|Back to Table of Contents
|Lords Hansard Home Page
The Deputy Chairman of Committees (Baroness Gould of Potternewton): Before the Minister moves that the first order be considered, perhaps I may remind noble Lords that, in the case of each order, the Motion before the Committee will be that it do consider the order in question. The Motion to approve the order will be moved in the Chamber in the usual way.
The noble Lord said: The Private Security Industry Act 2001 provides for the regulation of the private security industry through the licensing of individual operatives working in the private security industry. At present, the licensing requirement applies only to England and Wales. In Scotland, licensing will become a requirement from 1 November 2007.
The main purpose of this order is to amend Schedule 2 to the 2001 Act to ensure that, in line with similar functions in England and Wales, certain prison- and police-related activities carried out in Scotland are not caught by the licensing requirement.
The order also makes a number of minor and technical amendments. The 2001 Act sets out certain types of activity for which an SIA licence is required. These activities, which are designated by orders made under Section 3(3) of the Act, are listed in Schedule 2. They include manned guarding, door supervision, the transport of cash and valuables, and key-holding. When licensing becomes compulsory in Scotland, from 1 November 2007, those activities will also be designated in respect of Scotland. Crown employees who hold office and undertake security activities, such as police officers and prison officers, are outside the scope of the 2001 Act.
However, the original legislation had the unforeseen effect of extending to security guards who undertook manned guarding activities while working under contract in prisons, in immigration centres, as prisoner escorts and in other similar areas under the control of the police and prison authorities. They were subsequently excluded in respect of England and Wales. Article 2 will ensure that the position is the same in Scotland.
Article 3 makes a minor, technical amendment. Article 4 ensures that the restriction and/or removal of vehicles is not caught by the licensing requirement
17 July 2007 : Column GC2
Paragraphs (2) and (5) of Article 5 bring the position in Scotland into line with that in England and Wales to ensure that the door supervision requirements apply to licensed premises only when alcohol or entertainment is being provided. Article 5(3) is intended to establish beyond doubt that licensable security activities in respect of cash and valuables in transit and close protection are not caught by the door supervision requirements. It applies to all areas.
Article 5(4) avoids potential problems caused by an incorrect paragraph number used in a similar amendment made by the Gambling Act 2005. The amendment makes it clear that casinos and bingo halls do not fall under the door supervision requirements in addition to requiring a premises licence under the Gambling Act.
Once the order is passed, implementation of the licensing requirement in Scotland will require an order made by the Scottish Parliament applying the offence provisions of the Act to Scotland from 1 November 2007.
Moved, That the Grand Committee do report to the House that it has considered the Private Security Industry Act 2001 (Amendments to Schedule 2) Order 2007. 19th report from the Statutory Instruments Committee.(Lord Bassam of Brighton.)
Viscount Bridgeman: I thank the Minister for his explanation of the order, which, as he explained, is intended largely to bring the legislation in Scotland into line with that of England and Wales. I would welcome his assurance that the order is, as the Government said, appropriate and proportionate both in England and Wales and in Scotland. My party did not oppose the Act when it was brought into force, and I would welcome the Ministers assurance that the Government have in mind not to penalise excessively the smaller businesses in this industry. We have no other objections to the measure.
Lord Dholakia: I add my thanks to the Minister for his explanation of the order. Like the noble Viscount, Lord Bridgeman, I want to ask whether it is appropriate and proportionate. The second and only other query that I have is why there is an exception for casinos under Article 5(4).
Lord Bassam of Brighton: I am grateful to both noble Lords for their kind comments of welcome to this order. The noble Viscount, Lord Bridgeman, is right to ask about its appropriateness and proportionality.
17 July 2007 : Column GC3
The noble Lord, Lord Dholakia, asked about casinos. My understanding is that casinos are already exempted, so the order need not apply and it is therefore entirely workable. There is no explanation other than that.
Lord Bassam of Brighton rose to move, That the Grand Committee do report to the House that it has considered the Regulation of Investigatory Powers (Investigation of Protected Electronic Information: Code of Practice) Order 2007.
These orders, made under Section 71 of the Regulation of Investigatory Powers Act 2000, were laid before Parliament on 14 June. The purpose of the Regulation of Investigatory Powers (Acquisition and Disclosure of Communications Data: Code of Practice) Order is to secure approval of a draft code of practice relating to the acquisition and disclosure of communications data under the 2000 Act, its acquisition by public authorities and its disclosure by communications service providers.
