Feature 'What are the Government's plans to retain and access data on UK citizens?'

The Home Office conducted a consultation in June 2003 about the development of a voluntary code of practice to be applied to the implementation of data retention.

In addition, a parallel consultation looked at the rules governing access to such data by a wide range of government bodies, under the Regulation of Investigatory Powers Act.

On September 12th, the The Home Office laid Regulation of Investigatory Powers orders before parliament. They will now be passed to various committees and the House of Lords for debate.

In their responses to the laying of orders, the Internet Service Providers Association and Human Rights groups maintain their recommendations to ISPs that they do not subscribe to the voluntary code of practice under the Home Office’s data retention proposals.

CONTENTS	1. Consultation	2. Background
3. Access to communications data	4. Voluntary retention of data	5. Campaigns
6. Resources

Consultation documents	GreenNet responses	FIPR responses	ISPA UK responses
Access to communications data	[ ]	[ ]	[ ]
Voluntary retention of communications data	[ ]	[ ]	[ ]

Background The Anti-Terrorism Crime and Security (ATCS) Bill was introduced as emergency legislation following the attacks in the United States on 11th September 2001.

The Bill was first read on November 12 2001. A consultation period with industry, human rights groups and other stakeholders with a view to developing the detail of a Code of Practice. It received Royal Assent on 14th December 2001.

The ATCS Act contains a number of measures which aim to deal with 'terrorism' and protecting 'national security'. Read the Toolkit Briefing on the ATCS and related issues here >>

Part 11 of the ACT (Retention of Communications Data) is the section that deals most significantly to telecommunications companies and Internet Service Providers. It enables the Secretary of State for the Home Department to draw up a voluntary Code of Practice to allow Communication Service Providers (CSPs) to retain data for use by law enforcement agencies in their investigations.

Under the Regulation of Investigatory Powers Act 2000, the Home Office attempted to authorise a more extensive list of public authorities that could access communications data (June 2002). If passed, this would have allowed every local authority and a number of other public bodies to have access to phone, email and Internet data, without judicial oversight. Until then, such powers had been the domain only of the police, MI5, MI6, the government listening post GCHQ, customs and excise and the Inland Revenue.

Following significant public opposition, the Home Office was forced to temporarily withdraw the proposal but is now attempting once again to extend access to communications data to additional public authorities and to propose a voluntary code of conduct for communication service providers to follow. Even though the number of authorities has been reduced, the Home Office proposals will still have a significant impact on the privacy of individuals in the UK according to human rights activists at the "Scrambling for Safety 6" conference organised by the Foundation for Information Policy Research (FIPR) and Privacy International. The summary below outlines some of the main concerns of the human rights organisations, privacy groups and commercial ISPs who are opposed to the proposals.

Access to communications data

According to the Home Office, the aim of this document is to extend access to communications data to additional public authorities in order to ‘protect the public from crime.’

Those who are opposed to government proposals cite a number of concerns including:

Lack of judicial oversight: According to current practice and proposals, access to documents by public authorities does not require approval by the judiciary in order to determine whether the need to access such information is proportional to the individual's right to privacy. According to Privacy International, for example, ‘BT has fully automated its service to government to the point where any information on any BT customer going back seven years can be obtained by any authorised government agency merely by sending an email.’ Many believe that the current proposal to allow access to communications data without judicial oversight contradicts the European Human Rights Act that states that there must be sufficient reason to interfere with personal data.

Cost and liability: Smaller ISPs are especially concerned with the high costs of retaining and, more importantly, servicing requests for data from public authorities. ISPs are also concerned that, if they do subscribe to the voluntary code, they may subsequently be prosecuted by users if their actions are considered unlawful according to human rights law.

Extent of surveillance: Authorities that currently have access to communications data make approximately half a million requests for communications data annually (http://www.homeoffice.gov.uk/docs/consult.pdf, Chapter 2, para. 6). According to a number of sources, there has been an exponential rise in data requests in recent years. There is a concern that this number will increase when access to communications data is extended to additional authorities.

Data preservation rather than retention: Many ISP’s favor a lower impact scheme of targeted data preservation, where service providers would retain data on specified individuals at the request of the police, rather the current retention proposals which propose to retain data ‘in case’ it becomes useful in the future. Communication service providers have asked the government to show why the current system is insufficient.

Voluntary retention of data

According to the Home Office, the intention of the ‘Voluntary Code of Practice’ is ‘to outline how communication service providers can assist in the fight against terrorism by meeting agreed time periods for retention of communications data that may be extended beyond those periods for which their individuals company currently retains data for business purposes’ (page 20).

According to human rights groups such as Privacy International, ISPs have long complained to government about the subsidy that would be required to make data available to government authorities, where the most critical threat that is being ignored by such groups is, in fact, the privacy rights of their customers.

In many ways, a code that seeks to clarify the role and responsibility of service providers in retaining data would be welcome, especially for consumers whose data is often held for unlawful periods and distributed to other agencies. This code, however, should also develop an effective oversight and complaints mechanism to allow redress for users and should engender the trust of users in the security of the system.

The issue of trust is critically important for groups that use the Internet to allow, for example, women’s groups that support victims of abuse and trafficking, to have a private space where they are able to express themselves free from the threat of surveillance. For such groups, privacy concerns are critical to their use of the Internet for the purpose of supporting individuals who, if it were not for the medium of the Internet, would otherwise not be given this opportunity.

Many ISPs have not developed internal policies on data retention, and are, in fact, accumulating vast amounts of personal information about their customers for periods that are illegal under current Data Protection Act 1998. The government has proposed to subsidise service providers to retain and service access requests for their customers’ data, but what may be more effective, according to one ISP, would be to subsidise the development of ethical codes of practice for the industry on data retention. Such codes, detailing the process by which communication data may be accessed by authorities and under what conditions, would assist in developing the trust and accountability factors necessary for the growth of the industry in this country.

Campaigns

'Know Your Data' is a campaign launched by Privacy International that calls on UK consumers to demand access to their records held by telephone, mobile and Internet companies. Visit the site to obtain model letters that request records from telecommunications companies under the Data Protection Act 1998. You can modify the letters to include your personal and account information and cut and paste the address for the company you are writing.

Resources

Download these slides to find out exactly what data is logged by ISPs when a user logs onto the Internet.

Read the fact sheet on data retention to find out the basics

"Scrambling for Safety 6" was a conference that brought together representatives from government, industry and human rights organisations to discuss the issues that these documents raise with interested members of the public.

The Foundation for Information Policy Research (FIPR) has a resource page on 'Communications Data' which explains the concerns, gives links to campaigns and links to latest news on the issue.

What can *you* do?

Download the data protection toolkit briefing to find out about the protection of privacy and your rights to information held by others about you (PDF >>)