Content itself is never defined in the legislation, although it is referred to. The draft Bill's definition of "use data" explicitly excludes the content of a communication but the definitions of traffic and subscriber data have no similar exclusions (see Box 8).

152.  These drafting issues have given some of our witnesses the impression that traffic and subscriber data may include content. For example, JANET, a private data network that connects universities, colleges, research organisations and schools networks to each other and to the internet, stated in its written evidence that "Indeed since, unlike clause 28(4) defining use data, clause 28(5) does not exclude the content of communications, it appears that communications data would also include the content of all the user's messages that were held by the telecommunications operator".

153.  This illustrates a common fear. The content of user messages (e-mails, stored voicemails, texts, closed Facebook posts, closed blog postings etc) would not be covered by this legislation. If the drafting gives the impression that these things could be accessed then the definitions should be revisited to give public reassurance. Access to content should continue to be regulated by other legislation and clearly prohibited in this Bill.

154.  The challenge of excluding content is exacerbated by the fact that there is no clear consensus about precisely what constitutes content in the internet age. When telephones were the main generators of communications data, the definition of content was clear: it was the words exchanged over the phone (never saved by the CSP and only accessible if an intercept warrant was granted); the voice message in voicemails (CSPs might have had access to those that were stored on a voicemail platform and had either not been listened to yet, or had been listened to and had been saved for a few days) and in more recent times the text of SMS messages (CSPs might have had access to those that were on an SMS server awaiting delivery to a subscriber, or those that had been delivered to a subscriber, but were still sitting on the server). It was clear to everyone that these were content.

155.  With internet based communications the line between content and data is harder to draw. For example, when a person subscribes to a social network they may be given the option to fill in data fields that include their religious views, sexual preferences, favourite TV shows etc. Do these data fields really only include "data"? It is not just social networks that raise this problem. It is also an issue for companies where the provider provides more than communications services. The information these companies hold on their customer management systems may go far beyond what is thought of as communications data although it may have been collected as customer data for non-communications services. Taken to extremes, if a hotel were to be designated as a CSP (because it allows guests to make calls from their bedrooms), then all of the hotel booking information, pillow preferences etc, could fall under the definition of "subscriber data". As discussed in Chapter 4, we received evidence from those that argued that web addresses, even those limited to information before the first "/", were more akin to content than data.

156.  The problems inherent in trying to define content make it more important than ever that the legislation clearly defines communications data and the various categories which comprise it. One way to do this is more tightly to define subscriber data as discussed below. Another is explicitly to exclude content from every category of communications data.

THE DEFINITION OF COMMUNICATIONS DATA

157.  The draft Bill uses the RIPA definition of communications data. The definition has not changed, despite the fact that communications technologies, and thus the types of information held by providers, have significantly evolved. The definition was developed at a time when telephony records were considered to be of more immediate interest to investigators than a person's usage of the internet. The language of the draft Bill is peppered with references to telecommunications technologies. The term 'Telecommunications Operator' is used to cover those that provide internet services.

158.  Several of our witnesses were concerned about this approach. Vodafone's written evidence stated that "Clearly, taking a pre-internet model and assuming it works in the internet age isn't necessarily going to deliver a workable long-term solution". Mark Hughes from BT made the case that new technologies make it ever more important robustly to define the differences between communications data and content.[103]

159.  In relation to a telecommunications operator, service or system (as opposed to a postal operator or service) communications data is defined with reference to three categories: traffic data, use data or subscriber data (see Box 8).

BOX 8: Definitions of Communications Data in the draft Bill

160.  The definition of subscriber data is particularly problematic because it is a catch-all for information that does not fall into the other two categories. In the telephone age there was a clear and finite amount of data that did not fit the criteria for use or traffic data. In the internet age this is not so clear. This point was made forcefully in the written evidence submitted by JANET:

"The definition of "communications data" in clauses 28(1) to 28(5) will extend much wider than the normal meaning of that term (and the stated intention of the draft Bill) when it is applied to organisations such as universities, webmail and social network services, all of which appear to be included in the current definition of "telecommunications operator".

"This is because "communications data" is defined in clause 28(1) as the aggregate of "use data", "traffic data" and "subscriber data". Clause 28(5) then defines "subscriber data" as "information (other than traffic data or use data) held or obtained by a person providing a telecommunications service about those to whom the service is provided by that person". In other words "communications data" will comprise all information held by the service provider about the individuals who use the service. In the case of a university or social network this would cover much more than is normally considered subscriber or communications data: for example it would include a student's academic record or a member of staff's personnel file."