Communications data, such as telephone and internet subscriber information, allocation of internet addresses, itemised call records and mobile phone location data, remain a vital tool in the prevention and detection of crime and in safeguarding the public. It is data about who contacted whom and when; it provides evidence of associations between individuals and events in time and place; it can corroborate the testimony of victims and witnesses; it can also provide evidence of innocence. Most importantly, it is not about the content of communications and what was said in telephone calls or written in e-mails.
The provisions of Chapter 2 were implemented in January 2004 and brought long overdue regulation to
17 July 2007 : Column GC4
A draft code of practice has been in place since these provisions were implemented. It has been extensively revised to take account of actual practice and to address issues on which public authorities and communications service providers have sought guidance or clarification. Sir Paul and his inspectors have contributed significantly to the development of the code of practice, as have respondents to a public consultation on the draft. The code presented to Parliament sets out procedures that ensure proper respect for individuals human rights and reflect the reality of operational and investigative work.
The application of the code will significantly reduce unnecessarily bureaucratic processes. For example, it makes clear that a senior officer can authorise the obtaining of subscriber information without needing to know which service provider operates the phone number. It also makes clear that it is unnecessary to undertake a subscriber check prior to, or separate from, checking call records; that a single authorisation can cover the acquisition of specific data and the additional data necessary to interpret that; and that, where data is required in an emergency, no special internal paperwork is required but the public authority must collate the evidence of its decision-making from operational logs, which must be available to the commissioners inspectors.
The code also makes clearthis reflects operational practice over many yearsthat where the connection of a 999 emergency call is lost and information is needed to provide emergency assistance to the caller within the so-called golden hour, that is outside the arrangements of the Act.
The code makes clear that only appropriately trained and accredited investigators who understand the legislation can engage with communications service providers and spare them from ill informed, impractical or unlawful inquiries.
The Regulation of Investigatory Powers (Investigation of Protected Electronic Information: Code of Practice) Order seeks the approval of a draft code of practice relating to the exercise and performance of the powers and duties under Part 3 of the Act to require the disclosure of protected electronic data in an intelligible form or to acquire a key, or a password, to that data. Part 3 gives public authorities no new powers to seize or acquire data, but it does give them powers, to be used only when necessary and appropriate, to require data they possess or are likely to possess to be made intelligible or to require disclosure of the key that will make the data intelligible.
These provisions are not in force. It has taken longer than was expected in 2000 for the same technologies that have enabled electronic commerce to develop to be taken up by terrorists and criminals to secure their information and to protect and conceal evidence of unlawful conduct.
Equally, encryption tools have remained cumbersome to use properly. That has been exploited by technical facilities such as the National Technical Assistance Centre (NTAC), which processes protected data on behalf of law enforcement and intelligence agencies.
However, these tools are becoming easier to use and are being installed in the standard operating systems of consumer devices. The impact of encrypted data on the work of investigators and their ability to work within statutory custody time limits will continue to increase.
The code of practice addresses issues on which Parliament sought clarification when the primary legislation was considered and debated. It takes account of the comments of respondents to the public consultation. The code makes it clear that the overriding purpose of the provisions is to enable investigators to access lawfully acquired information in an intelligible form, not to access the keys to data.
The power to require disclosure of key material can be expected to be used only where a person who is able to put protected information into an intelligible form indicates that they will not exercise that ability either voluntarily or on compulsion. The power is most likely to be exercised in relation to individuals who are the subject of investigation and responsible for protecting information that the authorities have obtained lawfully and believe to be evidence of unlawful conduct or relevant material to the investigation.
Once the provisions are in force, it will be an offence knowingly to fail to comply with a disclosure requirement, with a maximum penalty of five years imprisonment in national security cases or two years in other cases. We have consulted on whether that five-year penalty should be available in cases relating to possession of indecent images of children. I should report to the Committee that there is support for that, which would require amendment of the primary legislation. We will consider taking that step after assessing how well the provisions are used.
When this legislation was debated in Parliament, much concern was expressed that it would criminalise people with poor memories or would reverse the burden of proof in the case of those who claimed to have forgotten or lost keys to their data. The code makes it very clear that, where a person claims not to have had a key to the data, the prosecution must prove the contrary beyond reasonable doubt. If a person claims that they no longer have a key or do not know a key to the data, the prosecution must prove the contrary beyond reasonable doubt.
In direct response to concern expressed in public consultation that technical expertise is required to understand and apply this legislation appropriately, the code of practice makes it clear that no public authority may serve on any person a Part 3 notice without the prior written approval of NTAC. In this way, NTAC will have the crucial role of ensuring that
17 July 2007 : Column GC6
Recognising the critical importance of the integrity of information security in the financial services sector, and in response to the concerns expressed by Parliament and the public, the code makes it clear that no requirement to disclose a key to protected information should be imposed on any company or firm authorised by the Financial Services Authority without prior notification to the chief executive of the authority or a person designated by him for that purpose.
