UK: Data retention and access consultation farce

Government to allow access for crime purposes to records which can only be held for “national security”

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

This analysis first appeared in Statewatch bulletin, volume 13 no 2, April 2003

In March 2003 the Home Office issued two consultation papers, one on the retention of communications data, the other on access to communications data. The deadline for responses is 3 June. The latter came about after the government tried to rush through a Statutory Order giving over 1,039 public authorities the right to request communications data - after widespread objections by civil society this was withdrawn on 18 June 2002.

The former, on data retention, dates from the passing of the Anti-Terrorism, Crime and Security Act in December 2001. Section 103 says that the Home Secretary has to issue a consultation paper before the government brings in a voluntary Code of Practice by statutory instrument. It has taken the Home Secretary 16 months to issue the consultation paper. The ATCS Act says that the Home Secretary can order mandatory data retention if the voluntary scheme does not work (Section 104). However, Section 105 limits this power to two years from the passing of the Act which will be 13 December 2003 - the Code is unlikely to be operative by this date so the Home Secretary will have to put through another statutory instrument extending his powers for another two years (Section 105.4).

This begs the obvious questions: In December 2001 the ATCS Act was rushed through parliament on the grounds that the new powers were urgently needed to combat "terrorism" - does this mean that the security, intelligence and police agencies do not have access to communication data to combat "terrorism" or does it mean they already have all the powers they need? Does excessive delay not tell us that data retention is more to do with combating crime in general than terrorism?

The retention of data - what the Act says

Under the Act the Home Secretary can issue a code of practice (voluntary or mandatory) as is necessary:

"(a) for the purpose of safeguarding national security: or
(b) for the purpose of prevention or detection of crime or the prosecution of offenders which may relate directly or indirectly to national security"
(Section 102.3, emphasis added)

The Act is thus unequivocal, the Home Secretary can lay down a Code for the retention of communications data which is directly or indirectly related to "national security".

What the government is trying to do is to extend this legal definition to cover crime in general and in the case of some agencies to those who deal with health and safety, trading standards and local authority agencies.

Home Office officials try to argue that the Home Secretary made it clear during the debate on the ATCS Act that it would apply to crime in general. What the Home Secretary may have said during the debate has no bearing on the legal situation, it is what the Act says that counts. Moreover, if every statement by every government Minister during the passage of legislation had legal standing the courts would be in chaos.

Whatever the spin and glossy consultation document says the government is assuming that the telecommunications industry will cooperate and that the unlawful practice of accessing communications data for law enforcement in general will become the norm.

Consultation - data retention

The consultation paper on data retention under the ATCS Act admits that powers are only available to retain data for the purpose of "national security" and related crimes but then refers to crime in general throughout. It states that the "Home Office does not consider" that data retained for the purposes of national security "and not for any other reason, should prevent the police or other public authorities having access to that data when they can demonstrate a proportionate need for it" - ignoring the fact that "proportionate" is only relevant where an underlying power exists in the first place.

The Information Commissioner (the re-named Data Protection Commissioner) who was consulted sits on the fence by saying that in relation to data protection (as distinct from the underlying law) access would not automatically be "unlawful.. but that it may be in certain circumstances". The Commissioner’s advice to communications service providers is that they should notify their office that they are processing data for the purpose of national security and crimes directly or indirectly associated (citing the text of s.102.3 of the ATCS Act) which can hardly be re-assuring if faced with a legal challenge. The Home Secretary, David Blunkett, has apparently assured the industry that he will stand side-by-side with them if they face any data
protection or human rights legal challenges - which is pretty meaningless unless the Home Secretary is also sued.

Under the draft Code of practice subscriber information and telephony data (date, time, location etc) would be kept for 12 months and e-mail data for 6 months.

Consultation - access to communications data

Powers to access communications data is defined as traffic data (including location of the users of mobile phones), service data and subscriber data (names, addresses etc) under Chapter II of Part 1 of the Regulation of Investigatory Powers Act 2000 (see Statewatch vol 10 no 1).

Access under RIPA 2000 referred to current, "real-time" (as a conversation is happening for example) or to further surveillance - and not to data retention which only became an issue under the ATCS Act 2002.

The reason the Statutory Order was withdrawn last year was because it was revealed that some 1,039 public authorities would have the right to request access to communications data. The consultation paper seeks to justify access for a number of authorities such as the Office of Fair Trading, the Immigration Service and Serious Fraud Office but is utterly silent on exactly how many authorities will have these powers under a so-called revised list. This list still includes all local authorities in the country, only parish councils (who have few powers anyway are to be excluded). A list of potential authorities is provided on an obscure Home Office page (see below) which is interesting not just for some dubious justifications but because it shows that hundreds of thousands of requests for access to communication data are already being made by agencies even though there is no legal power to do so (except for those agencies directly specified in RIPA 2000 like the police).

What is evident from the detailed information is that you cannot have hundreds of agencies authorising themselves to demand access to communications data. The paper is much exercised to find a mechanism to authorise them. One obvious option is judicial authorisation but this would be a "burdensome duty on the courts", another is the toothless Interception of Communications Commissioner (see below) which the Home Office favours.

"Independent oversight" is to be provided by the Interception of Communications Commissioner which is hardly likely to engender public confidence. The holders of this post, and the Tribunal to which members of the public can complain about surveillance, were created under the 1985 Interceptions of Communications Act (now replaced by RIPA 2000) have never in the eighteen years of their existence upheld a complaint.

The paper ends with the following extraordinary observation that where "intrusion into privacy is possible" and when people are aware of this and oversight is in place:

"Those who then engage in conduct, knowing from information placed in the public domain, that as a consequence their privacy is liable to compromise, accept the risk to their privacy"

Source: The two consultation papers are available on the Statewatch website:

Access to communications data (RIPA 2000) (pdf, 1.2 MB)
Access to communications data (RIPA 2000) (Word, 291k)
Data retention (ATCS 2002) (pdf)

Government forced to withdraw surveillance plans
Analysis of the Regulation of Investigatory Powers Bill
The full-text of the Regulation of Investigatory Powers Act: RIPA (link)

see also: UK: Surveillance of communications goes through the roof - doubling under the Labour government: Special Statewatch Report

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error