161.  ISPA agreed:

" the draft Bill defines 'subscriber data' as "information (other than traffic data or use data) held or obtained by a person providing a telecommunications service about those to whom the service is provided by that person." Social networks often ask their users for information about their gender, religion, relationship status etc. which should not only be considered as very personal information but is also information that is currently not retained for law enforcement purposes."[104]

162.  The potentially wide application of the definition of subscriber data is particularly worrying given that this data is considered to be the least intrusive of the three data types. That was the intention when RIPA was drafted and the Regulation of Investigatory Powers (Communications Data) Order 2010[105] reflects this by providing that authorisations in respect of the acquisition of subscriber data can be made in the case of a police force by an inspector whilst authorisations to obtain use and/or traffic data must be made by a superintendent. Clauses 17(2) and (3) of the draft Bill provide an equivalent order-making power which will permit the Secretary of State to provide a lower level of authorisation for subscriber checks than for traffic data checks. As Demos put it:

"The current legislation—the RIPA 2000—is animated by the basic precept that the more possibly harmful the interception, the fewer agencies should be authorised to access and use the information, the narrower an acceptable justification for such access should be, the tougher the oversight of the process has to be."[106]

163.  If this was the basic precept of RIPA, and continues to be the precept of the draft Bill, then the definition of subscriber data is not fit for purpose.

164.  When we visited the law enforcement unit at the Metropolitan Police we had the opportunity to talk to several SPoCs about the communications data requests they see (see appendix 4). It was clear that the information sought under the heading "subscriber data" is information similar to a reverse directory check: it is information that links an individual to an account. Law enforcement is not asking for the capability to see the wide range of data that could potentially fall under the current definition of subscriber data. The drafting of the Bill is thus not reflecting either the needs of law enforcement or the realities of new technologies and it is unnecessarily giving rise to concerns about access to content.

165.  If the definitions of subscriber, use and traffic data are in need of review, what should be the way forward? First, we refer back to the lack of consultation before the publication of this draft Bill (see paragraphs 46-60). Industry, technical experts, lawyers and civil liberties groups could all provide valuable input into a revised definition but they were not given the chance to do so. A consultation on the particular challenge of defining communications data is needed.

166.  Demos made a further suggestion about how a revision of definitions could be approached:

"...we believe the following inter alia principles could be useful to determine and measure the degree of privacy intrusion of various communications data collected and used, and thus the level at which it should be authorised, the list of acceptable purposes, and appropriate level of oversight:

  • Public attitudes about the extent to which a certain type of communications data is private, and level, and therefore how intrusive data collection is
  • The risk of identifying details of an individual's life, behaviour, beliefs, that they would reasonably consider personal
  • The risk of data being misused (i.e. used in a way not set out by the legislation) or accessed by third parties, either intentionally or not
  • The context in which the data are being used (i.e. whether to create aggregated, anonymous data sets or targeted at individuals)."[107]

167.  The language of RIPA is out of date and should not be used as the basis of new legislation. The Bill should be re-drafted with new definitions of communications data. The challenge will lie in creating definitions that will stand the test of time. There should be an urgent consultation with industry on changing the definitions and making them relevant to the year 2012.

168.  The definitions of use, subscriber and traffic data are particularly problematic. Subscriber data should not be a catch-all for data that does not meet the other definitions. Currently the definition of subscriber data could be read to cover all sorts of data that social networks and other services keep on their customers which can be highly personal and is not traditionally thought of as communications data. A new definition of subscriber data is needed that simply covers the basic subscriber checks that are the most commonly used. How to define subscriber data should be a key element of the consultation, but the evidence we have received leads us to suggest that the definition should include checks on the name, date of birth, addresses and other contact information held on the subscriber to a communication service; for each service the customer's unique ID (e.g. mobile number, e-mail address or username); the activation, suspension and termination dates of an account and payment and billing information.

169.  A new hierarchy of data types needs to be developed. Data should be divided into categories that reflect how intrusive each type of data is. The following principles could be useful to determine and measure the degree of privacy intrusion of communications data: public attitudes about the extent to which a certain type of communications data is private; the risk of identifying details of an individual's life, behaviour, beliefs, that they would reasonably consider personal; the risk of data being misused (i.e. used in a way not set out by the legislation) or accessed by third parties, either intentionally or not.

170.  It is imperative that everything is done to make clear that content cannot be requested under the provisions of this legislation. Content is not defined in the draft Bill. Although it may not be possible to define content clearly beyond the fact that it is the "what" of a communication, it is nevertheless important that the content should be expressly excluded from all categories of communications data.

The authorisation process

171.  Requests to access communications data are currently subject to an internal authorisation process which was described in some detail in Chapter 2. To briefly recap: every application has to be authorised by a Designated Senior Officer (DSO) from the organisation that is making the request. Before the application reaches the DSO it is channelled through a Single Point of Contact (SPoC) who is a trained expert, independent of the investigation, who will advise the applicant and the DSO on whether the application is necessary and proportionate, what collateral damage may result and whether the communications data sought is likely to be available.

172.  On our visit to the Metropolitan Police Central Intelligence Unit we saw in action the system which covers the whole of the Metropolitan Police.[108] We talked to some of the large number of SPoCs, and were impressed by the high level of their training and the thoroughness with which they considered each and every application. While SPoCs do not authorise applications themselves we saw examples where they referred applications back to the investigating officer on the grounds that additional information was required before a DSO could consider authorisation. We also spoke to several DSOs who explained the detailed advice they receive from the SPoCs on the necessity and proportionality of each application. Later in our inquiry we took evidence from Detective Superintendent Steve Higgins who is in charge of communications data training at the National Policing Improvement Agency. He stated that SPoC training was constantly being reviewed and updated[109] and that SPoCs are trained to challenge more senior officers if the communications data requests they submit are inappropriate[110].

