Tag Archive for 'communications service providers'

3.3 The Safeguards

This document proposes a way in which the current capability to store and access communications data can be maintained in the face of technological change. As far as possible the proposals reflect the arrangements which are currently in place.

The Government does not intend to pursue an approach which involves storing all communications data required by public authorities in a single place under Government control. Communications service providers will continue to collect and store data in their own data stores.

The regulations governing access to data will continue to be separate from the regulations governing its retention. As is currently the case, public authorities will only be able to acquire communications data on a case-by-case basis from service providers under the strict regulatory framework provided under RIPA. Public authorities will only ever access a very small proportion of the data that communications service providers will continue to collect and retain and will do so primarily in the context of a criminal investigation or threat to life.

In all of the options discussed in this document, the range of strict statutory safeguards, currently provided by RIPA (set out in Part 1) would continue to apply. In summary, these are that:

* Data which has been retained can only be accessed by public authorities for a purpose stated in law;

* Data can only be obtained by a public authority specified in legislation, and only when authorised by a senior officer, holding a rank, office or position also specified in legislation;

* Data can only be obtained by a public authority when it is necessary in a given investigation;

* Data can only be obtained by a public authority when the interference with privacy that it will cause is proportionate;

* There is a statutory code of practice setting out how the legislation should be used and operated;

* There is external independent oversight of the application of the law, provided by the Interception of Communications Commissioner (currently Sir Paul Kennedy, a former High Court judge);

* There is a right of complaint to the Investigatory Powers Tribunal if a member of the public believes that their data has been acquired unlawfully.

Independent oversight would also continue to be provided by the Information Commissioner to ensure data protection principles were being observed.

Furthermore, an additional safeguard is provided through the offences contained in the Data Protection Act 1998 and the Computer Misuse Act 1990. These would ensure that appropriate penalties would exist for anyone who sought to either gain unauthorised access to (“hack”) or modify any communications data held on a computer system, and that penalties also existed for those who tried to obtain or disclose, or procure the disclosure of, communications data in such a system without a lawful authorisation or notice under RIPA[15].

In addition to these safeguards, a statutory limit would be imposed on the duration for which additional data collected by communications service providers could be retained. This would relate to the data that service providers were required to collect and keep by law from services that were not offered by them, but which crossed their networks. The statutory limit would be set at 12 months, in line with the voluntary code approved under the ATCSA and in line with the UK transposition of the EU Data Retention Directive.

This period might need to be extended in specific cases in certain circumstances – where the data was needed for specific legal proceedings. Any such exemptions would also have to be set out in primary legislation. After the retention period all retained data would be destroyed in line with data protection principles.

With regard to technical and physical safeguards, the confidentiality and integrity of communications data throughout the system will be ensured by working with communications service providers, suppliers and designated public authorities. Physical and procedural security will ensure no single point of vulnerability.

Procedurally, compliance with the HMG Security Policy Framework, the obligations of the Data Protection Act and applicable guidance from the Information Commissioner’s Office will be enforced. Acquisition of communications data will be limited to those who have a need to know following properly authorised requests. Information will be destroyed once its designated period of retention has expired.

Physical and technical security safeguards will include:

* physical and system access control to prevent unauthorised access, amendment or removal of data;

* accredited secure communications networks for the transport of sensitive information;

* encrypted stored data where appropriate;

* security monitoring and audit to ensure compliance and to detect any attempts to breach security.

Built-in management information systems will aid external scrutiny such as that provided by the Interception and Information Commissioners.


15. Under the Computer Misuse Act 1990 (as amended), the maximum penalty for the unauthorised access offence (“hacking”) is currently 2 years’ imprisonment, on conviction on indictment. Under the same Act, the maximum penalty for the unauthorised access offence with the intent to commit further offences (e.g. to gain access to sensitive information held on the computer with a view to blackmailing the person to whom that information related) is 5 years’ imprisonment, on conviction on indictment. Unauthorised acts with intent to impair the operation of a computer carry a maximum penalty on conviction on indictment of 10 years’ imprisonment. Unlawful obtaining or disclosure of personal data is an offence under the Data Protection Act 1998, attracting a fine on conviction on indictment.

3.2 A range of approaches

The Government has no plans to create a centralised database to store all communications data.

This would require the collection and retention of both communications data relating to the services offered by UK communications service providers, and also the additional third party data from services that UK communications service providers do not offer but that are carried over their networks.

This data would then be sent in near real time to a single location at which it would be stored. All this data would then be automatically arranged and organised, where appropriate, to enable subsequent lawful queries from public authorities to be answered quickly and effectively and in the timescales required, in accordance with the relevant safeguards.

This approach would have several advantages. It would be the option most likely to come close to maintaining the historic capability of public authorities in their use of communications data. It would be the most effective at delivering fast and efficient access in support of the law enforcement and intelligence agencies and emergency services; the least challenging technically to implement; and the cheapest to build and run.

