|
Home Page | About Us | Press Enquiries| Reports | Policy Issues | News Items | Press Releases | Mailing Lists | Bookstore |
[This version is provided by http://www.cyber-rights.org]
An Act to amend the Terrorism Act 2000; to make further provision about terrorism and security; to provide for the freezing of assets; to make provision about immigration and asylum; to amend or extend the criminal law and powers for preventing crime and enforcing that law; to make provision about the control of pathogens and toxins; to provide for the retention of communications data; to provide for implementation of Title VI of the Treaty on European Union; and for connected purposes. [14th December 2001]
See below for the Explanatory Notes to Anti-Terrorism, Crime And Security Act 2001 - published 20 February, 2002
28. Part 11 contains provisions facilitating the retention by communications providers of data about their customers' communications for national security purposes so that they can be accessed by the security, intelligence and law enforcement agencies by means of a statutory code of practice to be drawn up in consultation with industry and the Information Commissioner and approved by Parliament by affirmative resolution procedure.
29. The Act ensures that data which communications service providers would otherwise be obliged to erase when it is no longer needed for billing purposes may be retained if it is necessary to safeguard national security or to prevent, detect or prosecute crimes related to national security.
30. The Regulation of Investigatory Powers Act 2000 (Part 1, Chapter 2) sets out limits on the purposes for which the security, intelligence and law enforcement agencies may request access to data relating to specific communications. These provisions complement the 2000 Act by clarifying the lawful basis for the retention of data by communications service providers. They do not affect the access framework and safeguards set out in RIPA.
31. There is also a reserve power to review the voluntary arrangements under the code of practice and issue directions if necessary. If still needed, it must be renewed by an affirmative order every two years, unless the power is exercised.
257. Part 11 sets up a structure within which the Secretary of State can issue a code of practice relating to the retention of communications data by communications service providers, such as telephone and internet companies. Communications data is data relating to telephone, Internet and postal communications which does not include the substance of the communications itself.
258. The Telecommunications (Data Protection and Privacy) Regulations 1999 regulate the retention of such data by communication service providers providing that such data can only be retained for certain specific purposes. Otherwise it must be erased or made anonymous. Communications data can be a useful tool for law enforcement agencies and if held by a communications service provider is accessible by a public authority under Chapter II of Part I of the Regulation of Investigatory Powers Act 2000. However, whilst the Regulations permit the retention of communications data on national security and crime prevention grounds, they do not give any general guidance as to when these might apply. Accordingly, before these provisions were introduced communications service providers did not have a clear lawful basis for retaining communications data beyond the period for which it was required for their own business purposes.
259. Part 11 establishes a structure to regulate the continued retention of such data on national security and crime related to national security grounds so that it may then be accessed by public authorities under the Regulation of Investigatory Powers Act 2000. Under section 102 the Secretary of State can issue a voluntary code of practice which will provide a basis for retention of communications data. Section 104 provides that if the voluntary scheme proves ineffective the Secretary of State may by affirmative order be authorised to impose mandatory retention directions on communications service providers. Section 105 provides that the power to invoke the mandatory scheme in section 104 will itself lapse unless renewed by affirmative order.
260. Subsection (1) sets out that a voluntary code of practice will be drawn up and issued by the Secretary of State. The code will be applicable to communications providers and will apply to communications data that they have generated or is otherwise in their possession.
261. Subsection (2) explains that the Secretary of State may enter into further agreements with specific communications providers, with the consent of both parties. These will specify in greater detail than the generic code the type of data that is retained, and the conditions of retention and retrieval. The aim of these individual agreements is to provide greater clarity as to each provider's retention practices for public authorities who are eligible under the Regulation of Investigatory Powers Act 2000 to access communications data.
262. Subsection (3) sets out that the code and any agreements may contain provisions necessary to safeguard national security, or to prevent or detect crime and to prosecute offenders where this is directly or indirectly related to national security.. Data retained in accordance with the code will therefore be held for national security and law enforcement purposes, without prejudice to the communication provider's own business purposes.
263. Subsection (4) makes it clear that the code is voluntary: there are no penalties for non-compliance.
264. Subsection (5) allows the code or any agreement drawn up under this section to be used in legal proceedings brought against a communications provider by a person whose communications data they hold. Adherence to the terms of the code or agreement may be used as evidence that the retention of data is justified for national security or law enforcement purposes. This provision is intended to prevent a communications provider facing civil liability for retaining data in accordance with the code when they have no further need of it for business purposes.
265. Subsections (1), (2), (3) and (4) explain that the code of practice will be drawn up in two stages: firstly consultation with the Information Commissioner and communications providers to whom the code applies, leading to the publication of a draft, and secondly public consultation during which comments may be taken from any quarter.
266. Subsections (5), (6) and (7) require the Secretary of State to use an affirmative statutory instrument to bring the code into force, so ensuring that Parliament have the chance to consider and approve the code. The code may contain transitional provisions, covering for example data collected before the code is finalised or no longer judged necessary for the purposes of this Act under subsequent revisions of the code.