173.  We also saw the system from the other end when we visited Everything Everywhere, one of the major recipients of applications for communications data. They told us that the requests which reached them almost invariably had been carefully considered, and satisfied the statutory requirements.[111] Virgin Media's written evidence stated: "The current regime has strengths, particularly the Single Point of Contact System, which provides an important framework for the relationship between law enforcement authorities and CSPs." ISPA said: "We believe that the current regime performs fairly well, in particular the dedicated expertise in the Single Point of Contact System, which has provided for an effective means of structuring the relationship between law enforcement authorities and CSPs."[112]

174.  Many police forces make frequent use of the SPoC system, as do some other law enforcement agencies. Most other designated authorities, in particular local authorities, use it infrequently or only rarely by virtue of the fact that they are not frequent users of communications data. Inevitably the applicants are less familiar with the procedure, the SPoCs less well trained and less experienced, and the DSOs act in that capacity less often. This heightens the risk that errors may creep in. Such risk can however be mitigated by the pooling of expertise. Some of the smaller police forces have already joined together with neighbouring forces to share their SPoC expertise. The National Anti-Fraud Network (NAFN) provides SPoC services for many local authorities. NAFN is an unincorporated, not for profit organisation created and managed by local authorities to provide specialist data and intelligence services. The IoCC's inspection team has reported that "The Accredited SPoCs at NAFN are providing an excellent service".[113]

175.  Some of our witnesses suggested that the internal authorisation procedure was not sufficiently independent or robust and they argued that all or most applications for communications data should be subject to judicial approval. For example Justice stated that:

"JUSTICE considers that the administrative authorisation procedure provided for in clauses 9 and 10 provide for inadequate independent scrutiny of the need for access to data. These provisions are largely modelled on RIPA. In Freedom from Suspicion, we explained our view that prior judicial approval should be the default authorisation mechanism for most surveillance activities, including access to communications data. While it is no doubt true that senior members of organisations are typically well-placed to supervise the operational decisions of their subordinates, and more mindful of their ultimate accountability to the public, it is also clear that senior and junior members of the same organisation will inevitably share an interest in achieving the necessary results."[114]

176.  Liberty agreed:

"Liberty maintains that even if a designated officer is not directly involved in an investigation it is entirely unacceptable for public authorities to be able to self-authorise access to revealing personal data, particularly when the access regime is so broadly framed. Considerations of necessity and proportionality should be assessed by a member of the judiciary who will be both independent and adept at conducting the Article 8 balancing exercise. We do not seek to impugn the integrity [of] senior employees of our law enforcement agencies, but rather point out the reality that their primary concern will relate to the operational capacity of their agency. This is a matter of organisation culture and is perfectly understandable, but it is also a reality which mitigates in favour of independent third party authorisation."[115]

177.  We explained in paragraph 135 how, following some high profile cases where local authorities misused communications data, the law was changed on 1 November so that authorisation for a local authority to access communications data now needs the approval of a magistrate. Civil liberties groups called for this model to be extended to all public authorities.

178.  We understand the principles behind these views but we are not convinced that in reality a magistrate would provide a tougher authorisation test than the current system. Magistrates would not have access to the SPoC expertise to advise them on the necessity and proportionality of each request. There are also practical considerations; the sheer volume of communications data requests would place a huge burden on the judiciary and a judicial authorisation process would lead to delays in access to communications data. Such delays could prove harmful to live investigations. It is our view that the current internal authorisation procedure is the right model. Having said that, there are ways that the internal authorisation model could be strengthened.

179.  The first step to strengthening the current model is to ensure that the advice of an expert SPoC is always sought. The SPoC system is an integral part of the RIPA request process. The role is referred to in the Code of Practice for the Acquisition and Disclosure of Communications Data (a statutory code which was made pursuant to section 71(3) RIPA, brought into force by the Regulation of Investigatory Powers (Acquisition and Disclosure of Communications Data: Code of Practice) Order 2007).[116] The Code sets out what amounts to best practice which authorities are required to have regard to when seeking communications data. The failure to adhere to the Code of Practice would be taken into account by a court in any proceedings against an authority for misuse of its powers to obtain data. It is our view that the SPoC service should be made a statutory requirement for all authorities which have access to communications data.

180.  The second step to strengthening the current model is to encourage more pooling of SPoC resources along the lines of the NAFN model. It should be obligatory that all local authorities use the NAFN service and that other infrequent users of communications data also use a centralised service.

181.  The third step is to strengthen the inspection regime. The public do not have confidence in the internal authorisation model but if the inspections of the IoCC were more thorough and the reports of the inspectors were more detailed then this could build confidence.

