Previous Section Back to Table of Contents Lords Hansard Home Page

Lord Goldsmith: My Lords, I am grateful to the noble Lord for giving me notice of his point and I shall take up his proposal with regard to advice. Others have heard his question and I shall come back to it with an answer.

The Countess of Mar: My Lords, while the noble and learned Lord is having a break, may I ask him whether he considers that the commissioner, who I understand has a staff of only four people and receives in the region of half a million inquiries every year, has sufficient capacity to deal with the work that he is expected to do?

Lord Goldsmith: My Lords, again, I shall take advice. However, I think the answer is that if the commissioner considers that he does not have adequate resources and staff to his job, then he will make that plain to the Government. I shall come back

13 Nov 2003 : Column 1532

to the noble Countess if I can give her any further information. Certainly no one has suggested heretofore that the commissioner will not be in a position properly to carry out his important functions, ones which the Government now want him to be able to exercise in relation to access to communications data, which is in part why we have brought forward this order.

I shall make an additional point. Whatever the commissioner may decide to do, anyone who thinks that their data have been wrongly acquired will have the right to go to the Investigatory Powers Tribunal. The Home Secretary has made it quite clear that the commissioner will have the resources he needs to carry out his duties effectively; that is, to report to Parliament and the public. That is the assurance given by the Home Secretary. It corresponds exactly with what I have just said in response to the noble Countess, Lady Mar.

All the public authorities listed in this order must follow the procedures set down in the code of practice on acquisition of communications data explaining the statutory provisions in detail. A draft code has been published, has completed a public consultation exercise, and exists in draft for public authorities to follow. Further, the draft code will be laid before Parliament for approval.

In addition, public authorities may develop their own guidance material to foster professional standards. The Association of Chief Police Officers, working with the Association of Chief Police Officers in Scotland and Customs and Excise, has developed a manual of standards for accessing communications data under the Regulation of Investigatory Powers Act. That manual has already been published.

There are further administrative safeguards. These include a "double lock" safeguard where the acquisition of certain types of data, such as itemised call records, by certain authorities is granted only after prior approval by the Interception of Communications Commissioner. He will determine which authorities should be subject to such additional approval.

Specialist training for public authorities will support the proficient and appropriate use of the provisions, building on that developed jointly with the communications service industry by the police service and Customs and Excise. The accreditation of trained officials and authorising officers will ensure that those with legitimate and necessary access to such information know the legal and technical issues, which provides another safeguard. Accreditation of authorised officers will also support the authentication of disclosure notices served upon communications service providers.

I have spelt out a number of the safeguards that are in or lie behind the draft order. The regulation it provides and the clarity it introduces is welcomed by public authorities; it is welcomed by the communications service industry; and it was broadly welcomed by the public in response to the consultation issued by the Government last summer.

13 Nov 2003 : Column 1533

The scope of the order is constrained by what primary legislation permits it may cover. I know that in Committee in another place and in various public meetings concerns were expressed about the order. I anticipate that noble Lords will raise some of those concerns today and it may be helpful to noble Lords if I indicate the Government's response to them. This will enable noble Lords who wish to speak to them to know in advance the Government's position.

As we understand it, the concerns do not relate to the principle of regulating public authorities' acquisition of communications data—I hope that no one will disagree with the proposition that that is highly desirable—or the enhanced protection that will be provided to an individual's human rights. The concerns are not about what the order will put in place but about the practical arrangements and how the legislation will work in practice.

Let me deal with those concerns, one of which relates to the so-called legacy powers. At the moment, various public authorities undertaking their statutory function use powers that they have already for compulsory disclosure of information—usually defined in terms of information not restricted to communications data—to acquire communications data. RIPA approves a regulated scheme for acquisition of communications data which is specifically designed to be compliant with the purposes permitted by the ECHR.

The public authorities have identified that they can best demonstrate their compliance with the Human Rights Act by using the new specific legislation—the RIPA legislation—rather than relying, as they do now, on the pre-Human Rights Act legislation that gives access to this range of information. I hope noble Lords will agree that that is a very important step to bring their acquisition of communications data within the specific, human rights-compliant, regulated scheme.