267. Subsections (8), (9) and (10) provide for the code to be revised and re-issued following consultation with the Information Commissioner and those communications providers who would be affected by the revisions. The order bringing a revised code into force would also need to be approved by both Houses of Parliament.
268. This section permits the Secretary of State to issue compulsory directions if he is not satisfied that the operation of the voluntary code of practice is effective. Directions may only be given if the Secretary of State is authorised to do so by affirmative order and for the purposes of safeguarding national security and the prevention and detection of crime or the prosecution of defenders which may relate directly or indirectly to national security.
269. Subsection (1) provides that the Secretary of State may by order authorise the giving of directions under this section.
270. Subsection (2) explains that the mandatory directions may apply to any of three categories: either all communications providers, a particular type of communications providers, or one or several specific communications providers.
271. Subsection (3) explains that the statutory order authorising the giving of directions must specify the maximum period for which any communications provider can be directed to retain any particular type of data.
272. Subsection (4) obliges the Secretary of State to consult with those who may be affected by the mandatory directions, or their representatives, before giving them. If the requirement is only being placed on particular communications providers (as in subsection 2(c) above), the Secretary of State must consult with them directly.
273. Subsection (5) explains that any direction must be explicitly brought to the attention of those to whom it applies.
274. Subsection (6) puts a duty on the communications provider to comply with any direction given under this section that applies to him.
275. Subsection (7) sets out the consequences of non-compliance with any direction. The Secretary of State may bring civil proceedings against the communications provider, seeking an injunction, or other appropriate relief.
276. Subsection (8) requires that the Secretary of State lay a draft of any order made under subsection (1) before Parliament and seek the approval of both the House of Commons and the House of Lords for that order.
277. This section provides for the renewal every two years of the Secretary of State's power under section 104(1) to authorise the issue of compulsory directions. The power will lapse unless it is either exercised or renewed.
278. Subsection (1) provides that the power to authorise the issue of compulsory directions ceases to have effect unless an order is made under section 104 before the end of the initial period.
279. Subsections (2), (3) and (4) define the initial period as two years beginning from the day on which the Act is passed and provide for it to be extended by order more than once, so long as the order extending the period is made within the two years. The extension may only be for two years at a time.
280. Subsection (5) requires that an order extending the initial period must be approved by affirmative resolution.
281. This section allows for payment arrangements to be made in order to compensate communications providers for the costs of adhering to the provisions of the code of practice or any agreements. It is consistent with similar provisions in the Regulation of Investigatory Powers Act 2000 (sections 24 and 52 of that Act).
282. Subsection (1) puts a duty on the Secretary of State to set up arrangements for paying an appropriate contribution of the costs incurred by communications providers acting in accordance with the code of practice or any agreements.
283. Subsection (2) clarifies that the Secretary of State may make arrangements for payments to be made out of money provided by Parliament.
284. This section provides a definition of the terms used in the Part.
285. Subsection (1) lists definitions of a number of terms. The terminology is consistent with that used in the Regulation of Investigatory Powers Act 2000.
286. Subsection (2) specifies that the provisions of any code of practice, agreements or directions under this Part are applicable to all data obtained or held by the communications provider, including that which came into their possession before the code, agreements or directions took effect.
A B I L L TO
Amend the Terrorism Act 2000; to make further provision about terrorism and
security; to provide for the freezing of assets; to make provision about
immigration and asylum; to amend or extend the criminal law and powers for
preventing crime and enforcing that law; to make provision about the control of
pathogens and toxins; to provide for the retention of communications data; to
provide for implementation of Title VI of the Treaty on European Union; and for
connected purposes.
The Full text of
the Anti-Terrorism, Crime, and Security Bill
is available
as a PDF file
An html version of the Bill is provided by Cryptome.Org
See also the Explanatory
Notes for the Bill
Check also Internet related
Policy Issues and developments following the Attacks on America on 11 Sept.
2001
Note also the House of Lords and House of Commons Joint Committee On Human Rights
13/11/01 - Information Commissioner Contributes to Scrutiny of Anti-Terrorism Bill
- added below
-
Second Report
on the Anti-Terrorism, Crime and Security Bill, HL 37, HC 372,
16 November 2001
New - Home Office, Retention
of Communications Data: Supplemental Regulatory Impact Assessment.
An html version of this document is also available through Cryptome.Org
Home Office Anti-Terrorism,
Crime and Security Bill pages
New
- House of Commons Library Research Paper,
The Anti-terrorism, Crime and Security Bill, Parts III & XI: Disclosure and retention of information
[Bill 49 of 2001-02], No: 01/98 of 2001, 19 November,
2001
House of
Lords and House of Commons Joint Committee On Human Rights -
Second Report on the Anti-Terrorism, Crime and Security Bill,
HL 37, HC 372,
16 November 2001
"We note that as the Bill is
presently drafted, the Code of Practice relating to the retention of
communications data will not be subject to any parliamentary
procedure. We also have in mind that a Code of Practice may be used as
evidence in courts and tribunals, and that a direction given by a
Secretary of State may give rise to legal obligations. In the light of
these factors, we consider that measures should be put in place to
ensure that the Code of Practice and any directions are compatible
with the right to respect for private and family life, home and
correspondence under Article 8 of the ECHR, and that those measures
should be specified, so far as practicable, on the face of the
legislation. We accordingly draw these provisions to the attention of
each House."