182.  Representatives from the police were keen that more should be done to demonstrate how robust the current system is. Detective Superintendent Allan Lyon told us "I think the inspection process, which is independent and separate from the police, may be an opportunity to develop some sort of public communication programme that can reassure the public that Greater Manchester Police treats this particular sensitive tactic with the utmost respect and we deal with it in a very lawful and transparent way".[117] Sir Peter Fahy agreed "I think it is frustrating that the public and some of the commentators do not seem to understand. I regard it very, very seriously, because this is an important capability. If there is any concern whatsoever from the public that we are using this inappropriately, that would be a huge damage to policing and a huge damage to victims of crime."[118]

183.  The role of the Interception of Communications Commissioner and his inspection regime are discussed in greater detail in the next section.

184.  The SPoC process should be enshrined in primary legislation. A specialist centralised SPoC service should be established modelled on the National Anti-Fraud Network service which currently offers SPoC expertise to local authorities. The Home Office should consider allowing police forces to bid to run this service. This new service should be established by statute, and all local authorities and other infrequent users of communications data should be required to obtain advice from this service.

185.  In the case of local authorities it should be possible for magistrates to cope with the volume of work involved in approving applications for authorisation. But we believe that if our recommendations are accepted and incorporated into the Bill, they will provide a stronger authorisation test than magistrates can.

186.  Although approval by magistrates of local authority authorisations is a very recent change in the law, we think that if our recommendations are implemented it will be unnecessary to continue with different arrangements applying only to local authorities.

The Interception of Communications Commissioner

187.  An additional safeguard was the creation by section 57 of RIPA of the office of Interception of Communications Commissioner (IoCC), one of whose duties is "to keep under review … the exercise and performance, by the persons on whom they are conferred or imposed, of the powers and duties conferred or imposed by or under Chapter II of Part I [of RIPA]". In other words, he inspects the working of the system for access to communications data to make sure that it is done entirely in accordance with the statute, and makes recommendations for improvement when errors occur. The purpose is to reassure the public that intrusion is kept to a minimum and their privacy is respected as far as is consistent with the aims of the legislation.

188.  This is only one of the duties of the IoCC. He also has to keep under review the Secretary of State's use of interception warrants, the investigation of electronic data protected by encryption, and the adequacy of the safeguards; and he has undertaken to oversee the interception of the communications of prisoners. Sir Paul Kennedy, the current Commissioner,[119] gave us written and oral evidence. In addition, his annual report for 2011[120] contains a great deal of useful material and is more comprehensive than earlier reports.

189.  The annual report explains that where a public authority has submitted only a small number of communications data applications "it is likely that they will all be examined". Public authorities which make only a handful of requests every year—or perhaps only in some years—inevitably have less experience of the system and are more likely to make errors.[121] We do not know how a "small number" is defined, or how likely it is that they will be examined. The example Sir Paul gave was that "when my inspectors go to a small user who has made seven applications—and that would be quite a lot sometimes—for data over the last two years, they inspect them all, so there is no question there of any type of sampling."[122] We would prefer to be assured that in the case of every authority submitting fewer than, say, 100 applications a year, they were all routinely examined.

190.  For the remainder of the half million requests made during 2011 the inspectors can only select a random sample and check that they have been dealt with strictly in accordance with the Act and the Code of Practice. It is clear from the annual report that inspections of the main law enforcement authorities find only a very small proportion of errors—though a small proportion of half a million is still a significant number. And, as we have shown in Chapter 4, the proportion of errors made by local authorities is twenty times the average of other public authorities.

191.  It is not only the public authorities which make errors. The annual report shows that in two cases a CSP disclosed incorrect data in response to a request, the police took action on the basis of this data, and members of the public were wrongly detained and accused of crimes.

192.  We think it a fair summary of Sir Paul's evidence to say that in his view the system is broadly working well, that comparatively few errors are made, that only a few of these are serious, and that his inspectors do a thorough job through which they can discover where the system is failing, and make recommendations to put this right which are followed. However, one of the purposes of the inspections is to reassure the public, and the evidence is that they are not reassured. The written evidence of Caspar Bowden contains lengthy and detailed criticisms of the role of the IoCC and the way his role is discharged. The view of Angela Patrick, the Human Rights Officer of JUSTICE, was that the inspectors were looking mainly at factual compliance, but that "the Commissioner either does not see looking at necessity and proportionality as a core part of his role or, alternatively, they [the inspectors] simply do not have the expertise or the resources to be able to apply that kind of balance."[123]

193.  The IoCC does not explain in his annual report how his team assess necessity and proportionality. Sir Paul told us that in his view it was not possible to develop a formula, but he believed it was something that is easy to assess when looking at individual cases.[124] Several civil liberties campaigners were concerned about this apparent lack of transparency. Caspar Bowden asked: "What does the IoCC consider "necessary and proportionate"? Under the UK regime, almost all jurisprudence about interception and communications data takes place invisibly within the cranium of the IoCC, and almost nowhere else".[125] The Open Rights Group stated that the lack of concrete information illustrating what is and is not judged acceptable raises questions about the spirit of ECHR compliance.[126]

194.  We accept that these concepts are not easy to define. We believe that it would at the very least be helpful if the IoCC, rather than simply saying in his annual report that "my inspectors seek to ensure … that the disclosure required was necessary and proportionate to the task in hand", could give examples of where they have thought that this test was satisfied, and where they believe it was not.