However, this approach would also represent the most significant shift from the current system. Today, communications data is collected and retained by different companies in separate locations. Under this approach, all the data would be held together in one place.

The Government recognises the privacy implications in holding all communications data from the UK from a 12-month period in a single store. The Government therefore does not propose to pursue this approach.

There are, therefore, only two further options, which are outlined in section iii) below (“A middle way?”).

II. Doing nothing

This document has already set out the impact of changing communications technology on the way communications data is currently used by the law enforcement and other agencies. Failure to take action would leave only a limited and diminishing capability to continue to use communications data for the purposes for which it is currently used.

Nor is the use of communications data easily substituted by using other covert investigative methods, also regulated under RIPA. These techniques are more expensive, more manpower-intensive and slower. They cannot provide a record of a past event where communications data can. Communications data is generated by every communications event and it can therefore give an historical account of what happened to both criminals and victims. Other approaches would be much more intrusive, requiring physical or technical surveillance of a much larger number of people than is presently the case (or than current resources permit). Such techniques are also more high-risk and therefore less secure for both the public and the investigating agencies.

Jon Murphy, National Co-ordinator for Serious and Organised Crime for the Association of Chief Police Officers (ACPO), has said:

“The access to communications data is a fundamental investigative capability which is used daily by police officers to investigate serious crime and save lives, as well as being used routinely as a core element of the prosecution evidence in court. I could not contemplate a situation whereby law enforcement agencies were deprived of such crucial and compelling information.”

The Government therefore believes it would be failing in its duty to protect the public if it allowed the capability of public authorities to use communications data to degrade and made no effort to address it. Doing nothing is not therefore an option.

A middle way

The Government is therefore consulting on a range of “middle way” options that seek to balance the rights to privacy and security.

These options are all based on the model for collecting and retaining data that exists today: the communications service provider would collect the data and store it and allow access by the authorities on a case-by-case basis under RIPA. All the data would therefore continue to be distributed around and held by different communications providers.

As a first step, the Government would legislate to ensure that all the data that public authorities might need, including the third party data, is collected and kept in the UK. Communications service providers based in the UK would therefore continue to collect and retain communications data relating to their own services but also collect and store the additional third party data crossing their networks. This would therefore include communications data which does not come under the scope of the EU Data Retention Directive.

All the data retained by the communications service providers would continue to be accessible on a case-by-case basis to public authorities, subject to the same rigorous safeguards that are now in place.

This option would put additional demands on industry, especially around the collection and retention of third party communications data not required for the business purposes of communications service providers. The Government is therefore actively seeking the views of industry on these proposals through this consultation.

This option would resolve the problem that some communications data which may be important to public authorities will not otherwise be retained in this country. However, it would not address the problem of fragmentation: as data is increasingly held by a wider range of communications service providers, it might take longer than it does at present to piece together data from different companies relating to one person or communications device. The current capability would therefore diminish.

To mitigate this problem the Government would require communications service providers not only to collect and store data but to organise it, matching third party data to their own data where it had features in common (for example, where it relates to the same person or to the same communications device). This would require additional legislation.

Organising data together would help to ensure that communications service providers would be better able to respond to a request from public authorities for all the data relevant to a specific communications device or subscriber. It would significantly decrease the turnaround time for requests and in life-threatening situations greatly help public authorities. In particular, where all the data that a public authority needed for an investigation was held by one communications service provider, this option would mean it was available quickly in a readily understandable form.

To maintain the capability set out in this document, the Government recommends taking the steps outlined above, specifically: that it legislates to ensure that all data that public authorities might need, including third party data, is collected and retained by communications service providers; and that the retained data is further processed by communications service providers enabling specific requests by public authorities to be processed quickly and comprehensively.

To assist us in complying with Better Regulation requirements this document is intended to stimulate discussion and elicit views both from those likely to be affected and any interested stakeholders. Any legislative provisions brought forward following this consultation will be accompanied by a fully developed and robust Impact Assessment measuring the impact on the public, private and third sectors. Specific impact tests required alongside the Impact Assessment, such as the construction of an Equality Impact Assessment, will also be addressed.

Costs

The range of options would offer different levels of benefits to the public authorities, such as the law enforcement and intelligence agencies. Different options among the ranges available would also incur different levels of cost. Initial estimates of the implementation costs of the range of options discussed above are up to £2bn. This figure is a high level budgetary estimate of the economic costs[14]. As provided for in RIPA, the Government is required to ensure arrangements are in place to make reasonable contributions to communications service providers towards the costs incurred by them in complying with the Act’s communications data requirements.