"It remains to be seen whether the government will take into account what the Joint Committee said about the data retention proposals which have been included within the Anti-Terrorism, Crime, and Security Bill. However, there needs to be measures of legal protection in law against arbitrary interferences by public authorities especially where a power of the executive is exercised in secret without the knowledge of the citizens." Yaman Akdeniz, Director of Cyber-Rights & Cyber-Liberties (UK)
RETENTION OF COMMUNICATIONS DATA
101 Codes and agreements about the retention of communications data
102 Directions about retention of communications data
103 Lapsing of powers in section 102
104 Arrangements for payments
105 Interpretation of Part 11
Intelligence Services Act 1994
114 Amendments of Intelligence Services Act 1994
PART 11 RETENTION OF COMMUNICATIONS DATA
101 Codes and agreements about the retention of communications data
(1) The Secretary of State shall issue, and may from time to time revise, a code of practice relating to the retention by communications providers of communications data obtained by or held by them.
(2) The Secretary of State may enter into such agreements as he considers appropriate with any communications provider about the practice to be followed by that provider in relation to the retention of communications data obtained by or held by that provider.
(3) Before issuing or revising a code of practice under this section the Secretary of State shall consult with the communications providers to whom the code will apply or, as the case may be, who will be affected by the revisions, or with the persons appearing to him to represent those providers.
(4) Where the Secretary of State issues or revises a code of practice under this section, he shall publish the code or, as the case may be, the revised code in such manner as he considers appropriate for bringing it to the attention of the communications providers to whom it applies.
(5) A code of practice or agreement under this section may contain any such provision as appears to the Secretary of State to be necessary—
(a) for the purpose of safeguarding national security; or
(b) for the purposes of the prevention or detection of crime or the prosecution of offenders.
(6) A failure by any person to comply with a code of practice or agreement under this section shall not of itself render him liable to any criminal or civil proceedings.
(7) A code of practice or agreement under this section shall be admissible in evidence in any legal proceedings in which the question arises whether or not the retention of any communications data is justified on the grounds that a failure to retain the data would be likely to prejudice national security, the prevention or detection of crime or the prosecution of offenders.
102 Directions about retention of communications data
(1) If, after reviewing the operation of any requirements contained in the code of practice and any agreements under section 101, it appears to the Secretary of State that it is necessary to do so, he may by order made by statutory instrument authorise the giving of directions under this section.
(2) Where any order under this section is in force, the Secretary of State may give such directions as he considers appropriate about the retention of communications data—
(a) to communications providers generally;
(b) to communications providers of a description specified in the direction;
or
(c) to any particular communications providers or provider.
(3) An order under this section must specify the maximum period for which a communications provider may be required to retain communications data by any direction given under this section while the order is in force.
(4) Before giving a direction under this section the Secretary of State shall consult—
(a) with the communications provider or providers to whom it will apply;
or
(b) except in the case of a direction confined to a particular provider, with the persons appearing to the Secretary of State to represent the providers to whom it will apply.
(5) A direction under this section must be given or published in such manner as the Secretary of State considers appropriate for bringing it to the attention of the communications providers or provider to whom it applies.
(6) It shall be the duty of a communications provider to comply with any direction under this section that applies to him.
(7) The duty imposed by subsection (6) shall be enforceable by civil proceedings by the Secretary of State for an injunction, or for specific performance of a statutory duty under section 45 of the Court of Session Act 1988 (c. 36), or for any other appropriate relief.
(8) The Secretary of State shall not make an order under this section unless a draft of it has been laid before Parliament and approved by a resolution of each House.
103 Lapsing of powers in section 102
(1) Section 102 shall cease to have effect at the end of the initial period unless an order authorising the giving of directions is made under that section before the end of that period.
(2) Subject to subsection (3), the initial period is the period of two years beginning with the day on which this Act is passed.
(3) The Secretary of State may by order made by statutory instrument extend, or (on one or more occasions) further extend the initial period.
(4) An order under subsection (3)—
(a) must be made before the time when the initial period would end but for the making of the order; and
(b) shall have the effect of extending, or further extending, that period for the period of two years beginning with that time.
(5) The Secretary of State shall not make an order under subsection (3) unless a draft of it has been laid before Parliament and approved by a resolution of each House.
104 Arrangements for payments
(1) It shall be the duty of the Secretary of State to ensure that such arrangements are in force as he thinks appropriate for authorising or requiring, in such cases as he thinks fit, the making to communications providers of appropriate contributions towards the costs incurred by them—
(a) in complying with the provisions of any code of practice, agreement or direction under this Part, or
(b) as a consequence of the retention of any communications data in accordance with any such provisions.
(2) For the purpose of complying with his duty under this section, the Secretary of State may make arrangements for the payments to be made out of money provided by Parliament.