195.  For these inspections the IoCC is assisted by a chief inspector, five inspectors and two administrative staff, who also have to support the IoCC in his other duties. Section 57(7) of RIPA requires the Secretary of State to provide the Commissioner with "such staff as are sufficient to make sure that the Commissioner is able properly to carry out his functions". Clearly, there is no way in which a staff of six inspectors can scrutinise the exercise and performance of the system for accessing communications data in a way which will reassure the public. The numbers must be increased at least to a level where they can fully scrutinise each public authority every year, and carry out a full scrutiny of those that only rarely make use of the system.

196.  The IoCC should carry out a full review of each of the large users of communications data every year. While sampling is acceptable as a way of dealing with large users, the requests of users making fewer than 100 applications in a year should be checked individually. The annual report of the IoCC should include more detail, including statistics, about the performance of each public authority and the criteria against which judgments are made about performance. It should analyse how many communications data requests are made for each permitted purpose. For this the IoCC will need substantial additional resources, both as to numbers and as to technical expertise. There should be full consultation with him on this. His role should be given more publicity.

197.  The IoCC's brief should explicitly cover the need to provide advice and guidance on proportionality and necessity, and there should be rigorous testing of, and reporting on, the proportionality and necessity of requests made.

198.  Sir Paul Kennedy told us that he had yet to be given enough information about the Request Filter fully to understand his new responsibilities for operating it, but that he expected it would need new expertise within his office:

"So far as the second part of what is envisaged is concerned, that is the filtering side of the operation, I think—and I am only guessing here because we have not yet got anything in place against which you can run the tests—that will require a degree of expertise that at the moment we do not have in-house. For that purpose it may well be necessary to recruit someone with an IT background, either on a full-time or a part-time or a consultancy basis, to discharge the obligation that is placed upon the commissioner by the Bill if it becomes law."[127]

199.  The IoCC will be key to public confidence in the Request Filter. The IoCC will need the necessary expertise properly to examine the operation of the Request Filter. He will have to report on the scale of searches via the Request Filter and rigorously test the necessity and proportionality of requests put to the Filter. All this information should be included in the public section of his annual report so that if there are any signs that the Filter is resulting in more intrusive requests Parliament can review the legislation.

The Information Commissioner

200.  As in the case of the IoCC, oversight by the Information Commissioner is intended to be one of the safeguards which ensure that the powers under the draft Bill are not misused or abused. The only provision of the draft Bill imposing obligations on the Information Commissioner is clause 22(5):

"(5) The Information Commissioner must keep under review the operation of—

(a) sections 3 and 6 of this Act, and

(b) any provisions in an order under section 1 of this Act which relate to the security of communications data held by telecommunications operators."

201.  Clause 3 imposes on telecommunications operators a duty to secure the quality, security and protection of data, and to protect its integrity; clause 6 provides for the destruction of data "in such a way that it can never be retrieved"—a problem we deal with later in this chapter. Clause 1 we have dealt with in the previous chapter.

202.  Christopher Graham, the Information Commissioner, had this to say about his duties under paragraph (a): "It is not clear what the duty to 'keep under review' the operation of sections 3 and 6 is meant to achieve in practice ... If the intention is for the Information Commissioner to play an active role in inspecting and then assessing whether safeguards are being adhered to in practice then this wording falls short of achieving the desired objective. The Information Commissioner's existing powers to assess processing are also insufficient … [they] fall short of the powers needed to undertake ongoing, effective and proactive scrutiny of a telecommunications operator's activities ... It may be possible, with the close co-operation of telecommunications operators and other relevant regulators, to build up an impression of whether the provisions are being adhered to; but that might only be of partial and limited value given the complex technical nature of the proposals. It is hard to see that it would provide the level of safeguard envisaged by those promoting this legislation…"[128] It is clear that the Information Commissioner could not monitor compliance with clauses 3 and 6 in the case of data kept overseas by providers not based in the United Kingdom.

203.  He was similarly perplexed about what he was supposed to do in relation to clause 1, and how: "It is not clear whether the details of the operators to whom these notices are issued will be in the public domain or even available to the Information Commissioner for his supervisory activities. Not only does the Information Commissioner need the powers over telecommunications operators and the resources necessary to provide the oversight he is expected to deliver, he also needs a right to receive relevant information from the Secretary of State."[129] Notices under clause 1 will be secret.[130] Whether they will be shown to the Information Commissioner is not clear to him or to us.