But it would not be right to repeal the legislation that is already in existence—which still provides powers for necessary and proportionate disclosure of other information—because, since the introduction of the Human Rights Act, public authorities have to exercise those powers, however they are expressed, in accordance with that Act.

There has been only one example subsequent to the coming into force of the Human Rights Act and the passage of the Regulation of Investigatory Powers Act where Parliament approved specific provision—in the Social Security Fraud Act—for benefit fraud investigators, primarily those in the Department for Work and Pensions, to acquire communications data. That is why the Department for Work and Pensions and the Social Security Agency in Northern Ireland are absent from the public authorities listed in the schedule to the order.

These bodies have a requirement to acquire communications data to prevent and detect benefit fraud, and they intend to exercise that requirement using the legislation that Parliament has relatively recently approved—and, as I said, since RIPA and the Human Rights Act were passed—for that specific purpose.

13 Nov 2003 : Column 1534

I turn now to the next issue: for what purpose may data be acquired? I hope I have made it clear, because it runs through all that I am saying, that the permitted purposes under the Act are derived directly from Article 8.2 of the European convention. In their consultation paper the Government invited views on whether public authorities' access to communications data under the Act could be restricted not only by purpose but also by function. Although the functions of some public authorities can be captured in a way that is meaningful in law, the functions of many others responsible for enforcing wide and diverse pieces of legislation cannot.

The Government have concluded that it is not necessary to restrict by function because, as I said to the noble Baroness, Lady Williams, public authorities which try to do something that is not within their statutory remit would be acting ultra vires. They would not be acting in accordance with the law as required by the European convention and they could not properly and lawfully do so.

I know that there is some concern about the definition of communications data within Section 21 of the 2000 Act. The definition was deliberately conceived to be technology neutral and, as my note puts it, durable in a time of very rapid technological advance. Noble Lords will not need to be reminded how quickly this area can and does change—new methods of technology seem to come on stream all the time—and it was important that the definition should be neutral as to the form of technology so that it would be a durable provision. Parliament approved that definition rather than a complex and technically precise menu of categories of data. Those who work with the legislation will interpret the statutory definition. There was a guide to interpretation included in the consultation paper and, where necessary, the courts will interpret the definition.

I know that there is a concern about the transfer overseas of communications data. That subject will be raised later in an amendment and, given the length of time that I have been on my feet, I will deal with it when we come to that particular aspect.

The order represents a significant move to ensure protection and to ensure a regulated system of things which are happening already.

I turn now to the two orders arising under the Anti-terrorism, Crime and Security Act—that is, the Retention of Communications Data (Code of Practice) Order and the Retention of Communications Data (Extension of Initial Period) Order. I apologise for having to withdraw and relay the order originally laid on 11th September 2003. This was due to human error as the reference under Article 2 of the initial order for the code of practice did not precisely replicate the title of the code.

Part 11 of the 2001 Act allows for the publication of the code of practice for the voluntary retention of communications data by the communication service providers. It is not about the retention of the content of communications—it is not about the content of telephone calls and e-mails—but about the retention of related communications data such as telephone

13 Nov 2003 : Column 1535

subscriber information, numbers dialled or addresses to which e-mails have been sent. It is, again, a vital tool in the investigation of terrorist incidents.

The purpose of the order is to bring into force the draft code of practice on the retention of communications data. The code relates to that information which is already kept by the communications service providers for their own business purposes. It does not require additional information to be stored. It sets out two matters: first, it identifies the kind of data that the Government would like to see retained by the communications service providers; secondly, it details the length of time for which they would like to see that data retained.

Terminologically, I should draw a distinction between "retention" and "preservation". "Data retention" means storage of everyone's communications data; "data preservation" relates to specific individuals—for example, those who are already under suspicion.

Past experience has shown that we are unlikely to know the identity of perpetrators of any attack at the time it takes place. Only painstaking investigative work after the event—which may depend upon identifying the communication trail of those who have committed such an outrage—will enable that to be done. The reason for the provision in the Act is the threat of terrorism. Regrettably, that threat is as clear and present today as it was when the Act was passed.

