Thursday 13 December 2012

Draft Communications Data Bill: surveillance safeguards, supervision, security & sentences

Today, I’m setting out some of the recommendations in the Joint Committee’s report that have not received any significant media attention. 

While this week’s media reports have concentrated on the Bill’s defects, it is accepted that some form of official access to some types of communications data is necessary. 

Accordingly, what measures ought to be in place to maintain an appropriate level of official accountability and public reassurance, once it has been determined what types of data should investigators be able to access?

The authorisation process

The Single Point of Contact process should be enshrined in primary legislation. A specialist centralised SPoC service should be established modelled on the National Anti-Fraud Network service which currently offers SPoC expertise to local authorities. The Home Office should consider allowing police forces to bid to run this service. This new service should be established by statute, and all local authorities and other infrequent users of communications data should be required to obtain advice from this service.

Although approval by magistrates of local authority authorisations is a very recent change in the law, we think that if our recommendations are implemented it will be unnecessary to continue with different arrangements applying only to local authorities.

The Interception of Communications Commissioner

The IoCC should carry out a full review of each of the large users of communications data every year. While sampling is acceptable as a way of dealing with large users, the requests of users making fewer than 100 applications in a year should be checked individually. The annual report of the IoCC should include more detail, including statistics, about the performance of each public authority and the criteria against which judgements are made about performance. It should analyse how many communications data requests are made for each permitted purpose. For this the IoCC will need substantial additional resources, both as to numbers and as to technical expertise. There should be full consultation with him on this. His role should be given more publicity.

The IoCC's brief should explicitly cover the need to provide advice and guidance on proportionality and necessity, and there should be rigorous testing of, and reporting on, the proportionality and necessity of requests made.

The IoCC will be key to public confidence in the Request Filter. The IoCC will need the necessary expertise properly to examine the operation of the Request Filter. He will have to report on the scale of searches via the Request Filter and rigorously test the necessity and proportionality of requests put to the Filter. All this information should be included in the public section of his annual report so that if there are any signs that the Filter is resulting in more intrusive requests Parliament can review the legislation.

The Information Commissioner

If the Government believe that additional safeguards can be provided by the Information Commissioner, they should undertake detailed discussions with him as to what such safeguards might be, how they might be undertaken, and what additional powers and resources he might need. The Bill should make clear that the Information Commissioner will need to be shown all notices issued under clause 1.

Other Surveillance Commissioners

Work should be done to rationalise the number of commissioners with responsibility for different areas of surveillance. This work should aim to simplify the situation and make it easier for the public to understand, while ensuring that all surveillance powers are subject to rigorous oversight. Consideration should be given to a new unified Surveillance Commission reporting to parliament with multi-skilled investigators and human rights and computer experts.

Security and destruction of data

We consider the Home Office's cost estimates may underestimate the cost of security and destruction of data. Since the cost of security and destruction will ultimately be borne by the taxpayer, the Home Office will have to carry out a careful cost/benefit analysis and obtain advice and assurances from a wider body of experts that the companies that stand to earn money from devising secure storage solutions.

Offence of misuse of communications data by a public authority

The House of Commons Justice Committee recommended that the power under section 77 of the Criminal Justice and Immigration Act 2008 should be exercised "without further delay". Nearly a year later the Home Affairs Committee reached the same conclusion. We agree with the Information Commissioner and with both these Committees that this power to allow custodial sentences to be imposed in appropriate cases should be exercised without delay.

The Bill should provide for wilful or reckless misuse of communications data to be a specific offence punishable in appropriate cases by imprisonment.

In the final blog of this short series, I’ll be reviewing some of the immediate reaction to the report’s recommendations.