204.  We asked Mr Graham what the Home Office had told him about these proposed additional duties. He replied:

"I have not heard from the Home Office whether this is merely an expression of the responsibilities that the Information Commissioner has anyway in relation to data protection or whether something new and extra is envisaged, because if one is going to be part of a framework of reassurance where safeguards are built into the Bill, frankly it has to be more than aspiration. I am told that I am to keep things under review, but I would like to know how and with what."[131]

205.  A little later he added:

"What I have not had is any discussions with the Home Office about how the regime is expected to work. I did not see the Bill. I saw the draft clauses that concern the Information Commissioner I think the day before, possibly the week before. I have had one telephone call with the Minister responsible since, and that is it."[132]

206.  We found it hard to understand how additional duties could be imposed on the Information Commissioner without first consulting him, asking him what duties he thought sensible and feasible, whether he would be able to comply with them, and what additional resources he might need to do so. We put this to Home Office officials on 24 October, and Charles Farr replied:

"The Information Commissioner had seen the draft clauses of the Bill which affected him in advance. He had a meeting with the Minister; he had three hours with Richard going through the detail of the legislation."[133]

207.  As in the case of the consultation with the CSPs, which we discussed in the preceding chapter, this evidence appeared to contradict what the Information Commissioner had told us. Subsequently however the Home Office agreed that the reference to a "meeting" with the Minister was an error; this was in fact a phone call following the publication of the draft Bill. As to the draft clauses affecting him, the Information Commissioner has told us in a letter of 6 November that he asked on 23 May to see them in advance of a meeting on 31 May; his request was refused, and it was only at that meeting that he was given a copy of those clauses. He was sent a copy of the draft Bill the day before it was published.

208.  In a note sent to us subsequently the Home Office suggested that the Information Commissioner's duties under the draft Bill were little more than an extension of his duties in relation to the Data Retention Directive under Regulation 6(2) of the Data Retention (EC Directive) Regulations 2009, which states: "It is the duty of the Information Commissioner, as the Supervisory Authority designated for the purposes of Article 9 of the Data Retention Directive, to monitor the application of the provisions of these Regulations with respect to the security of stored data." The Information Commissioner replied that his duties under the Bill would be "on a different scale" and "more challenging". He noted in particular the new requirement to monitor the destruction of data in such a way that "it can never be retrieved", which in his view will involve extensive work needing additional specialist technical expertise.[134]

209.  The Information Commissioner told us several times that he would need additional resources for any duties imposed on him, and that he had not been consulted on this.[135] On 24 October, Charles Farr said: "We have consulted with him. We believe that the sum is about £150,000, and that it is affordable as part of the £1.8 billion."[136] In his letter of 6 November Mr Graham said that the figure of "about £150,000" was one he quoted in his phone call to the Minister on 14 June. He added: "There has been no consultation at all on resources. There has been no discussion around a business plan, either the ICO's or the Home Office's. The ICO has not been asked for a business plan and has not submitted one, for the reasons I gave in my evidence."

210.  In a note submitted to us on 9 November, the Home Office said: "The Information Commissioner has provided an estimate of £150,000 per year in additional costs for meeting his responsibilities under the legislation. We are discussing with him how he envisages carrying out his responsibilities (which are largely the same as today) and the business case for the additional costs. As with the Interception Commissioner, we will meet any legitimate costs in meeting his responsibilities under the legislation."

211.  These discussions would have been better conducted at the beginning of the year rather than the end. What is clear to us is that the Government has chosen to include in a draft Bill which had a very long gestation a clause imposing on the Information Commissioner additional duties, and that prior to the publication of the Bill there was no consultation with him about those duties, about the information he would need to carry them out, about whether it would in fact be possible for him to undertake those duties, about whether he would need further powers, and about what extra resources he might need. If they hoped that, by inserting this clause in this way, they would be providing an additional safeguard which might allay concerns about the draft Bill, we can only say that they were mistaken.

212.  Clause 22(5) should be reviewed. If the Government believe that additional safeguards can be provided by the Information Commissioner, they should undertake detailed discussions with him as to what such safeguards might be, how they might be undertaken, and what additional powers and resources he might need. The Bill should make clear that the Information Commissioner will need to be shown all notices issued under clause 1.

Other surveillance commissioners

213.  The Information Commissioner sent us what he described as a draft of a Surveillance Road Map.[137] It sets out all the United Kingdom surveillance legislation, and lists the roles and responsibilities of the Commissioners who regulate surveillance in the United Kingdom:

  • Information Commissioner;
  • Interception of Communications Commissioner;
  • Chief Surveillance Commissioner, overseeing the use of covert surveillance, so that his role overlaps to some extent with oversight of intrusive and directed surveillance under RIPA, and with the Information Commissioner's powers under the Data Protection Act 1998;
  • Intelligence Services Commissioner;
  • Investigatory Powers Tribunal, which can hear complaints from individuals about interference under RIPA by public bodies;
  • Investigatory Powers Commissioner for Northern Ireland;
  • Surveillance Camera Commissioner and Biometric Commissioner, both appointed under the Protection of Freedoms Act 2012.

214.  The Surveillance Road Map sets out the circumstances where individuals can complain, and to whom, and the gaps that still need to be filled by secondary legislation (in accordance with the Protection of Freedoms Act).

