Out-Law News

Access to communications data needs judicial approval


The Government should ensure judicial authorisation for access to personal communications data, the Foundation for Information Policy Research (FIPR) said on Monday. The independent researchers were commenting on the Regulation of Investigatory Powers Act (RIPA), for which the results of Government consultations are still outstanding.

The questions of retention of communications data, and access to that communications data, are controversial elements of RIPA. The Government is due to bring into effect the relevant provisions of the Act, but is running late, as its first attempt was thwarted by a public outcry last summer.

Communications data is data retained by telephone companies, ISPs, interactive television service providers and the like. It covers subscriber details – i.e. the name and address of the subscriber – but can also include telephone billing data, e-mail logs, personal details of customers and records showing the location where mobile phone calls were made. It does not include the content of the communications.

Combined, this array of data creates a comprehensive dossier on the contacts, friendships, interests, transactions, movements and personal information on almost everyone in the UK. A single customer file can involve thousands of items.

Not surprisingly this sort of information is regarded by law enforcement and security agencies as priceless in the fight against crime and terrorism, but it has clear implications for an individual's right to privacy.

A draft Order was laid before Parliament last year, setting out who would have access to communications data retained by ISPs and telcos. The list did not limit itself to the enforcement agencies, but included many government agencies and public authorities.

As the FIPR put it at the time, the draft Order "apparently intended for every Whitehall or Town Hall bureaucrat to have access to this highly sensitive data." It was quickly dubbed a 'Snoopers' Charter', and subsequently dropped. The Government's consultation will result in a replacement.

The FIPR's main concern relates to the retention of and access to data other than basic subscriber information. This is already accessed regularly – the group estimates that "one million such requests are made every year in the UK."

The more controversial data is that relating to an individual's use of communication and the traffic generated. The FIPR is of the view that:

"The interception of communications is clearly the most invasive type of surveillance. It should require explicit judicial rather than ministerial authorisation. A set of security-cleared judges should deal with national security cases; the rest of the judiciary are already experienced in dealing with sensitive material in cases of serious crime."

The group added:

"additional agencies should only be provided with access to traffic and usage data after presenting the strongest case. The emergency services and specialised police agencies are the only bodies that appear to have such a case.

"Other agencies should conduct joint investigations with the police where traffic or usage data is required. They do not have, and will not obtain, the experience necessary to properly identify, request and analyse traffic and usage data given the low volume of their requests."

Overseeing the access requests will be, according to the government, an Interception Commissioner, but FIPR questions whether he and his centralised office will be sufficiently resourced to deal with over one million requests per year. The group therefore recommends that the individual who is the subject of the access request should be notified of the request. This would ensure that the individual concerned has an opportunity to complain if an abuse, unseen by the Commissioner, has taken place.

The FIPR also comments on the consultation taking place with regard to the retention of communications data. At present data can be retained under the Anti-Terrorism, Crime and Security Act 2001 where national security is an issue. However there are proposals to extend the use that this data can be put to. The consultation document states:

"The Home Office do not consider that the fact that data is held by a communication service provider under the Code of Practice for national security purposes, and not for any other reason, should prevent the police or other public authorities having access to that data when they can demonstrate a proportionate need for it."

The FIPR is not happy with this extension of access, which it regards as contrary to the European Union position.

ISPs are not happy with the proposal either, citing huge costs in retaining the data, but with no clear evidence of benefit. They have already said they do not want to implement the data retention proposals voluntarily.

The group therefore urges the Government to drop all plans to extend the data retention powers.

The results of the consultations are not yet available, but are likely to be released in the next few months.