105 Interpretation of Part 11
(1) In this Part—
"communications data" has the same meaning as in Chapter 2 of Part 1 of the Regulation of Investigatory Powers Act 2000 (c. 23);
"communications provider" means a person who provides a postal service or a telecommunications service;
"legal proceedings", "postal service" and "telecommunications service" each has the same meaning as in that Act;
and any reference in this Part to the prevention or detection of crime shall be construed as if contained in Chapter 2 of Part 1 of that Act.
(2) References in this Part, in relation to any code of practice, agreement or direction, to the retention by a communications provider of any communications data include references to the retention of any data obtained by that provider before the time when the code was issued, the agreement made or the direction given, and to data already held by that provider at that time.
Intelligence Services Act 1994
114 Amendments of Intelligence Services Act 1994
(1) In section 7 of the Intelligence Services Act 1994 (c. 13) (authorisation of acts outside the British Islands), in subsection (3) —
(a) in paragraphs (a) and (b)(i), after "the Intelligence Service" insert, in each case, "or GCHQ"; and
(b) in paragraph (c), after "2(2)(a)" insert "or 4(2)(a)".
(2) After subsection (8) of that section insert—
"(9) For the purposes of this section the reference in subsection (1) to an act done outside the British Islands includes a reference to any act which—
(a) is done in the British Islands; but
(b) is or is intended to be done in relation to apparatus that is believed to be outside the British Islands, or in relation to anything appearing to originate from such apparatus;
and in this subsection ‘apparatus’ has the same meaning as in the Regulation of Investigatory Powers Act 2000 (c. 23)."
(3) In section 11(1A) of that Act (prevention and detection of crime to have the same meaning as in Chapter 1 of Part 1 of the Regulation of Investigatory Powers Act 2000), for the words from "for the purposes of this Act" to the end of the subsection substitute—
"(a) for the purposes of section 3 above, as it applies for the purposes of Chapter 1 of Part 1 of that Act; and
(b) for the other purposes of this Act, as it applies for the purposes of the provisions of that Act not contained in that Chapter."
Retention of communications data
28. Part 11 contains provisions to allow communications service providers to retain data about their customers' communications for access by law enforcement agencies and for national security purposes and to enable a code of practice to be drawn up in consultation with industry.
29. The code of practice will allow communications service providers to retain data about their customers' communications for access by law enforcement agencies. Currently communications service providers are obliged to erase this data when they no longer need it for billing purposes.
30. These provisions fall within the Regulation of Investigatory Powers Act 2000 which sets out the limits on the purposes for which the law enforcement, security and intelligence agencies may request access to data relating to specific communications.
31. There is also a reserve power to review the arrangements and issue directions if necessary. If still needed, it must be reviewed by an affirmative order every two years. As soon as the power is exercised, there is no need for further review.
PART 11: RETENTION OF COMMUNICATIONS DATA
Overview
259. Part 11 sets up a structure within which the Secretary of State can issue a code of practice relating to the retention of communications data by communications service providers, such as telephone and internet companies. Communications data is data relating to telephone, Internet and postal communications which does not include the substance of the communications itself. The Telecommunications (Data Protection and Privacy) Regulations 1999 regulate the retention of such data by communication service providers providing that such data can only be retained for certain specific commercial purposes. Otherwise it must be erased or made anonymous. Communications data can be a useful tool for law enforcement agencies and if held by a communications service provider will be accessible by a public authority under Chapter II of Part I of the Regulation of Investigatory Powers Act 2000 which is shortly to come into force. However, whilst the Regulations permit the retention of communications data on national security and crime prevention grounds there is currently no general guidance given as to when these might apply. Accordingly, communications service providers do not currently have a clear lawful basis for retaining communications data beyond the period that they require it for their own business purposes. Part 11 establishes a structure to regulate the continued retention of such data on national security and crime prevention grounds so that it may then be accessed by public authorities under the Regulation of Investigatory Powers Act 2000. Under clause 101 the Secretary of State can issue a voluntary code of practice which will provide a basis for retention of communications data. Clause 102 provides that if the voluntary scheme proves ineffective the Secretary of State may by affirmative order be authorised to impose mandatory retention directions on communications service providers. Clause 103 provides that the power to invoke the mandatory scheme in clause 102 will itself lapse unless renewed by affirmative order.
Clause 101 Codes and agreements about the retention of communications data
260. Subsection (1) sets out that a voluntary code of practice will be drawn up and issued by the Secretary of State. The code will be applicable to communications providers and will apply to communications data that they have generated or is otherwise in their possession.
261. Subsection (2) explains that the Secretary of State may enter into further agreements with specific communications providers, with the consent of both parties. These will specify in greater detail than the generic code the type of data that is retained, and the conditions of
retention and retrieval. The aim of these individual agreements is to provide greater clarity as to each provider's retention practices for public authorities who are eligible under the Regulation of Investigatory Powers Act 2000 to access communications data.
262. Subsection (3) puts a requirement on the Secretary of State to consult with those who may be affected by the code, or their
representatives, before issuing or revising it.