Sometimes this information may be the only piece of evidence that links a terrorist suspect to an attack. It may be available to identify any co-conspirator belonging to the same terrorist cell and ultimately it can provide clues as to how that cell links to others all over the world. There are many investigations in which the crucial steer for investigators has been communications data. I know that a number of issues have been raised about this—again, I will deal with them so far as they are raised by noble Lords.

Finally, the purpose of the Retention of Communications Data (Extension of Initial Period) Order is to extend the powers of the Secretary of State in Section 104 which would otherwise lapse on 14th December this year. It will extend those powers for a further two years. The powers in question allow the Secretary of State to give directions that he considers appropriate about the retention of communications data. Before using those powers, he must consult the communications service providers to whom it will apply.

The period of nearly two years between the passage of the Act and the presenting of the code to Parliament has been taken up with the consultative process required by the Act, but during that time the threat to the United Kingdom from terrorist activity has not diminished. This extension is necessary because by the time the voluntary code of practice has been in operation for three months and reviewed, the powers under Section 104 would have lapsed. It is essential that the Secretary of State should retain the ability to make such directions. I beg to move.

13 Nov 2003 : Column 1536

Moved, That the draft order laid before the House on 11th September be approved [28th Report from the Joint Committee].—(Lord Goldsmith.)


Baroness Blatch rose to move, as an amendment to the above Motion, to leave out all the words after "That" and insert "this House declines to approve the draft order laid before the House on 11th September".

The noble Baroness said: My Lords, I should like to take the opportunity to address all five orders and the associated amendments. I have to say that we regret that the retention orders have not been withdrawn and their inclusion on the Order Paper.

I thank the noble and learned Lord the Attorney-General for his speech, particularly as I believe he was posted in only last night to deal with these extremely complex orders.

These orders have had a chequered passage so far. The Home Office has not distinguished itself in the process. The parent Act for the amendments to the first three orders is, as Home Office officials and Ministers have admitted, flawed. Sadly, that means that many of our concerns that will be expressed during the course of this debate cannot properly be addressed without amendment of the primary Act. This is an issue which I hope the noble and learned Lord accepts requires urgent redress.

When these orders were produced last year, there was widespread concern about them—so much so, that the Secretary of State withdrew them. Unfortunately, when they were re-presented, they were hardly changed. When the Home Office was asked about this, officials replied that the time was used not to amend the orders but to improve the presentation of their case. Although some concerns have been allayed by the process of consultation, it still has to be recognised that the substance of the orders remains substantially unchanged from the text of a year ago, which earned the tag "snoopers charter".

The orders before us pose a huge dilemma. However, let me make one thing crystal clear right from the start. We do not underestimate the immense value of communications data in the fight against crime and terrorism. None of us on these Benches disputes that. Nor, in opposing these orders, are we seeking to obstruct or undermine the superb service that our agencies of law enforcement, especially the police, provide. Quite rightly, they have an expectation that they will be granted all appropriate means to safeguard our citizens.

We accept that some form of data retention should be part of their armoury, and we endorse the desirability, as expressed by law enforcement agencies, of having an effective system of data access in place as a matter of urgency. However, the Government's proposals in respect of data retention access justify what some have described as flawed legislation. That said, this House has a responsibility to ensure that what is enacted into law not only is fit for purpose but affords the ordinary citizen adequate protection—the more so, given the Human Rights Act.

13 Nov 2003 : Column 1537

I recognise that several problems are more relevant to primary legislation, aspects of which are to be found at the margins of these orders. We find the first order the least controversial. The arguments put during debate on these issues in another place, coupled with discussions I have had with the noble Viscount, Lord Colville of Culross, an Assistant Surveillance Commissioner, have eased my worries. However, could the noble and learned Lord provide the answer for the questions outstanding from another place which have yet to be answered? For example, can he comment on how the proposed regime in Ireland will differ from that in England, Wales and Scotland? Why was it that the powers given to the Northern Ireland Prison Service could not have been exercised through the Northern Ireland Police Service?

To comment generally on the communications data order and the directed surveillance order, I simply make the obvious point that the Joint Committee on Human Rights highlighted grave misgivings regarding the risk of,

    "undermining the proportionality of the statutory scheme".