14. These estimates cover all the options considered in this paper, except the ‘Do Nothing’ option.

1.4 Access to communications data by public authorities and privacy: the safeguards

There is an important distinction to be drawn between the collection and retention of communications data by communications service providers and the acquisition of that data by public authorities in accordance with the requirements of the law. The vast majority of all communications data that is collected and retained today is never accessed by public authorities. The ability for public authorities to acquire stored communications data on a case-by-case basis to support investigations is also supported by strong safeguards so that access by public authorities to any of that data is tightly controlled.

I. The European Convention on Human Rights and the Regulation of Investigatory Powers Act

The acquisition of communications data by public authorities is regulated by RIPA. This legislation has a series of strict safeguards intended to ensure that the acquisition of communications data by public authorities is fully compliant with the European Convention on Human Rights.

Since much of communications data is personal information (on where people live or where they are using a mobile telephone, for example), its retention and subsequent access by public authorities interferes with an individual’s right to respect for private and family life under Article 8 of the European Convention on Human Rights. Article 8(1) states that:

“Everyone has the right to respect for his private and family life, his home and his correspondence.”

Article 8 is, however, a qualified right which means that any interference with an individual’s rights by the state is permissible so long as it is necessary (and not just reasonable) for a legitimate aim[7] and proportionate. Furthermore, the interference must have a clear legal basis.

RIPA put a regulatory framework around a range of investigatory powers to do just this. Specifically, Part I Chapter II of RIPA sets out a strict regime for the acquisition and disclosure of communications data:

* Data which has been retained can only be accessed by public authorities for a purpose stated in law;

* Data can only be obtained by a public authority specified in legislation, and only when authorised by a senior officer, holding a rank, office or position also specified in legislation;

* Data can only be obtained by a public authority when it is necessary in a given investigation;

* Data can only be obtained by a public authority when the interference with privacy that it will cause is proportionate;

* There is a statutory code of practice setting out how the legislation should be used and operated;

* There is external independent oversight of the application of the law, provided by the Interception of Communications Commissioner (currently Sir Paul Kennedy, a former High Court judge);

* There is a right of complaint to the Investigatory Powers Tribunal if a member of the public believes that their data has been acquired unlawfully.

Communications data may only be acquired[8]:

* in the interests of national security;

* for the purpose of preventing or detecting crime or preventing disorder;

* in the interests of the economic well-being of the UK (where a threat to this may threaten national security);

* in the interests of public safety;

* for the purpose of protecting public health;

* for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department;

* for the purpose, in an emergency, of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health;

* to assist investigations into alleged miscarriages of justice;

* for the purpose of:

i. assisting in identifying any person who has died otherwise than as a result of crime or who is unable to identify himself because of a physical or mental condition, other than one resulting from crime, or

ii. obtaining information about the next of kin or other connected persons of such a person or about the reason for his death or condition.

Public authorities that have requirements to gain access to communications data under RIPA must also be specified in the Act itself or designated in an order approved by Parliament. Authorisations to obtain communications data must be approved by a person holding a senior office, rank or position with the relevant public authority specified by Parliament to be able to do so.

Restrictions also apply to the purposes (listed above) for which individual public authorities may acquire communications data and the types of communications data they may acquire. So, for example, a local authority can only obtain communications data if a senior individual with that authority (i.e. an Assistant Chief Officer or Assistant Head of Service level or equivalent) believes that it is necessary and proportionate to obtain the data and only then for the purpose of preventing or detecting crime. With respect to the different types of communications data, more detail on which is provided in Annex B, local authorities are only permitted to acquire subscriber information (e.g. registered name and address) and service usage information (e.g. numbers called from a telephone). They are not entitled to acquire traffic information – such as location information on a mobile phone.

II. Necessary and Proportionate

To satisfy the tests of necessity and proportionality, the authorising officer must first consider whether obtaining communications data is necessary for a statutory purpose. A police superintendent overseeing the work of an investigation team can only grant an authorisation if he believes that acquiring the data is necessary to prevent or detect crime. Furthermore, the designated person – in this case the superintendent – may not be directly involved in the investigation for which the authorisation is sought[9].

In determining proportionality, the authorising officer must consider whether securing the objective in a specific case, for example preventing a particular crime or apprehending an offender, justifies the level of intrusion into privacy caused by the acquisition of the communications data.

Only if the authorising officer believes that obtaining the communications data would be both necessary for a statutory purpose, and proportionate to what is sought by obtaining the data, can an authorisation be granted.

A code of practice, approved by Parliament, provides more detailed guidance to public authorities seeking access to data under RIPA. This code of practice is available online at: http://security.homeoffice.gov.uk/ripa/publication-search/ripa-cop/acquisition-disclosure-cop.pdf?view=Binary

III. Training for Communications Data Investigators

Communications data investigators – who work in law enforcement, intelligence agencies, and other public authorities – are normally highly specialised and undergo significant levels of training.