263. Subsection (4) requires the Secretary of State to publish the code of practice and any revised code in a way which brings it to the
attention of the communications service providers to whom it applies.
264. Subsection (5) sets out that the code and any agreements may contain provisions necessary to safeguard national security, to prevent or
detect crime and to prosecute offenders. The code and agreements may therefore contain any provision relative to those ends. Data retained in
accordance with the code will therefore be retained for national security and law enforcement purposes, without prejudice to the communication
provider's own business purposes.
265. Subsection (6) makes it clear that the code is voluntary: there are no penalties for non-compliance.
266. Subsection (7) allows the code or any agreement drawn up under this section to be used in legal proceedings brought against a
communications provider by a person whose communications data they hold. Adherence to the terms of the code or agreement may be used as
evidence that the retention of data is justified for national security or law enforcement purposes. This provision is intended to prevent a
communications provider facing civil liability for retaining data in accordance with the code when they have no further need of it for business
purposes.
Clause 102 Directions about retention of communications data
267. This clause permits the Secretary of State to issue compulsory directions if he is not satisfied that the operation of the voluntary code of
practice is effective. Directions may only be given if the Secretary of State is authorised to do so by order.
268. Subsection (1) provides that the Secretary of State may by order authorise the giving of directions under this section.
269. Subsection (2) explains that the mandatory directions may apply to any of three categories: either all communications providers, a
particular type of communications providers, or one or several specific communications providers.
270. Subsection (3) explains that the statutory order authorising the giving of directions must specify the maximum period for which any
communications provider can be directed to retain any particular type of data.
271. Subsection (4) obliges the Secretary of State to consult with those who may be affected by the mandatory directions, or their
representatives, before giving them. If the requirement is only being placed on particular communications providers (as in subsection 2(c) above),
the Secretary of State must consult with them directly.
272. Subsection (5) explains that any direction must be explicitly brought to the attention of those to whom it applies.
273. Subsection (6) puts a duty on the communications provider to comply with any direction given under this section that applies to him.
274. Subsection (7) sets out the consequences of non-compliance with any direction. The Secretary of State may bring civil proceedings
against the communications provider, seeking an injunction, or other appropriate relief.
275. Subsection (8) requires that the Secretary of State lay a draft of any order made under subsection (1) before Parliament and seek the
approval of both the House of Commons and the House of Lords for that order.
Clause 103 Lapsing of powers in section 102
276. This section provides for the renewal every two years of the Secretary of State's power under clause 103(1) to authorise the issue of
compulsory directions. The power will lapse unless it is renewed.
277. Subsection (1) provides that the power to authorise the issue of compulsory directions ceases to have effect unless an order is made
under clause 103 before the end of the initial period.
278. Subsection (2) defines the initial period as two years beginning from the day on which the Act is passed.
279. Subsection (3) provides that this period may be extended by order more than once.
280. Subsection (4) requires the order extending the period to be made before the end of that period. The extension may only be for two years
at a time.
281. Subsection (5) requires that an order extending the initial period must be approved by affirmative resolution.
Clause 104 Arrangements for payments
282. This clause allows for payment arrangements to be made in order to compensate communications providers for the costs of adhering to
the provisions of the code of practice or any agreements. It is consistent with similar provisions in the Regulation of Investigatory Powers Act
2000 (sections 24 and 52 of that Act).
283. Subsection (1) puts a duty on the Secretary of State to set up arrangements for paying an appropriate contribution of the costs incurred
by communications providers acting in accordance with the code of practice or any agreements.
284. Subsection (2) clarifies that the Secretary of State may make arrangements for payments to be made out of money provided by
Parliament.
Clause 105 Interpretation of Part 11
285. This clause provides a definition of the terms used in the Part.
286. Subsection (1) lists definitions of a number of terms. The terminology is consistent with that used in the Regulation of Investigatory Powers
Act 2000.
287. Subsection (2) specifies that the provisions of any code of practice, agreements or directions under this Part are applicable to all data
obtained or held by the communications provider, including that which came into their possession before the code, agreements or directions took
effect.
Data Retention
9.Costs to business will result from the voluntary agreement with communications service providers (CSPs) to retain data for law enforcement
purposes and will fall upon public telecommunications operators, international simple voice resale providers and internet service providers.
Although many of the larger CSPs do currently retain their data for the period envisaged in this legislation (up to 12 months), this is not
standard practice across the industry.
10.The costs to industry fall into three categories: technical investment, technical running costs and staff costs. Some of these costs are already
incurred by service providers retaining data for their own business purposes, for which substantial retention capabilities may already exist.
11.Estimates vary upwards from £9m per annum across the industry. The costs to internet service providers are anticipated to be greater than
those for public telephone operators, and have been estimated to be on average in the region of a few hundred thousands pounds per year
for each provider.
12.Government will discuss what arrangements might be appropriate to compensate communication service providers for any additional costs
under these provisions, particularly since those that will be most affected will be small/niche-market businesses. The Government has given
assurances that measures taken in the context of the emergency legislation should not commercially disadvantage UK business or impact on
the confidence of users and operators in the UK as the best place to do e-business. Details of the requirements will be covered in the code of
practice.
