Investigatory Powers Bill
Written evidence submitted by Dr C. N. M. Pounder, Amberhawk Training Limited (IPB 51)
Suggestion for an amendment to the Investigatory Powers Bill to apply the Data Protection Act to the Processing of Personal Data by the National Security Agencies
1.1 This contribution suggests amendments (see sections 6 and 7) to ensure that data protection considerations are included in the double lock protection of the Investigatory Powers Bill ("IP Bill").
1.2 In my evidence to the draft IP Bill Committee ("Amberhawk Training Limited; evidence to the draft IP Bill Committee published as (IPB0015)"), I stated that any national security exemption from the Data Protection Act (Section 28) should form part of the warrant procedures so that the exemption is honed to fit the purpose of any bulk personal dataset acquisition. This is especially the case as "the nature of the set is such that it is likely that the majority of the individuals are not, and are unlikely to become, of interest to the intelligence service in the exercise of its functions" (bulk personal dataset definition: Clause 174(1)(b); my emphasis).
1.3 The draft IP Bill Committee agreed with my recommendation; however, the Government in its response to the Committee indicates that it is NOT going to implement the Committee’s recommendations. Without an amendment of the form I suggest in this document, data protection considerations will NOT be subject to the double lock protection.
A. The Committee should implement amendments that ensure that the national security exemption in the Data Protection Act should be applied as part of all warrant application approvals (e.g. whenever a bulk personal dataset is collected). In this way, the double lock applies to the processing of personal data subject to the national security exemption every time the exemption is needed.
B. Similar amendments should apply to the collection of any personal data using warrant powers in this Bill. (I have not drafted these, as I assume the Committee will first want to discuss the principle of such inclusion).
C. If no amendment is made, then Ministers will be able to sign a few general Section 28 national security certificates to exempt the Data Protection Act for all bulk personal dataset collections for well into the future. No double lock will apply.
2. Recommendations from the draft IP Bill Committee
2.1 The Committee that considered the draft Bill recommended:
"We acknowledge the importance of data protection in relation to EI activities. We recommend that the assessments undertaken by Judicial Commissioners when authorising warrants should give consideration to data protection issues". (Para 52 of the Conclusions and Recommendations of the Committee).
"We believe that a draft Code of Practice on BPDs should be published when the Bill is introduced to provide greater clarity on the handling of BPDs, not least in relation to the provisions of the Data Protection Act 1998. To the greatest extent possible, the safeguards that appear in the Data Protection Act 1988 should also apply to personal data held by the security and intelligence agencies" (Para 74 of the Conclusions and Recommendations of the Committee).
2.2 This was the position I stressed to the Committee in my evidence which gives further background to the amendments that I propose (see "Amberhawk Training Limited-written evidence to the draft IP Bill Committee published as (IPB0015)").
2.3 The Government’s response to this was to state that the national security agencies were already subject to the Data Protection Act unless an exemption applied. Such an exemption "is required for the purpose of safeguarding national security. By virtue of section 28(2) of the DPA, a Minister may certify that exemption from the Data Protection Principles is so required".
2.4 The response also confirmed that Ministerial Certificates have been issued for each of the security and intelligence agencies (SIA) and
"those certificates certify that personal data that are processed in performance of their functions are exempt from the first, second and eighth data protection principles (and are also exempt in part from the sixth data protection principle)"
"the certificates do not exempt the SIA from their obligation to comply with the Fifth and Seventh Data Protection Principles (dealing with retention and security of processing)"
2.5 It is clear that the Government intend to continue the Section 28 certificated exemption from the Data Protection Act; this is confirmed by paragraph 11.9 of the Code of Practice relating to bulk personal data:
"Each of the Security and Intelligence Agencies (SIA) is a data controller in relation to all the personal data that it holds. Accordingly, when the Security and Intelligence Agencies use any bulk data that contain personal data, they must ensure that they comply with the Data Protection Act 1998 (except in cases where exemption under section 28 is required for the purpose of safeguarding national security)".
2.6 However, this approach ignores the key facts about national security certificates; once they are signed by the relevant Cabinet Minister (e.g. Home Secretary), they exist for all time, unless they are reviewed. These certificates are outside the double lock protection of the IP Bill when they should be inside the double lock.
2.7 The timeless nature of the Certificates is illustrated by the Investigatory Powers Tribunal case involving Privacy International in October last year (UKIPTrib 13_77-H; delivered on 05/12/2014, paragraph 19). In statements made to the Tribunal, the barrister for GCHQ produced a certificate signed by David Blunkett thirteen years previously (in 2001) to show that key obligations in the Data Protection Act were exempt. This to my mind is unacceptable as it implies that all Ministers since Mr. Blunkett may be unaware of any Certificate signed by him.