Finally, as an additional safeguard against abuse, both these codes of practice make it clear that, if an oversight commissioner establishes that an individual has been adversely affected by any wilful or reckless failure by any person within a public authority to comply with the Act, the commissioner shall, subject to the need to safeguard national security, inform the affected individual of the existence of the Investigatory Powers Tribunal, which considers complaints about unauthorised or inappropriate conduct and should enable that person effectively to engage the tribunal.
Subject to Parliaments approval, both codes and the provisions of Part 3 will commence on 1 October. Arrangements for delivering briefings to practitioners and other interested parties on the detail of the new provisions and the codes are being planned.
The primary responsibility for any democratic state is to protect its citizens, whether from the threats posed to us all by terrorism or from the threats posed to our most vulnerable citizens by sexual predators. It is right that in so doing the Government strike the right balance between the rights of communities and those of individuals. The guidance in both codes of practice does just that. I beg to move.
Moved, That the Grand Committee do report to the House that it has considered the Regulation of Investigatory Powers (Investigation of Protected Electronic Information: Code of Practice) Order 2007. 19th report from the Statutory Instruments Committee.(Lord Bassam of Brighton.)
Viscount Bridgeman: I am grateful to the Minister for that comprehensive explanation of the two orders, and the remarks with which he finished about the increasing sophistication of terrorists and of the criminal fraternity in general. I am pleased to hear that there was extensive consultation on both orders, and we welcome the safeguards provided under both the codes: first, the Interception of Communications Commissioner and, then, a further appeal to the Investigatory Powers Tribunal.
In the second order the controls on public authorities to ensure that the use of the powers is undertaken appropriately and in compliance with the requirements and principles of Part 3 and the code of practice are, again, reassuring. I am grateful to the Minister for recognising the question of the burden of proof, on which we are reassured. We have no objections to either order.
First, there is the secrecy requirement. Paragraph 10.8 of the code of practice details the possible provision mandating that the person to whom a Section 49 notice is delivered keeps the existence of the notice secret. The enactment of such a secrecy provision, in combination with the fact that an individual may be ordered to disclose encryption keys to which he has access with a business or personal associate, means that authorities might be able to encrypt an individuals information without their knowledge.
Secondly, paragraph 3.19 notes that encryption key material can be retained in the memory of an individual. The Minister explained at some length how the provision would work. Paragraph 10.5 states that if an individual provides evidence to the effect that he or she does not have possession of the key, the burden is on the prosecutor to prove the contrary beyond reasonable doubt, but it is unclear how that would work in the case of memorised passwords.
Thirdly, the sentencing guidelines seem to provide some bizarre incentives. Paragraph 10.2 lays out the penalties for failure to comply with an order: a maximum of two years imprisonment in most cases, rising to five years in national security cases. However, if an individual were in possession of an encryption key that would reveal their involvement in, say, a terrorist plot or other crimes such as child pornography, they would get off far easier by refusing to give the key and going to prison for non-compliance than they would by revealing the evidence of their other crimes.
Fourthly, the penalties for the abuse of power under Part 3 of RIPA need to be laid out. At present, only failure to protect disclosed information is covered, but there is a danger that public authorities will misuse their investigative power, and that remains unaddressed.
Finally, no mention is made of the need to protect the confidentiality of financial services. I refer to paragraphs 6.8 to 6.9. There are concerns that, if a bank is required to disclose keys that enable investigators to track the flow of money into and out of suspect bank accounts, the same data could be used to monitor other accounts. It would be helpful if the Minister could give his observations on the five points I have raised.
Lord Bassam of Brighton: I am grateful to both noble Lords, particularly the noble Viscount, Lord Bridgeman, for his helpful observations. We have had fairly widespread support for both orders, and from wider than the usual suspects. We have had very welcome support from Liberty, which now thinks it wise to implement these powers and that they are actually quite helpful in the protections that they offer for the benefit of people who may be affected. This broad welcome was reflected in noble Lords comments today.
The noble Lord, Lord Dholakia, understandably sought reassurance on points relating to the second
17 July 2007 : Column GC8
Lord Dholakia: I appreciate that there are some detailed points. It might be better, as this matter will come to the main Chamber, if in the mean time the Minister wrote to me with some details. That would help me.
The noble Lord asked how the powers would operate with regard to a memorised key. In reality, it would not work that way, as even hardened paedophiles write down their passwords. They suffer from the same memory problems as all of us.
|Back to Table of Contents
|Lords Hansard Home Page