13.However, the situation varies greatly from one firm to another according to infrastructure and retention practices. Therefore, the provisions
and any compensation will be dealt with on a case by case basis: there would not be a "one size fits all" arrangement.
House of Lords and House of Commons Joint Committee On Human Rights - Second Report on the Anti-Terrorism, Crime and Security Bill, HL 37, HC 372, 16 November 2001
Part 11 of the Bill: Retention of Communications Data
69. Part 11 of the Bill deals with the retention of communications data. These are data held by communications providers about the use made of their facilities by customers, such as the telephone numbers dialled from a particular line, the times and duration of calls, and equivalent data in respect of Email communications. They currently fall outside the regime for authorizing surveillance under Chapter 2 of Part I of the Regulation of Investigatory Powers Act 2000.
70. Clause 101 proposes that the Secretary of State should issue a Code of Practice and enter into agreements with providers about the retention of such data. Under clause 102, the Secretary of State would then be empowered to issue directions, by statutory instrument, requiring the providers to make specified provision for the retention of communications data. It would be possible to enforce the directions by civil proceedings. These powers are linked to the maintenance of national security, but also detection or prevention of crime more generally.
71. There is no express limit to the scope of the powers. They could be used to secure highly sensitive data for the purpose of investigating very minor offences, or even for monitoring people's communications without any ground for suspecting them of any offence or of threatening national security. We note that as the Bill is presently drafted, the Code of Practice relating to the retention of communications data will not be subject to any parliamentary procedure. We also have in mind that a Code of Practice may be used as evidence in courts and tribunals, and that a direction given by a Secretary of State may give rise to legal obligations. In the light of these factors, we consider that measures should be put in place to ensure that the Code of Practice and any directions are compatible with the right to respect for private and family life, home and correspondence under Article 8 of the ECHR, and that those measures should be specified, so far as practicable, on the face of the legislation. We accordingly draw these provisions to the attention of each House.
Conclusion
76. We have had to consider the
Anti-terrorism, Crime and Security Bill at great speed. We are very conscious of
the circumstances which gave birth to it, and the threat that many citizens of
this country still feel to their safety after the terrible events of 11
September. However, Parliament should take a long view, and resist the
temptation to grant powers to governments which compromise the rights and
liberties of individuals. The situations which may appear to justify the
granting of such powers are temporary—the loss of freedom is often permanent.
77. The Government has made sincere efforts to safeguard rights while addressing the threat that it assesses exists to national security. Indeed, the Home Secretary has been keen to stress that he has sought the derogation from the ECHR because he wishes to override a lesser right (to a fair trial) in order to preserve a greater one (to be free from torture or capital punishment or inhuman and degrading treatment). All such decisions involve balancing freedom and security—a balancing act of which it is difficult to judge the success because Parliament is not privy to all the information to which Ministers have access.
78. We have concluded that, on the evidence available to us, the balance between freedom and security in the Bill before us has not always been struck in the right place. In particular, although we recognise the dilemma from which the Home Secretary sought to free himself by recourse to the derogation from Article 5, we are not persuaded that the circumstances of the present emergency or the exigencies of the current situation meet the tests set out in Article 15 of the ECHR. It is now for Parliament to draw its own conclusions, and for Members of both Houses to satisfy themselves that there are adequate safeguards to protect the rights of the individual citizen against abuse of these powers .
79. On the other matters of concern which we have outlined above, we will be seeking further evidence and giving them further consideration. We may report to each House again before the Bill reaches the statute book—in whatever form it gets there. Careful consideration is not, however, aided by the decision to push a Bill of this size and complexity through Parliament at such breakneck speed. Too many ill-conceived measures litter the statute book as a result of such rushed legislation in the past.
The Information Commissioner, Elizabeth
France, today offered comments on the proposed provisions of the Anti-Terrorism,
Crime and Security Bill. The Bill contains provisions relating to the retention
of communication data by communications providers for possible later access by
law enforcement agencies.
The Commissioner, who has set out her concerns in a memorandum to inform the
public scrutiny, said:
"The proposed provisions could have a significant impact on the privacy of
individuals whose data are retained. If there is a demonstrable and pressing
need for these provisions, an appropriate balance must be struck between
personal privacy and the legitimate needs of the law enforcement community.
"I am particularly concerned that leaving matters to a voluntary code of
practice, or to agreements, may pose difficulties for data protection and human
rights compliance.
"Although recent events have prompted these measures to be brought forward,
law enforcement agencies will make use of them on a day to day basis for a
variety of matters. Careful consideration must be given to ensure that the
provisions are appropriate to addressing these more routine needs."