3. Messages that the national security agencies are sending.
3.1 In summary, the Government propose that the national security agencies continue to apply the wide certificated exemptions from the First, Second and Eighth Data Protection Principles (see bottom of page 2 of this document). For completeness the First, Second and Eighth Data Protection Principles state:
"1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes".
8. "Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data".
3.2 If the IP Bill is enacted in its current form, the application of the national security exemption subject to Ministerial Certificate as described above will continue.
3.3 In particular, the exemption from the First, Second and Eighth Data Protection Principles will mean the national security agencies will be sending completely the wrong message. Such messages could undermine public confidence in these services. For instance, it can be clearly seen that:
i. The First Data Protection Principle contains a requirement to process personal data "lawfully". If this is exempt, the message sent is that the national security agencies would like some processing of personal data to be "unlawful" in terms of this Principle.
ii. The First Data Protection Principle contains a requirement to process personal data in accordance with a Schedule 2 condition; in the context of national security this condition is that the processing "is necessary for the exercise of any functions conferred on any person by or under any enactment". If this provision is exempted, it sends the message that the national security agencies do not want to limit their processing of personal data to that processing "which is necessary for their functions established by or under an enactment" (e.g. NOT necessary for their statutory functions as required by the IP Bill).
iii. Similarly, if the First Data Protection Principle requirement to process sensitive personal data (e.g. medical records) in accordance with a Schedule 3 condition is exempt, then this also sends the message that the national security agencies do NOT want to limit their processing of sensitive personal data "for the exercise of any functions conferred on any person by or under any enactment".
iv. The Second Data Protection Principle contains a requirement to process personal data in a way that is NOT incompatible with the purpose of obtaining. If this is exempt, the message sent is that the Government wants to allow the national security agencies to process personal data in a way that can be incompatible with the national security, terrorism or serious crime purposes.
v. If the Eighth Data Protection Principle requirement is exempt, it suggests the Government wants to allow the national security agencies the flexibility to transfer a bulk personal dataset to any country disregarding any privacy concerns (i.e. transfers to a country that does not offer an "adequate level of protection"). Additionally, as the Principle allows adequacy considerations to be set aside for transfers on a case-by-case basis if "transfer is necessary for reasons of substantial public interest" (Schedule 4, paragraph 4(1) of the DPA), it follows that the Certificate allows transfers in the absence of any "substantial public interest" requirement (e.g. as child protection, terrorism, serious crime, and national security would all be substantial public interest reasons for a transfer). It follows that the Certificated exemption permits transfers for reasons not in the substantial public interest.
3.4 I should add that the Government has never proffered any explanation as to why the national security agencies should be exempt from the above obligations.
4. Can the national security agencies be transparent?
4.1 The First Principle also contains a requirement to process personal data fairly and this usually means making a public statement in a Fair Processing Notice about the processing of personal data. The current Certificates under Section 28 exempt these requirements; without the proposed amendment this secrecy is likely to continue for every single bulk personal dataset collected under the IP Bill.
4.2 However, there is an example where the fairness provisions can be applied to a bulk dataset that is already collected when Congestion Charge Number plate personal data are streamed into the national security agencies. For instance, with respect to Police & National Security access to Congestion Charge ANPR data, the TfL website states:
"In 2012 the Mayor of London's Crime Manifesto included a commitment to instruct TfL to give the Metropolitan Police Service (MPS) direct real time access to the Automatic Number Plate Recognition (ANPR) cameras we use to enforce our Road User Charging schemes, for the purposes of preventing and detecting crime…..
….This was an expansion of a pre-existing arrangement with the MPS established in 2007, under which they were given access to TfL's ANPR data specifically for the purpose of using it to safeguard national security. This arrangement was approved by the Home Secretary, who signed a certificate confirming that TfL, and the MPS, are exempt from certain provisions of the Data Protection Act 1998 for that purpose." (my emphasis).
4.3 Clearly, if TfL’s statement had jeopardised any national security operation, then the national security agencies would have asked for it to be removed. They haven’t.
I should add that I can understand why the national security agencies should want an exemption from the above transparency obligations in many cases; however, a Certificated exemption would mean that this obligation is exempt in every case when the TfL example shows that such transparency is possible without any prejudice to the national security function.
4.4 Such transparency is necessary whenever there is bulk personal dataset collection as most of the personal data concerns data subjects who are not of interest to these national security agencies. For instance, the Annual Reports should give an opportunity to report on data protection and bulk personal dataset acquisition.
4.5 Back in 1979, the Lindop Report into Data Protection (Cmnd 7341, paras 23.21-23.24) stated that the national security agencies should be subject to a data protection Code of Practice that was independently supervised (e.g. this could be the BPD Code). The Report concluded that it was important to take the national security agencies out of their "hermetically sealed" environment in order to ensure that these agencies would be "open to the healthy - and often constructive - criticism and debate which assures for many other public servants that they will not stray beyond their allotted functions".
