Template-Info

RETOUR

FERMER

The Evolving Bill: Capabilities

We recommend that the Government should publish in a Code of Practice alongside the Bill advice on how data controllers should seek to minimise the privacy risks of subject access requests for ICRs under the Data Protection Act 1998.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

The Government has made amendments to the Bill to ensure that it contains a single definition of ICRs – see Clause 54. The Government has redrafted Clause 54 of the Bill to widen the purposes for which law enforcement may seek toaccess ICRs, including which internet service is being used. Further guidance on access to ICRs can be found in Chapter 7 of the draft Code of Practice on Communications Data.Chapters 2 and 7 of the draft Code of Practice on Communications Data provide further information and guidance on the definition and uses of ICRs, including examples of ‘internet services’ and ‘internet communications services’ to assist with the interpretation of those terms.

When setting out the steps that a CSP needs to take to meet its security obligations, the Government already draws upon a set of recognised security standards. Detailed guidance is contained in Chapter 16 of the draft Code of Practice on Communications Data. It is important that CSPs can put in place security safeguards that are appropriate to the nature of the data being retained. The Government will, however, consult the Information Commissioner's Office, the National Technical Assistance Centre and GCHQ with a view to being able to provide clear and consistent standards for CSPs retaining data under the obligations in the Bill.

As the communications data will be held for purposes that are not related to the CSP’s own business purposes, we agree that the Government should provide CSPs with whatever technical and financial support is necessary to safeguard the security of the retained data. While we do not agree that 100% cost recovery should be on the face of the Bill, we do recommend that CSPs should be able to appeal to the Technical Advisory Board on the issue of reasonable costs.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

We recommend that the Government should publish a full assessment of the differences between the ICR proposal and the Danish system alongside the Bill.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

Clause 84(4) of the Bill has been added to enable CSPs to disclose the existence and contents of a notice with permission of the Secretary of State. As set out in Chapter 18 of the draft Code of Practice on Communications Data, this will provide for disclosure to relevant oversight bodies and other CSPs served with a notice.

We acknowledge, though, the call for greater safeguards for the bulk powers. We believe that it is difficult to make a thorough assessment of the effectiveness of further safeguards without a greater understanding of the way in which bulk powers are operated in practice. We recommend that the Investigatory Powers Commissioner, within two years of appointment, should produce a report to Parliament considering the safeguards that exist and making recommendations for improvements if required.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

A draft Code of Practice on Equipment Interference, covering both the security and intelligence agencies (SIAs), and law enforcement agencies (LEAs), has been published alongside the Bill at introduction. This builds on the existing Code of Practice for the use of Equipment Interference, which was approved by Parliament in January 2016 and which provides for the SIAs’ use of EI.

GCHQ’s use of equipment interference and the safeguards in place have recently been subject to litigation. The Investigatory Powers Tribunal (IPT) handed down their judgment in the case of Privacy International and Greennet & Others (IPT 14/85/CH, IPT 14/120-126/CH) on 12 February 2016. The IPT supported the lawfulness of the current EI regime, including the safeguards provided in the existing Code of Practice.

Chapter 2 of the draft Code of Practice on Equipment Interference provides further information on the key terms to ensure greater clarity.

Chapters 2 and 8 of the draft Equipment Interference Code of Practice provides guidance on this matter for law enforcement agencies. Further advice and operational guidance will continue to be provided by relevant oversight and governance bodies, including the Investigatory Powers Commissioner (IPC). The Government will also continue to work with law enforcement agencies, the College of Policing and the Crown Prosecution Service to consider how the guidance and training provided in relation to using EI-derived information in court can be developed further.

Clause 112 of the revised Bill requires the Secretary of State to ensure that there are arrangements in place for the security and protection of data acquired under EI. Chapter 6 of the draft Equipment Interference Code of Practice provides further information on data protection both in regard to agency systems and those systems which may be interfered with when using EI capabilities.

The documentation produced in support of the Bill makes clear that CSPs will not be in breach of their data protection obligations in giving effect to an EI warrant, as all activity carried out under a warrant is lawful.

Chapter 6 of the draft Equipment Interference Code of Practice provides further information on the impact of the Data Protection Act.

We recommend that the Intelligence and Security Committee, in their analysis of BPDs, should assess the extent to which the concerns expressed by witnesses are justified.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

Limiting the bulk interception and equipment interference powers to overseas-related communications provides an important safeguard, and ensures that these powers are not directed at individuals in the UK. The operational case for bulk powers provides further examples of how they are used to gather overseas-related communications.The communications or data of individuals in the UK may only be intercepted or obtained in so far as that is necessary to do what is expressly authorised by a bulk interception or bulk equipment interference warrant. Examination of the content of a UK person’s data acquired by these means will require a targeted examination warrant issued by the Secretary of State and approved by a Judicial Commissioner.

Considerations of such risks will be integral to the determination of the proportionality of any warrant application. Chapter 3, 4 and 5 of the draft Equipment Interference Code of Practice provides further guidance on how collateral intrusion should be considered in any decision to issue a warrant, and Chapter 3 elaborates on the considerations that should be made in regards to the security of networks and systems.