In particular, we are profoundly concerned about the disparity between the requested retention of data under the anti-terrorism legislation and the retention orders for national security, and the access of this data using Clause 22(2) of RIPA for other purposes.

Linked with this is the idea that Parliament really needs to make a judgment about whether the level within each public authority at which authorisations for data access are determined are, in fact, appropriate to take the decision regarding whether the necessity and proportionality of individual requests are compliant with the Human Rights Act 1998 and the Data Protection Act. For example, should a team member of the Environment Agency have power to access forms of communication data or a service manager at a county or district council? Just as a matter of interest, will the noble and learned Lord tell me what a service manager is? Could it be the head of catering services of an LEA? Could it be the head of refuse collection at a district council? There is no qualification or definition of these posts.

The communications data order specifically extends the list of public authorities which will have access to data under RIPA. These bodies are, according to the Home Office, already accessing data using other statutory powers. This raises two questions for consideration: first, those using previous legislation are apparently accessing communications data under the definition of "information". There is some question as to whether the use of "information" in the 48 different Acts used to collect data would have been designed with communications data in mind.

The oldest Act on the list was enacted in 1930. There is no way that in 1930 Parliament could have envisaged the mobile phone and Internet system that we have now. Therefore, there is a very real question about whether the Home Office is exceeding its legislative

13 Nov 2003 : Column 1538

authority in applying an information rather than a communications data test to assess which public authorities should be included in the RIPA regime.

There is no provision to rescind any of the existing orders under RIPA when it comes into force. How crazy—the whole rationale for introducing this system was to replace the old, disparate system.

I understand but do not accept that other powers are tied up in the old laws so that they cannot be rescinded. The Home Office has made it perfectly clear to public authorities and communications service providers alike that RIPA is the only scheme to be used. Whatever the Home Secretary may say, as long as the legacy powers remain on the statute book, the Home Secretary has no power to prevent them being exercised legitimately and legally. That situation is unacceptable.

I support each of the amendments in the names of the noble Lord, Lord Lester, my noble friend Lord Northesk, and the noble Lord, Lord Phillips. They will speak in detail to their amendments, so I will be brief in my comments on them.

The noble Lord, Lord Lester, is rightly concerned about the interaction and tension between the working of the RIPA scheme and other statutes, particularly focusing on personal privacy.

In his amendment, my noble friend Lord Northesk addresses a real anomaly. If the new RIPA system is designed to be inclusive and bring in all the disparate bodies under one regulatory umbrella, it makes no sense whatever to leave on the outside the Department for Work and Pensions or the Northern Ireland social security office. Even, as my noble friend will argue, notwithstanding the Social Security Fraud Act 2001, nothing that the Home Office has said convinces me about the rationale of that anomaly.

The noble Lord, Lord Phillips, has raised an extremely important point—that a person could be adversely affected by the wilful and/or reckless abuse of the system. That issue requires remedy along the lines of the noble Lord's amendment.

The issue of oversight of the system is particularly crucial, and the Interception Commissioner has been particularly silent on his methods of oversight. That is yet another flaw to which the Home Office has admitted, arguing that it cannot pre-empt what the commissioner might want or need to fulfil his role with regards to RIPA. Yet we, in this House, are being asked to agree legislation without knowing what proper safeguards are in place.

Some of us heard at a gathering last week that there is little communication between the various commissioners who will have oversight of the RIPA scheme. Will the noble and learned Lord tell me what is being done to improve collaborative working between the different oversight bodies? I take it from what he has already said that there is an absolute commitment that the office of the Interception Commissioner and all oversight policing of the activities that we are discussing will be adequately funded to do a thoroughly effective job.

13 Nov 2003 : Column 1539

My amendments focus on the international dimension in the communications data order. This is a non-fatal amendment, as can be seen, exhorting the Government to consider an area linked to these issues, which I and various NGOs consider to have been sorely neglected. Much of the debate to date has focused on the necessary grounds listed under Section 22(2) of RIPA, under which data can be accessed, and the list of UK authorities which would be able to use RIPA to access communications data.

