Joint Committee On Human Rights Appendices to the Minutes of Evidence

1.  Comments of the Information Commissioner on the provisions of the Anti-Terrorism, Crime and Security Bill relating to the retention of communications data


  The Information Commissioner (the Commissioner) has statutory responsibility for promoting and enforcing the Data Protection Act 1998 (the 1998 Act). The Act sets legally enforceable standards in relation to the processing of personal data; it also gives the Commissioner a statutory duty to raise awareness and promote good practice in relation to the processing of personal data. The Act provides a number of safeguards to protect individuals where others are handling their personal information, but it also contains provisions modifying these where they would be likely to prejudice the prevention or detection of crime, the apprehension and prosecution of offenders or where national security would be affected. In short, the Act, and the European Union Directive upon which it is based, seek to balance respect for the privacy of individual citizens and the need of society to protect itself against criminal and other subversive activity.

  The Human Rights Act 1998 emphasises the need to interfere with individuals' rights only in limited circumstances and only to do so in a way that is proportionate to these other pressing needs. The Commissioner's role is to offer advice on how an appropriate balance is to be struck.


  The Commissioner has been aware for some time of pressure from the law enforcement community to require communications providers to retain details of communications data. This, it is claimed, would assist the detection of particular crimes and help with criminal intelligence gathering. Although such calls have been made it has not always been clear to what extent such retention is required beyond the period for which the communications providers would retain this for their own business reasons. Neither is it clear what additional retention is realistically required to meet the law enforcement community's investigatory needs. Questions relating to the extent of the information required have also remained largely unanswered. For example, are all aspects of communications data important or just those elements that may be described as "the connection data" (limited to matters such as IP address, connection times and calling line identity)?

  Important issues are the relevance of the personal data, the length of the data retention period for the needs of the law enforcement community and how far this goes beyond existing industry practice. Attaching the appropriate weight to these factors is necessary to avoid affecting the privacy of individual citizens disproportionately and also placing additional cost burdens upon communications providers in having to retain large collections of personal data and continue to manage these to the standards set down in the 1998 Act.

  The Commissioner is aware that the law enforcement agencies have taken action in relation to communications data to enable them to follow up particular lines of enquiry resulting from events on the 11 September. It appears that existing retention practices have not caused problems in pursuing these lines of enquiry. More routine law enforcement activities would, therefore, seem to be relevant when seeking a justification for continued retention.


  A number of the Act's provisions are relevant, but of most immediate significance is the requirement that personal data be held for no longer than necessary for the purpose for which they were processed. A data controller should not hold personal data for longer than necessary for its own purpose for processing the data (5th Principle). The Telecommunications Regulations 1999 introduce more specific provisions relating to traffic and billing data held by communications providers; the need for retention would be judged against the continued necessity for its business purposes such as for sending out a bill, dealing with a disputed matter or ensuring the security of the network.

  Other compliance issues can arise in connection with the need to process personal data fairly and lawfully, including having a legitimate basis for processing (1st Principle) and to ensure that data are relevant and not excessive in relation to the purpose for processing (3rd Principle). Communications data may contain, for example, in e-mail headers, information of a specially sensitive nature (such as health information). Directive 95/46/EC and the 1998 Act impose strict rules regulating the circumstances in which such data can be processed. Failure to comply with these Principles can lead to enforcement action by the Commissioner or legal action by an individual who suffers damage or distress as a result of the contravention.

  Continued retention of communications data by a communications provider beyond the completion of its own processing need, in order to satisfy the needs of others, is likely to contravene the 1998 Act's requirements. The clauses providing for retention based on the provision of a code of practice or agreement would not necessarily remedy the situation.

  The Bill raises a number of concerns about its compatibility with Convention rights. While the Bill might engage a number of Convention rights, the Commissioner's comments focus on the Article 8 right to respect for private and family life. The starting point must be that the proposed legislation will involve an interference with the Article 8 rights of individuals. The question is whether that interference can be justified under Article 8(2).

  The first requirement of Article 8(2) is that the measures proposed are "in accordance with the law". This requires that interference must have some basis in national law. The proposed legislation would satisfy this bare requirement. However, the phrase "in accordance with the law" in terms of the Convention further requires that the law concerned must be accessible and precise (ie foreseeable in its consequences). Where the state has power to carry out investigations involving an interference with the right to privacy, Article 8 requires a positive framework of legal rules circumscribing the exercise of any such power, and incorporating legally binding safeguards against abuse. The law must indicate the circumstances in which such interference can occur, its duration, and the limits of the authorities' powers. Without sight of the proposed statutory code of practice (clause 101(1)), any agreement with a communications provider (clause 101(2)) and/or secondary legislation (clause 102) envisaged under the proposed legislation it is not possible to assess what the legal framework will be in this area. There must therefore be a concern that the proposed legislation would be incompatible with Convention rights as it fails to satisfy this basic requirement for precision and foreseeability in the delineation of the Secretary of State's powers.


  This clause in the Bill provides for the Secretary of State to issue a code of practice relating to the retention by communications providers of data obtained or held by them. The Commissioner understands the attraction of the flexibility in such an approach, particularly where the precise needs have yet to be determined. The clause provides for the Secretary of State to include such provisions as he deems necessary for crime prevention and detection purposes. The clause provides no further guidance on the matters to be included in such a code or its relationship with the code produced under section 71 of the Regulation of Investigatory Powers Act 2000 dealing with the accessing of communications data. The lack of specific provision gives the Commissioner cause for concern that any code produced on the basis of the clauses contained in existing draft provisions would have a number of significant defects particularly in terms of compliance with the requirements of the Human Rights Act. The continued absence of clarity as to what information is necessary for law enforcement purposes, what the realistic retention needs of these agencies amount to and the effect on those who seek to comply with the code's provisions present real difficulties.