An operational case for the use of bulk powers has been published alongside introduction of the revised Bill. Further classified documentation has been provided to the Intelligence and Security Committee (ISC), the Interception of Communications Commissioner and the Intelligence Services Commissioner in parallel.

The Government has provided further information to the ISC on the BPD provisions in the Bill and will provide the Committee with any further information it requires. A detailed draft Code of Practice on the security and intelligence agencies’ retention and use of Bulk Personal Datasets has been published alongside the revised Bill. Chapters 4, 5 and 7 include guidance relating to safeguards. Each of the security and intelligence agencies is a data controller in relation to all the personal data that it holds. Accordingly, the agencies are in general required by section 4(4) of the Data Protection Act 1998 (DPA) to comply with the Data Protection Principles in Part I of Schedule 1 to the DPA. That obligation is subject to sections 27(1) and 28(1) of the DPA, which exempt personal data from (among other things) the Data Protection Principles if the exemption ‘is required for the purpose of safeguarding national security’. By virtue of section 28(2) of the DPA, a Minister may certify that exemption from the Data Protection Principles is so required.

We recommend that the Home Office should produce its case for bulk personal datasets (BPDs) when the Bill is published.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

The provisions in the Bill do not provide a power to acquire BPDs but instead apply robust, consistent safeguards to the handling of BPDs acquired by the security and intelligence agencies, including through the introduction of a new ‘double lock’, so that warrants authorised by the Secretary of State must be approved by a Judicial Commissioner. BPDs can be collected by a range of means, including through the use of other investigatory powers and through voluntary disclosures. The primary bases in law for the acquisition of bulk personal datasets are sections 2(2)(a) of the Security Service Act 1989 and 2(2)(a) and 4(2)(a) of the Intelligence Services Act 1994, sometimes referred to as the information gateway provisions. To separate acquisition of this type of data from other types when there is an existing framework for data acquisition would add undue complexity to the Bill and would risk undermining the existing information gateway provisions. Retaining the ability to obtain BPD under these provisions in law does not exempt the agencies from applying the strict safeguards in the Bill.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

While we recognise that ICRs could prove a desirable tool for law enforcement agencies, the Government must address the significant concerns outlined by our witnesses if their inclusion within the Bill is to command the necessary support.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

The documents supporting the revised Bill on introduction provide further detail and address the points on the technical feasibility of ICRs which were raised with the Committee. The Government will continue to discuss ICRs with those service providers likely to be affected by the obligations in the Bill. The Government has amended Clause 46(7)(g) of the revised Bill now Clause 53 to remove the words ‘in an emergency’ to make it clear that law enforcement can always acquire communications data for the purpose of saving lives.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

We recommend that the definition of Internet Connection Records should be made consistent throughout the Bill and that the Government should give consideration to defining terms such as ‘internet service’ and ‘internet communications service’. We recommend that more effort should be made to reflect not only the policy aims but also the practical realities of how the internet works on a technical level.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

We agree that all of the proposed purposes for which access to ICRs could be sought are appropriate. Furthermore, we recommend that the purposes for which law enforcement may seek to access ICRs should be expanded to include information about websites that have been accessed that are not related to communications services nor contain illegal material, provided that this is necessary and proportionate for a specific investigation.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

We recommend that the Government should publish a full assessment of the differences between the ICR proposal and the Danish system alongside the Bill.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

We urge the Government to consider the suggestion to work with the Information Commissioner’s Office, the National Technical Assistance Centre and the Communications-Electronics Security Group at GHCQ, which has recognised expertise in this area, to draw up a set of standards for CSPs.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

The Government has included a section relating to subject access requests in Chapter 11 of the draft Code of Practice on Communications Data, which has been published alongside the revised Bill.

We recommend that the Government should publish a full assessment of the differences between the ICR proposal and the Danish system alongside the Bill.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

We recommend that the Government should publish a full assessment of the differences between the ICR proposal and the Danish system alongside the Bill.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

We recommend that the Government should publish a full assessment of the differences between the ICR proposal and the Danish system alongside the Bill.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

The Government has redrafted Clause 54 of the Bill to widen the purposes for which law enforcement may seek to access ICRs, including which internet service is being used. Further guidance on access to ICRs can be found in Chapter 7 of the draft Code of Practice on Communications Data.

We agree with the Government’s intention not to require CSPs to retain third party data. The Bill should be amended to make that clear, either by defining or removing the term “relevant communications data”.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

We recommend that the Government should clarify the types of data it expects CSPs to generate and in what quantities so that this information can be considered when the Bill is introduced.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

We understand the Government’s position for not allowing the fact that a data retention notice has been served to be referred to in public. We suggest that some forum or mechanism, perhaps through the Technical Advisory Board, is made available so that CSPs subject to such notices can share views on how best to comply with them.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

We agree with the intention of the Government’s policy to seek access to protected communications and data when required by a warrant, while not requiring encryption keys to be compromised or backdoors installed on to systems. The drafting of the Bill should be amended to make this clear.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

The Government welcomes the Committee’s acknowledgement that there are important differences between the ICR proposal in the Bill and the system used in Denmark. The Government has published an assessment of those differences alongside introduction of the Bill.