4.6 All I would say is that the Snowden allegations are all about such "straying" and that transparency, wherever possible, serves to reassure the public. That is why it should be included inside the double lock and not, as the Government propose, outside the double lock.
5. What could a certificated exemption mean?
5.1 An example should suffice. Suppose there is an autocratic country that is friendly to the UK and wishes to buy multi-billions worth of advanced weaponry; suppose further this country let it be known that it "will sign the deal but we want regular updates on what certain dissidents are doing in London".
5.2 If the Government wanted the national security agencies to do this kind of surveillance work, then these agencies would need to continue the Certificated national security exemption. This, in summary, is what the Government is legitimising in the IP Bill by not implementing the draft IP Bill Committee’s recommendations (i.e. by allowing the processing for a secret purpose, possibly unlawful, possibly unconnected with national security, terrorism or crime where transfers of personal data to that autocratic regime can take place without any substantial public interest threshold).
6. Amendment to clause 178(4): Specific BPD warrants
6.1 If you want me to draft all the exemptions that are needed, I can do so. However, amendments need to be inserted into all clauses detailing warrant applications where personal data are processed by the national security agencies. I provide one example in relation to BPD provisions so that the principle of the amendment can be debated.
6.2 Other amendments (not drafted here) are needed to disapply the Certificated Section 28 exemption in the DPA whenever personal data are processed using powers in the IP Bill, to allow for the Judicial Commissioners to look at all data protection issues, and to allow for Annual Reports to contain appropriate detail on the processing of bulk personal datasets. However, the following gives an idea of what is needed in the context of bulk dataset warrants.
6.3 At the moment Clause 178(4) at Line 20, page 138 states
(4) The application must include-
(a) a description of the bulk personal dataset to which the application relates, and
(b) in a case where the intelligence service wishes to examine the bulk personal dataset, the operational purposes for which the intelligence service wishes to do so.
6.4 The amendment would insert new sub-clauses 4(c), 4(d) to 4(e)
(4) The application must include-
(a) a description of the bulk personal dataset to which the application relates, and
(b) in a case where the intelligence service wishes to examine the bulk personal dataset, the operational purposes for which the intelligence service wishes to do so,
(c) a description of any data protection obligation, principle or right which is to be exempt from the Data Protection Act on the grounds that such an exemption is necessary for the purpose of safeguarding national security,
(d) a description of the reasons why any exemption specified in subsection 4(c) is necessary, and
(e) a description of the evidence that will be used to assess whether the exemption should be maintained if the application were to be successful and any resultant warrant were to be renewed.
7. Amendment re Codes of Practice BCD and Communications Data
7.1 Both Codes of Practice should make reference to the Data Protection Principles, and not the "Ersatz Principles" identified below (reasons in my evidence "Amberhawk Training Limited-written evidence to the draft IP Bill Committee published as (IPB0015)" from paragraph 22)
7.2 Schedule 7, paragraph 3(2) at Line 40, page 215 states:
3(2) Such provision must, in particular, include provision about-
(a) why, how and where the data is held,
(b) who may access the data on behalf of the authority,
(c) to whom, and under what conditions, the data may be disclosed,
(d) the processing of the data for purposes otherwise than in connection with the purposes for which it was obtained or retained,
(e) the processing of the data together with other data,
(f) the processes for determining how long the data should be held and for the destruction of the data.
7.3 Replace paragraph 3(2) with:
(2) Such provision must, in particular, include provision about compliance with the data protection principles in Schedule 1 of the Data Protection Act 1998
8. About myself
8.1 I have been a data protection practitioner for 30 years and am a founder member of Amberhawk Associates and a Director in Amberhawk Training Limited since the company was founded in 2008. The company specialises in training staff who are responsible for data protection, Freedom of Information, and information security and other aspects of Information Law.
8.2 In 2012, I was appointed to two Government Advisory Committees. I am a member of the Identity Assurance, Privacy and Consumer Advisory Group (advising the Cabinet Office on "privacy friendly" use of identity assurance techniques and on data sharing) and the Data Protection Advisory Panel (advising the Ministry of Justice on its approach to the EU’s Data Protection Regulation and Directive in the field of law enforcement).
8.3 I have given oral and written evidence before various Parliamentary Select Committees where issues of privacy, data protection and security have arisen (e.g. ID Cards, Surveillance, Computer Misuse Act, data retention policies, supervision of the national security agencies). I have also been asked to give a presentation to European MEPs when the European Parliament was discussing the General Data Protection Regulation.