  The Bill pursues the legitimate aims of national security, public safety and the prevention of disorder or crime. Article 8(2) imposes a further requirement that any interference be "necessary in a democratic society", ie that it fulfils a "pressing social need" and is "proportionate" to the legitimate aim pursued. The scope of the powers proposed to be given to the Secretary of State is immensely broad. The lack of any overt safeguards against abuse of such powers indicates a lack of proportionality such as to render the prospective legislation incompatible with Convention rights.

  The extent to which communications data expose private life varies. Some data reveal either directly or by implication the content of messages. It appears that those that are least revealing may be those that are of most value to law enforcement agencies. Application of the principle of "proportionality" requires that any proposals for retention address communications data item by item. A proportionate and human rights compliant approach would restrict retention to these less revealing and more valuable data.

  The Commissioner is also concerned that a communications provider would not be in a position to have confidence that adherence to the code's provisions would ensure compliance with the 1998 Act. As set out above, a number of the Act's requirements would be relevant particularly regarding processing data for no longer than necessary for the business purpose, but also in relation to having a proper basis for processing and the need to ensure data are not excessive. The clause provides for the admissibility of the code in legal proceedings. This would have the effect that the code could be taken into account by the Commissioner when assessing the processing for compliance or deciding upon enforcement action. However, the simple existence of a voluntary code containing provisions relating to retention would not necessarily mean that such periods were relevant to judging whether data are held longer than necessary for the communications provider's own purposes. Once data were no longer needed for the purposes of the communications provider, they should be deleted. The proposed legislation imposes no duty to retain for the law enforcement purposes of public authorities; it is not clear how the simple power proposed can overcome the duty to delete imposed by the 1998 Act. Concerns over Human Rights Act compliance would further weaken the reliance to be placed on such a code in an enforcement context.

  The clause also contains a provision relating to the Secretary of State entering into "agreements". Any such agreement would suffer from all the defects described above in relation to the code of practice. This provision has the additional problem of creating uncertainty about the relationship between an existing code and a specific agreement with a particular provider. It is not clear whether such an agreement could weaken or otherwise alter provisions set down in the proposed code benefiting from previous consultation with interested parties. This lack of precision as to effect and consequences underscores the concerns about the propriety of such an approach.

  The clause provides for consultation with communications providers at the point of production or revision of a code. There are a number of other interested parties who should be involved in any consultation process. Given the Commissioner's role in enforcing legislation affecting the retention of data it is essential that she be included formally in the consultation process. Given that it is individuals whose data will be retained and possibly accessed by third parties then consideration should be given to consulting formally on a Code with appropriate representatives of the wider community. An appropriate model may be found at section 51(3) of the 1998 Act as this requires the Commissioner to consult with both trade associations and representatives of data subjects as appear appropriate prior to production of a data protection code of practice. The final code should also be drawn to the attention of affected parties not just to communications providers.


  If there is a need to retain data for longer than a communications provider would for their own purposes in order to prevent and detect crime then a statutory duty to retain would provide the necessary certainty for communications providers that such retention would not contravene the 1998 Act. If continued retention is necessary then this approach should be adopted rather than left as an alternative to be considered at a later date. A statutory duty would provide a proper basis for processing by a communications provider.

  Although a statutory duty to retain is attractive, the mechanism envisaged by this clause is problematic. Although the Secretary of State requires an order before he can make directions, the order making power does not appear to result in the direction itself being subject to the same scrutiny. The inclusion of a requirement for an order to specify a maximum period for retention permitted in any direction is helpful. However, once the Secretary of State has the power then, subject to any necessary consultations, he will still enjoy a substantial amount of discretion over the content of any directions. This is of concern.

  The clause provides for consultation with communications providers before the Secretary of State issues a direction. The earlier comments in relation to consultation on codes of practice and agreements are equally relevant here. The Commissioner would expect to be consulted formally about directions applying to communications providers.

  The inclusion of a provision (clause 103) causing the order making power to lapse if unused for two years is a helpful mechanism to ensure scrutiny of the continued need for such a power. However, there is no linkage between the taking of the power and the issuing of directions. It is possible that the power could be taken to preserve the possibility of directions at a later date.


  If communications providers are expected to retain data beyond their own needs this will inevitably incur an additional financial burden not only in terms of storage but also in relation to the cost of ensuring that they hold the data to the standards set by the 1998 Act. They must, for example, ensure appropriate security and facilitate individuals' access rights. It is not for the Commissioner to comment on the propriety of reimbursing costs; however, consideration should be given to establishing a regime that reinforces the need for those seeking retention to act in a proportionate manner.


  The time available for consideration of this important issue may mean that other options that might have a lesser impact in terms of personal privacy are not explored. Consideration could be given to the possibility of establishing a trusted third party who would retain the communications data (perhaps in an encrypted form with restricted access to the keys) beyond the needs of the communications provider. Such a third party would need to be independent of the law enforcement community, communications industry and government: some form of judicial control might be appropriate.

  Consideration should also be given to the need to preserve data in specific circumstances rather than rely on a long period of general retention. Law enforcement agencies in many instances become aware of the need to access communications data quite soon after a crime has been committed although they may not possess the resources to examine the data before deletion. A facility to preserve communications data in limited specified circumstances might be worthy of consideration.


© Parliamentary copyright 2001
Prepared 5 December 2001