Our view is that the Government should provide statutory guidance on the cost recovery models, and that particular consideration should be given to how the Government will support smaller providers served with data retention notices.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

The Bill provides a definition of ‘relevant communications data’ in Clause 78. If this term were removed, it would reduce the clarity regarding what data a CSP could be required to retain. Chapter 2 of the draft Communications Data Code of Practice also includes a clear restriction on third party data retention by CSPs.

We recommend that the Government should produce more specific definitions of key terms in relation to EI to ensure greater confidence in the proportionality of such activities and that a revised Code of Practice is made available alongside the Bill.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

Further guidance on costs is included in Chapter 19 of the draft Communications Data Code of Practice. This notes where the arrangements are of particular importance to smaller providers. The draft Codes of Practice relating to other powers in the Bill also provide detail on costs.

It would not be appropriate to commit future Governments to pay the full cost of compliance, as it would limit their discretion on this issue. The Government welcomes the Committee’s conclusion on this point. In practice, the Government has a long- standing position of reimbursing 100% of the costs associated with data retention. There are no current plans to change that policy, which was confirmed by the Home Secretary on the floor of the House of Commons on 21 February 2016.

Any retention notice must specify the level, or levels of contribution which the Secretary of State determines should apply in relation to that notice. Clause 80 of the Bill provides a clear route for CSPs to appeal to the Secretary of State should a company consider that the obligation placed on them would incur unreasonable costs. In considering their appeal, the Secretary of State must take advice from the Technical Advisory Board (TAB) on costs and technical feasibility and from the Investigatory Powers Commissioner (IPC) on proportionality.

We recommend that the Government should produce a Code of Practice on Equipment Interference to cover the activities both of the security and intelligence agencies and of law enforcement.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

We acknowledge the importance of data protection in relation to EI activities. We recommend that the assessments undertaken by Judicial Commissioners when authorising warrants should give consideration to data protection issues.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

Clauses 217 and 218 of the Bill have been amended to make clear the obligations that can be imposed on CSPs with regard to encryption. This explains what is meant by ‘removing electronic protection’ and makes clear that CSPs can only be required to remove protection that they themselves have applied, or that has been applied on their behalf. Other provisions in the Bill at Clause 218 set out the considerations that must be taken into account when considering whether it is necessary and proportionate to issue a technical capability notice.

The relevant draft Codes of Practice provide detailed information on technical capability notices and the obligations that can be imposed on CSPs.

Further clarity on generation of data has been provided in Chapter 14 of the draft Communications Data Code of Practice

We recommend that applications for targeted and bulk EI warrants should include a detailed risk analysis of the possibilities of system damage and collateral intrusion and how such risks will be minimised. We also recommend that such warrants should detail how any damaged equipment will be returned to its previous state at the point that the authorisation or operational need ceases.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

We recognise that, given the global nature of the internet, the limitation of the bulk powers to “overseas-related” communications may make little difference in practice to the data that could be gathered under these powers. We recommend that the Government should explain the value of including this language in the Bill.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

We recommend that the Government should publish a fuller justification for each of the bulk powers alongside the Bill. We further recommend that the examples of the value of the bulk powers provided should be assessed by an independent body, such as the Intelligence and Security Committee or the Interception of Communications Commissioner.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

We agree that material acquired through targeted equipment interference warrants should be admissible in court, though we share the concerns of witnesses about the risks involved. We believe that law enforcement and the security and intelligence agencies will need detailed codes of practice and appropriate procedures to ensure that evidence is not inadvertently compromised. We urge the Government to consider how it will reconcile the understandable desire of law enforcement and the security and intelligence agencies to keep their techniques secret with the need for evidential use and disclosure regimes in legal proceedings

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

We further recommend that the Home Office should make clear in the explanatory notes to the Bill or in a Code of Practice how EI activities can be conducted within the constraints of data protection legislation.

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

We recommend that the Code of Practice on equipment interference should set out how individuals and companies should be engaged with when conducting authorised EI activities to make the process more transparent and foreseeable

CLICK ON THE BOX FOR GOVERNMENT RESPONSE

Clause 201 of the revised Bill provides for the IPC to make both annual and ad hoc reports. The Government would expect the IPC to report in detail as to whether the bulk safeguards were operating effectively and to make any recommendations as appropriate

Chapter 6 of the draft Equipment Interference Code of Practice provides guidance on this issue. This explains the process that any agency should adhere to when requiring assistance from a CSP in effecting an EI warrant, including the consultation that should take place before any such interference begins. An operational case for bulk powers, including bulk personal datasets, has been published alongside introduction of the revised Bill. Further classified information has also been provided to the ISC.

Each box contains a different recommendation about technological capabilities in the Bill.

Click on the boxes to see how the government responded.

BACK