---ends-
Notes to Editors
The Commissioner has a statutory duty to promote observance of the Data
Protection Act 1998. Her memorandum is available on her website at www.dataprotection.gov.uk
For further information please contact Angela Nonis or Helen Corkery on 01625
545700
The Information Commissioner (the Commissioner) has statutory responsibility for
promoting and enforcing the Data Protection Act 1998 (the 1998 Act). The Act
sets legally enforceable standards in relation to the processing of personal
data, it also gives the Commissioner a statutory duty to raise awareness and
promote good practice in relation to the processing of personal data. The Act
provides a number of safeguards to protect individuals where others are handling
their personal information, but it also contains provisions modifying these
where they would be likely to prejudice the prevention or detection of crime,
the apprehension and prosecution of offenders or where national security would
be affected. In short, the Act and the European Union Directive upon which it is
based, seek to balance respect for the privacy of individual citizens and the
need of society to protect itself against criminal and other subversive
activity.
TITLE
1. Voluntary retention of communications data by communications service
providers for the purposes of national security or the prevention or detection
of crime or the prosecution of offenders.
PURPOSE AND INTENDED EFFECT OF THE MEASURE
Issue and objective
2. Issue: Communications data is an important investigative tool: it allows investigators for example to establish links between suspected conspirators (itemised bill) or to ascertain the whereabouts of a given person at a given time, thereby confirming or disproving an alibi (cell site analysis). Data is distinct from content: taking the example of a mobile telephone call, data includes the originating/destination telephone line, and the time and place of the call, whereas content is what was said during the conversation.
3. There are currently no provisions for communications service providers to retain communications data for the purposes of the law enforcement, security and intelligence agencies. Under the Telecommunications (Data Protection and Privacy) Regulations 1999, service providers are obliged to erase or anonymise data which is not needed for specific business purposes (e.g. management of billing and traffic, customer enquiries, prevention or detection of fraud and marketing of telecommunications services). The Regulation of Investigatory Powers Act 2000 regulates access to communications data by authorised public authorities, but makes no provisions to ensure that such data is available when public authorities request it.
4. Objective: This legislative proposal is intended to ensure that communications service providers have a clear legal basis for retaining communications data for law enforcement purposes, and that public authorities have a clear picture of what data is being retained and for how long.
5. This objective will be achieved by means of a voluntary code of practice which will be admissible in legal proceedings as evidence that the data has been retained for the purpose of preventing and detecting crime and prosecuting offenders. The Secretary of State will have reserve powers to impose a mandatory code of practice by order if the voluntary arrangements are considered not to be working satisfactorily.
Risk Assessment
6. Changes to the business model are leading to a reduction in the amount of data which is needed for billing purposes (e.g. pre-pay/ subscription/ "always on"). Combined with pressure from the privacy lobby, this is leading to a decrease in data retention overall. The risks associated with data retention fall in four main areas: security, civil liberties, domestic competition and international competition.
Security
7. Communications data have played a vital part in the terrorist investigations relative to the events of 11 September 2001. Future investigations would be seriously hampered by a lack of available data.
Civil Liberties
8. Data relating to specific individuals under investigation will only be available if data relating to the communications of the entire population is retained, since a criminal's data cannot be distinguished from anyone else s at the time of collection/retention. Mass retention has obvious civil liberties ramifications (even though this is data, not content, and retention, not access). A balance must therefore be drawn between security and privacy.
Domestic competition
9. Equally, there are risks to communications providers. Retaining and retrieving data is expensive and may require the development of new systems. Marginal costs will vary according to the retention specification: the longer the period and the broader the definition of data affected, the higher the costs. Smaller or niche-market firms might suffer disproportionately from a blanket requirement. However, there has already been considerable investment in retention capability across the industry: a report produced for the Home Office estimated that £20 million had already been spent in tailor-made systems, developed by the industry for law enforcement purposes.
International Competition
10. Concern has been expressed that the UK s competitiveness in the e-commerce market might suffer. However, we are not the only country to address this issue. In the EU, France, Germany, Belgium, the Netherlands, Denmark and Italy either have or are on the point of introducing retention policies. Consistency in approach under the Third Pillar has been proposed and further negotiations will follow.
11. For these reasons, the legislative proposal is for a voluntary code of practice which will specify a maximum recommended period for the retention of data. This period is expected to be twelve months (it will not be more); it has not been specified on the face of the bill since the start date of the retention period will vary for different types of data (e.g. point of collection/transfer/cancellation). This level of detail will be worked up in the code of practice.
OPTIONS
12. Three options have been identified:
Option 1: Self-regulation
Option 2: Voluntary code of practice, and individual agreements
Option 3: Mandatory code of practice
ISSUES OF EQUITY AND FAIRNESS
13. None of the identified options would seem likely to discriminate against any particular element of society.
BENEFITS
14. The proposed provisions for the Bill reflect Option 2. This option appears to offer the best compromise between the conflicting risks of security, privacy and competition.
15. Option 2 will provide a framework for negotiation between the two groups of parties affected by the issue of data retention: the security, intelligence and law enforcement agencies and the communications service providers. It will ensure that the needs of law enforcement are addressed, without corralling communications service providers into an arrangement which is disadvantageous for their business interests. It also has the advantage of a high level of flexibility: agreements between the Government and individual service providers can be tailored to the business practices of each service provider.
16. The other two options have clear disadvantages: Option 1 would be unlikely to preserve the necessary data and may result in unequal implementation of the proposals. It would not give a clear role to the law enforcement community in negotiating the code of practice.