The single point of contact system (SPoC), extended beyond police to all relevant public authorities following the enactment of RIPA, created trained and accredited experts in each public authority who understand how to interpret the information that is held by communications service providers. This group, trained partially by industry to know what data is available to support investigations, helps to ensure effective working relationships between investigators and companies.

These communications data experts offer advice and assistance to investigating officers in their public authorities, making sure that they fully understand what questions to ask, and what data to ask for. They can also provide advice on the least intrusive way to obtain the information that public authorities need, and the likely level of impact on privacy of asking a given question of a communications service provider.

IV. Further Safeguards and oversight of RIPA

The process for obtaining communications data is rigorous. But there are also stringent statutory oversight arrangements to make sure the system works in practice. The Interception of Communications Commissioner keeps under review the powers and duties conferred by Chapter II Part I of RIPA. The person appointed as the Interception of Communications Commissioner must hold or have previously held a high judicial office. It is currently held by the Right Honourable Sir Paul Kennedy.

Oversight by the Interception of Communications Commissioner ensures that the authorisation procedures for obtaining communications data created by RIPA are applied lawfully and consistently. Part of the Commissioner’s role is to protect people in the United Kingdom from any unlawful or unnecessary intrusion into their privacy.

The Commissioner has a team of inspectors who visit public authorities and examine the quality of decision-making and the use made of the data obtained, working to ensure that public authorities fulfil the requirements of the law set out in RIPA and its statutory Code of Practice. Inspections of public authorities take place throughout the year, and the Commissioner reports annually to the Prime Minister. His report is laid before Parliament.

These inspections look at a proportion of the cases where communications data has been acquired, and ensure that the authorising officer was of the necessary rank, and went through a full and thorough process of considering necessity and proportionality. The code of practice requires every relevant public authority to have a senior responsible officer who must be responsible for the integrity of the process to acquire communications data and, where necessary, to oversee the implementation of recommendations from inspections.

Furthermore, if any person believes that any of his communications data have been acquired unlawfully under RIPA, he is entitled to address a complaint to the Investigatory Powers Tribunal. This Tribunal has full powers to investigate and decide any case within its jurisdiction, which includes the acquisition and disclosure of communications data under the Act. The Tribunal is made up of senior members of the judiciary and the legal profession and is independent of Government.

The Tribunal can be contacted through: http://www.ipt-uk.com/


Regulation of Investigatory Powers Act 2000 – Acquisition and Disclosure of Communications Data.

Safeguards in brief:

* Any individual request to obtain communications data must be made by a “relevant public authority” specified by Parliament in accordance with Chapter II of Part I of RIPA;

* Each request must be necessary and proportionate in order to be granted;

* Each request can only be for one or more of the grounds set out in section 22(2) of RIPA (listed on page 17);

* The Interception of Communications Commissioner has a duty to keep under review the use of the statutory powers;

* The Investigatory Powers Tribunal has jurisdiction to examine claims or complaints relating to these powers.


V. The Data Protection Act 1998

Because communications data will often include personal data about the subscriber or user of a communications service, it is also subject to the provisions of the Data Protection Act 1998.

This Act works in two ways. First, it provides that anyone who processes personal information must comply with eight principles designed to ensure that personal information is:

* Fairly and lawfully processed;

* Processed for limited purposes;

* Adequate, relevant and not excessive;

* Accurate and up to date;

* Not kept for longer than is necessary;

* Processed in line with a person’s rights;

* Secure;

* Not transferred to other countries without adequate protection.

Secondly, the Act provides individuals with certain qualified rights, including the right to find out what personal information is held about them by businesses and organisations, subject to certain exclusions set out in the Act, for instance where national security might be undermined. The Act also provides a framework to ensure that personal information is handled properly.

The Information Commissioner, appointed under the Data Protection Act, has various powers of enforcement and oversight, including:

* The power to serve enforcement notices on data controllers who have contravened or are contravening any of the data protection principles; and

* The power to assess whether personal data is being processed in compliance with the provisions of the Act.


7. A “legitimate aim” under article 8 of the ECHR includes the aims of national security, public safety, protection of the economy, prevention of crime, the protection of health or morals or the protection of the rights and freedoms of others.

8. The statutory purposes for which communications data may be accessed are listed in RIPA, Part I, Chapter II and in its associated statutory instruments: Statutory Instrument 2003 – Number 3172: http://www.opsi.gov.uk/si/si2003/uksi_20033172_en.pdf; Statutory Instrument 2005 – Number 1083: http://www.opsi.gov.uk/si/si2005/20051083.htm; Statutory Instrument 2006 – Number 1878: http://www.opsi.gov.uk/si/si2006/uksi_20061878_en.pdf

9. This additional requirement is imposed by virtue of Paragraph 3.11 of the Code of Practice on the Acquisition of Communications Data.