However, there are significant international dimensions to the policies, not least due to the disparity already mentioned between the ability to retain data for one purpose under the anti-terrorism order and the ability to access that data under RIPA for other purposes. The potential for overseas countries to access communications data via RIPA comes from both UK legislation and a range of international treaties. Part 1, chapter 1, Section 5 of RIPA allows, under a mutual assistance agreement, for the disclosure of interception and communications data, which may also be used for intelligence purposes.

I understand that under the EU Mutual Legal Assistance Convention, retained data will be shared across member states. That was decided originally on the grounds of international co-operation, since when there has been an EU/US international co-operation agreement, which allows for the sharing of communications data across the Atlantic. The recent Council of Europe Convention on Cybercrime also allows for mutual law enforcement assistance between nations. So far, 37 countries have signed the treaty, including ex-communist countries. Countries such as Armenia, Greece, Lithuania, Turkey, Estonia and Croatia have signed it. So, a Greek police officer could gain access to my communications data for whatever purpose he or she thinks fit. What safeguards are there in the Greek system to ensure that their requests are necessary and proportionate? What are the oversight safeguards in Croatia?

What authority do our public authorities have to assess any requests that they might channel on behalf of a foreign country? How are those making the requests identified? It has been suggested that a private investigator from, say, France or Turkey could make a request. Surely, that could break the necessity and proportionality conditions that the Government are so keen to impose. Even more chilling, can we be guaranteed that countries such as Zimbabwe would be denied access to communications data when their protection schemes leave much to be desired?

To my mind, it would be an international breach of Article 8 of the ECHR in respect of all 56 million citizens in the United Kingdom, an opinion supported in recent months and years by various sources. Groups such as Privacy International and the Foundation for Information Policy Research argue that the minimal standard of evidence and authentication required for the transfers could create dangers for many people in the United Kingdom. The current conditions for sharing communications data are such that the

13 Nov 2003 : Column 1540

transfer does not require the condition of dual criminality, and the grounds for the refusal to disclose are very limited.

Second to the USA, the UK is the most likely candidate to receive communications data requests from countries with which we have mutual legal assistance treaties. Therefore, the situation portrayed is one in which the current orders and the implementation of data retention would make communications data regarding UK citizens available to governments around the world, with little oversight or control. Data may be made available without regard to dual criminality, which may in turn be kept by foreign authorities as they see fit, and without guarantee that their data protection regime is sufficiently robust.

The Home Office has predicated the composition of the list of authorised bodies on equivalence between information and communications data. In pursuing that logically, any countries with which the UK has a tax treaty, in so far as those treaties contain information-gathering provisions, could have access to communications data about individuals within the UK. If the Minister argues that there is no difference between information and communications data, the Home Office cannot have it both ways. On one hand, it says that the reason why the legacy powers cannot be easily rescinded is because information-gathering involves more than merely access to communications data. However, the concern exists that some countries around the world could adopt the same logic and thereby gain access to communications data on any United Kingdom citizen.

I want to preface my comments on the data retention orders, for the avoidance of doubt and in order not to be misunderstood, by repeating that we agree with the need for a scheme that is properly regulated, as a tool against the fight against crime and terrorism. I also repeat that it should be introduced in a way to protect, that the legislation should be fit for purpose, and that safeguards protecting the British public should not be ignored. As the legislation stands, I am far from convinced that the Home Office has achieved that.

One can only say that the passage of the retention orders has been a chequered one. The code of practice order in particular has been chaotic. There is some doubt as to whether the order that has been published is consistent with the parent Act, Sections 102 and 103. Some of my colleagues believe that the code should have been laid before the order, but I leave that aside, as I do not believe it to be a very strong point to raise at this stage.

There has also been confusion about the availability of the code in the Printed Paper Office. We have been asking for it and were told that it was not there. Yesterday, it was there, and this morning we have been told that it has been there since 18th September. I simply say that that has caused very real confusion for those of us working on the orders.

13 Nov 2003 : Column 1541

The laying and relaying of the order has not helped. However—

12.15 p.m.

Lord Goldsmith: My Lords, given that the noble Baroness raised the question of the availability of the code, I should put it on record that the House authorities have made inquiries and are satisfied that the code was provided to the Printed Paper Office on 11th September, and has been available ever since.

Next Section Back to Table of Contents Lords Hansard Home Page