17. Option 3 would risk imposing substantial costs on industry which would severely impact business. Its advantages for the law enforcement agencies would be total clarity about what data is retained across the industry; and for communications service providers, less vulnerability to civil liability if they retain data longer than is needed for their own business purposes.
QUANTIFYING AND VALUING THE BENEFITS
18. Security and liberty are notoriously difficult to quantify, although highly valued. Similarly with competition, it is hard to state what the quantitative impact of the proposals will be on companies competitiveness.
19. In terms of international competition, these provisions are in line with legislation being introduced in other EU countries. UK business should not suffer unduly in comparison to competitors operating abroad as a result of these provisions.
COMPLIANCE COSTS FOR BUSINESS, CHARITIES AND VOLUNTARY ORGANISATIONS
Business sectors affected
20. The legislative proposals affect three key business sectors: public telecommunications operators, international simple voice resale providers, internet service providers, and postal carriers. Given the rapid development of technology in the telecommunications sector, it is expected that other groups will be affected in the longer term as technological innovations are introduced into the communications marketplace.
21. Public telecommunications operators (PTOs) are licensed under Sections 7 and 8 of the Telecommunications Act 1984, and their systems designated as public telecommunication systems under Section 9. They include some cable companies and mobile operators. In total they number around 280, although most of the market share is held by less than a dozen operators.
22. International simple voice resale providers (ISVRs) are licensed under Section 7 of the Telecommunications Act, and buy bulk international line space from PTOs to resell the calls. 570 were licensed by the Department of Trade and Industry as of November 2001, of which around 60% are currently active in the market.
23. Internet service providers (ISPs) are also licensed under Section 7 of the Telecommunications Act. The Internet Service Providers Association lists around 100 members, although not all of these are ISPs; and the London Internet Exchange lists over 80. In total there are now over 300 operating in the UK.
Compliance costs
24. Technically there will be no compliance costs since the proposal is for a voluntary code of practice. However, the Government hopes that retention periods will increase both as a result of industry negotiations during the consultation process and due to the increased protection from civil liability afforded by a statutory code which is admissible in legal proceedings.
25. Retention costs fall into three
categories: technical investment, technical running costs and staff costs. If
service providers are asked to retain more data for longer periods, they may
need to invest in new systems to hold and retrieve the data. These systems will
then have associated running costs. Managing the process will also require the
time of engineering staff and senior managers who will be diverted from their
core business functions. There may be associated recruitment and training costs,
together with increased time spent assisting the agencies or in court verifying
data produced as evidence.
26. Some of these costs are already incurred by service providers retaining data for their own business purposes, for which substantial retention capabilities may already exist.
27. Estimates vary upwards from £9m per annum across the industry. The costs to internet service providers are anticipated to be greater than those for public telephone operators, and have been estimated to be on average in the region of a few hundred thousands pounds per year for each provider.
28. However, the situation varies greatly from one firm to another according to infrastructure and retention practices. Therefore, the provisions and any compensation will be dealt with on a case by case basis: there would not be a "one size fits all" arrangement.
Total compliance costs
29. If the number of requests for access to communications data increases as a result of these provisions, this might lead to an increase in public authority spending on accessing communications data (a cost-recovery scheme is currently in operation). Alternatively, the number of requests could be capped by putting an upper spending limit on the budget for communications data requests.
30. The provisions placing a duty on the Secretary of State to put in place arrangements to compensate communications service providers for the costs of adhering to the code of practice or any agreements are consistent with similar provisions in the Regulation of Investigatory Powers Act 2000.
RESULTS OF CONSULTATIONS
31. Full consultation will take place in the context of drawing up the code of practice: the Secretary of State will have a statutory duty to consult with industry before issuing it.
32. Initial meetings with industry
representatives about the Government s proposals have already taken place: they
met with a cautious welcome. A report on current data retention practices in
industry was commissioned before the events of 11 September and has just
reported. It gives a good picture of the complexity of the issue. There is also
on-going consultation in the form of the Government Industry Forum and the
Association of Chief Police Officers Telecommunications Industry Liaison Group.
Further presentations have been planned with law enforcement agencies and
communications service providers respectively.
SUMMARY AND RECOMMENDATIONS
33. Option 2 offers the best solution in terms of offering clarity to both service providers and law enforcement about the lawful basis for retaining communications data and its availability, without having the high cost implications of Option 3.
34. Its main benefit lies in its flexibility, and adaptability to the business practices of each communications service provider by means of individual agreements. It can only work with industry co-operation, which the Government anticipates to be forthcoming, based on experience to date.
ENFORCEMENT, SANCTIONS, MONITORING AND REVIEW
35. A reserve power to introduce a mandatory code of practice under secondary legislation, subject to affirmative resolution, will also be put forward. This power will be subject to a review every two years, and discarded if no longer felt to be necessary.
Contacts:
Michael Gillespie
Organised and International Crime
Directorate
Queen Anne s Gate
50 Queen Anne s Gate
London
SW1H 9AT
Michael.Gillespie@homeoffice.gsi.gov.uk