215.  The Information Commissioner referred to the conclusion of the House of Commons Home Affairs Committee "that there ought to be either a single privacy commissioner or a sort of primus inter pares".[138] He made the point that his responsibilities extend beyond data protection to freedom of information, and so relate to both privacy and open government. For this reason he asserted that his responsibilities should not be altered. However, the seven other Commissioners have been set up under a variety of statutes, and it does not seem that much thought has been given to whether any new duties could be carried out by a Commissioner already in existence, without creating yet another. This does not strictly fall within our consideration of the draft Bill, but we suggest that some thought should be given to a merger of their powers and responsibilities.

216.  Work should be done to rationalise the number of commissioners with responsibility for different areas of surveillance. This work should aim to simplify the situation and make it easier for the public to understand, while ensuring that all surveillance powers are subject to rigorous oversight. Consideration should be given to a new unified Surveillance Commission reporting to Parliament with multi-skilled investigators and human rights and computer experts.

Security and destruction of data

217.  The inevitable consequence of the draft Bill is that a larger quantity of communications data will be stored relating to a larger number of people. This makes it ever more important to ensure that data can be stored securely and disposed of permanently.

218.  The draft Bill addresses storage and destruction in several ways. Clause 1 allows a notice served on a CSP to provide for the processing, retention or destruction of data. Clause 6 provides for the destruction of communications data at the end of the retention period. The data must be destroyed in such a way that it can never be retrieved. The deletion of data must take place within a month of the end of the retention period.

219.  Several of our witnesses questioned whether it was possible to guarantee the safe storage and permanent destruction of data. We took evidence from Glynn Wintle, an IT security expert paid by companies to test the security of their systems, who stated "From my personal experience of trying to break into systems, you may find one person who does a really good job. If you gave me 10 companies and said, 'Pick one of them', I know that I am going to get into one of them".[139] Professor Sadie Creese questioned whether CSPs could guarantee that they would be able to identify where data was physically located in order to ensure it was stored and destroyed correctly: "you may find that behind closed doors people in their evidence will be willing to tell you that they do not always know where everything is, do not know where some of this digital stuff has moved to, and cannot absolutely guarantee to you that it has been 'destroyed', to use the language of the Bill."[140] In fact none of the CSPs were willing to admit to this but Vodafone did raise concerns about the requirement to destroy data so that it can never be retrieved: "We also have concerns about the requirement for an operator to destroy data 'in such a way that it can never be retrieved.' 'Never' is an unrealistic requirement, because we are not in a position to determine the state of the art in the future".[141]

220.  Another concern was the cost of storage and destruction. Glynn Wintle raised this: "I was quite surprised that the Home Office did not talk about the cost of destroying data when they talked about costs; they said that their biggest costs were going to be on training. Getting rid securely of all that data—destroying it—is a very nontrivial thing to try to do, especially in the volumes that they will be dealing with. Securing this data, likewise, is going to be an interesting problem".[142]

221.  One of the safeguards in the draft Bill is that clause 22(5) places a duty on the Information Commissioner to keep under review the operation of provisions relating to data security and the destruction of data. Whether or not this safeguard will be effective will depend on the powers and resources that will be given to the Information Commissioner as discussed in the previous section. Christopher Graham told us that in relation to this specific duty "The first thing I would have to do would be to employ specialist staff to complete this work, given the complex and technical nature of what is being asked of us. I will certainly need the compulsory audit powers under the Data Protection Act to be able to take on that work. These are all conversations that we need to have, but obviously the public will need reassurance that the obligation to delete will be honoured and there will not be a temptation on the part of communications service providers having been asked to hang on to material that they would not have hung on to in any other circumstances to do something with it".[143] He also called into question whether he would be able to ensure that data can never be retrieved:

"The overarching concerns of the Information Commissioner are how achievable the destruction envisaged in the Bill is in practice and how he can keep under review the operation of these requirements short of a power to inspect the relevant information systems of operators to actually check that data is no longer being retained.

Further, even if the Information Commissioner had inspection and/or audit powers it would still be technically and practically challenging for him to establish that data that have supposedly been destroyed 'can never be retrieved'."

222.  Security of data can never be completely guaranteed; the higher the level of security, the greater the cost. This legislation will require more to be stored, and more to be stored overseas. It therefore increases the risk of security breaches.

223.  We consider that the Home Office's cost estimates may underestimate the cost of security and destruction. Since the cost of security and destruction will ultimately be borne by the taxpayer, the Home Office will have to carry out a careful cost/benefit analysis and obtain advice and assurances from a wider body of experts than the companies that stand to earn money from devising secure storage solutions.

Offence of misuse of communications data by a public authority

224.  There is already a huge quantity of highly personal data collected and potentially accessible by a large number of individuals. The draft Bill would greatly increase opportunities for misuse and abuse. The public needs to be reassured that appropriate legislation is in place to provide both a deterrent and a punishment.

225.  We agree with the Home Office that there is no need for criminal offences to punish minor administrative errors made by officials in public authorities while seeking to acquire communications data. Where appropriate, disciplinary action should suffice. But wilful or reckless conduct is another matter. The Home Office believes that there are already enough offences on the statute book to deal with this, including:

  • Unauthorised access to computer material, contrary to section 1 of the Computer Misuse Act 1990, which carries a maximum sentence of two years' imprisonment;
  • Unauthorised access with intent to commit another offence, such as fraud, contrary to section 2 of the Computer Misuse Act 1990, which carries a maximum sentence of five years' imprisonment;
  • Knowingly or recklessly obtaining, disclosing or procuring the disclosure of personal data without the consent of the data controller under section 55 of the Data Protection Act 1998, which carries a maximum penalty of an unlimited fine but not, at present, a custodial sentence;
  • The common law offence of misconduct in public office. It is committed when the office holder wilfully acts (or fails to act) in a way that he knows is wrong and is calculated to injure the public interest. The maximum penalty for this offence is life imprisonment.

226.  An unlimited fine for an offence under section 55 of the Data Protection Act 1998 is on the face of it a severe penalty; but the Information Commissioner told us that in practice it is "not a very scary provision".[144] In evidence to the House of Commons Justice Committee on 13 September 2011 he explained that the going rate was a fine of £100 to £150, and that this was "simply not a deterrent".[145] But the remedy is on the statute book, in the shape of section 77 of the Criminal Justice and Immigration Act 2008.[146] Under section 77 the Secretary of State has power by order to increase the penalty to allow a custodial penalty. Mr Graham told us: "I have spent three years urging Parliamentary committees to commence sections 77 and 78 of the Criminal Justice and Immigration Act because it contains the power to impose a penalty up to and including prison in serious offences."[147] The House of Commons Justice Committee recommended that the power under section 77 of the Criminal Justice and Immigration Act 2008 should be exercised "without further delay".[148] Nearly a year later the Home Affairs Committee reached the same conclusion.[149] We agree with the Information Commissioner and with both these Committees that this power to allow custodial sentences to be imposed in appropriate cases should be exercised without delay.

227.  It has been suggested that the Government may be awaiting the outcome of Lord Justice Leveson's inquiry. Section 78 of the 2008 Act, which has not been brought into force, would provide a specific defence for journalists in the case of an offence under section 55 of the Data Protection Act, and the two provisions are therefore connected. Unless the report of the Leveson inquiry, which will be published just after we agree this report, contains recommendations to the contrary, we see no reason for further delay in the Secretary of State exercising her powers under section 77 of the 2008 Act.

228.  Even once these powers have been exercised, we believe there is still a need for a specific offence aimed at wilful or reckless conduct in relation to communications data. We cannot tell whether the offences listed at paragraph 224 would cover all such conduct, or whether the courts would deal with such offences with sufficient severity. We believe the public would be reassured to know that there was a specific offence on the statute book which might act as a deterrent for such conduct, and a punishment if and when it took place.

229.  The draft Bill should provide for wilful or reckless misuse of communications data to be a specific offence punishable in appropriate cases by imprisonment.


102   Q 1144

103   Q 434

104   ISPA written evidence, para 29

105   S.I. 2010/480. This consolidates previous Orders but the position as to acquisition of subscriber data remains unchanged.

106   Demos written evidence

107   Demos, supplementary written evidence

108   See Appendix 4.

109   Q 1108

110   Q 1113

111   See Appendix 5.

112   ISPA written evidence

113   Annual report of the IoCC 2011, July 2012, HC 496, page 39.

114   JUSTICE, written evidence, paragraph 28

115   Liberty written evidence, paragraph 73

116   SI 2007/2197

117   Q 1118

118   Q 1120

119   He will be retiring at the end of 2012. His successor will be Sir Anthony May, also a former Lord Justice of Appeal.

120   July 2012, HC 296.

121   The Business Cases for access by public authorities show, for example, that in the last 3 years the IPCC has made 42 requests, the OFT has made 28 requests, HSE has made 26 requests, the Criminal Cases Review Commission has made 2 requests, while the Food Standards Agency and the Pensions Regulator have made none.

122   Q 662

123   Q 241

124   Q 668

125   Caspar Bowden written evidence

126   Open Rights Group written evidence

127   Q 672

128   Information Commissioner's written evidence, paragraphs 16-19

129   Information Commissioner's supplementary written evidence, 6 November 2012.

130   Peter Hill, Q 917

131   Q 694

132   Q 696

133   Q 859

134   Information Commissioner's supplementary written evidence, 6 November 2012.

135   QQ 694-700

136   Q 893

137   Not submitted as evidence to our inquiry and so not published with the written evidence.

138   Q 694

139   Q 361

140   Q 360

141   Vodafone written evidence

142   Q 361

143   Q 700

144   Q 695

145   http://www.publications.parliament.uk/pa/cm201012/cmselect/cmjust/1473/11091302.htm

146   Section 77 came into force on the passing of the Act: see section 153(1).

147   Q 709

148   Ninth report, session 2010-2012, paragraph 9.

149   Fourth report, session 2012-2013, paragraph 47.


 


© Parliamentary copyright 2012
Prepared 11 December 2012