Home Office Evidence
APIG Communications Data Inquiry Oral Evidence
The Home Office
Wed, 18 December 2002
MR. WHITE: We appreciate you taking the time out to come here to
help us. I do not know whether you have heard any other evidence, but
do you want to make an opening statement by way of introduction?
MR. WATKIN: We welcome what the Inquiry is doing and we wish to
help as much as we can. We have submitted our evidence and, hopefully,
that will give you some line as to where we are coming from and where
you might wish to take us.
MR. WHITE: One of the things which have become clear is that there
is a myriad of powers which exist in different pieces of legislation.
Is that a problem which you have looked at and, if so, are there any
suggestions that they ought to be rationalised?
MR. WATKIN: Our objective is that RIPA should establish a single
regulatory regime for access to communications data for those
authorities which are tasked with the investigation of crime, whether
it be serious and organised crime, which Mr. Gamble was talking about,
or whether it is very minor crime which is impacting on people at the
very local level, which is dealt with not by the police but by local
environmental health officers and/or trading standard officers. They
are still crimes which impact upon people, and communications data can
be relevant to the investigation of such matters.
MR. ALLAN: What we are trying to do, and which is as I understand
it what the Home Office is trying to do, is to get a sense of what the
public feels is reasonable, given particularly the fuss we had in the
summer. As often has been said, when we had the Daily Telegraph and
Guardian editorials on the same side, we then know that something is
cooking. In terms of trying to reach that understanding, one of the key
questions which has come out in terms of the legal debate has been the
fact that retained data, which is retained under ATCS or anything else,
could be accessed by a whole variety of people and, therefore there are
concerns about the principle of data retention. Perhaps most people
would say "I would be more or less happy to have data retained if it
were about stopping September 11th. That is something I understand.
However, I am not happy about it being retained if it is going to be
dragged into civil cases that I might be involved in, or this, that and
the other". Will we be looking at that issue in the consultation of the
wider issues of the potential access to that data, or will we be
looking at it narrowly, purely in the light of RIPA and the ATCS?
MR. LACK: There will be two consultation papers, clearly. The
additional data that will be retained and the access to it is something
that we will be inviting comment on. Clearly, it is very difficult for
the Home Office to make comments on other people's legislation. It is
difficult for the Home Office to make statements which will mean
changes in other people's legislation. I think that Simon's comment is
the right comment to make. We would like to see RIPA as the
over-arching regime for everything. There is an issue about the
retention of data. There is an issue which concerns both the
Information Commissioner, the industry and ourselves. However, our
legal advice is that we note the problems which have been created but
we do not consider that that prevents access through RIPA once we have
RIPA Part I Chapter II in. So we think that is a perfectly reasonable
route to go through, to access any data which is retained for whatever
purpose. However, I cannot comment on Acts which do not concern the
Home Office.
MR. ALLAN: Let us be clear about this. You are responsible for
RIPA, the Data Protection Act, the Human Rights Act and the ATCS Acts,
and anything else, whether it is food standards, environmental health,
trading standards and that sort of stuff, is outside the remit of the
Home Office?
MR. LACK: Other Acts which allow access are outside of our remit.
MR. ALLAN: And anything to do with the civil law would be a matter for the Lord Chancellor and not yours?
MR. LACK: We find ourselves in a difficult position; yes.
MR. ALLAN: Is the consultation you are embarking upon a consultation with a view to getting Part I Chapter II implemented?
MR. WATKIN: We are looking to publish very early in the new year a
consultation document on the implementation of Part I Chapter II of
RIPA whereby we will seek to place in the public domain more openly
than has been the case, the totality to which communications data is
being used by a great variety of public authorities, not all of whom
are automatically associated with the investigation of crime but they
are all involved with the investigation of crime at some point, and
seeking to engage the public in a more informed way than was possible
in the summer to validate what it is that the public would wish to see
being done in terms of providing access to communications data by those
who are tasked with the investigation of crimes, which are obviously of
concern to the public. What happened in the summer was a presumption as
to what the public would want done for them. Obviously, the message
came back, "Hang on. We need to be a bit clear as to what is being done
and by whom so that we can take a view". Obviously, the point of the
consultation is to take a clear view of what the public is prepared to
countenance in terms of public authorities having access to data, but
within the ring fence of the purposes provided by RIPA. Essentially, we
are talking about everything from the detection of serious crime to the
issue of public safety. What we are not discussing here is how
communications data has a role to play in civil case law, which clearly
it does, but that is beyond our scope.
MR. WHITE: In the consultation paper which is coming out in the new year, are other departments involved in it?
MR. WATKIN: All the departments which are responsible for
authorities which are using communications data or seeking to use
communications data, like the Food Standards Agency, the Medical
Devices Agency and the Financial Services Authority -- there are a
number of government departments and public authorities which are all
involved -- clearly are part of our objective in preparing a paper
because it properly reflects the work which they do.
MR. WHITE: One of the things which has been suggested to us is that
there is a myriad of security overseers which look at different parts.
Richard reminds me of the list that RIPA has. Do you think that there
are too many people looking at the oversight of RIPA and looking at the
oversight of this function. Should there not be just one body which
looks at it for everybody?
MR. WATKIN: We have the Office of the Interception Commissioner,
who is responsible for the oversight of Part I of RIPA, of the
provisions of interception of communications and the acquisition of
communications data, and the Office of the Surveillance Commissioner,
who oversees the covert and intrusive surveillance provisions in Part
II. They are quite separate.
MR. WHITE: As well as the Interception Commissioner and the Surveillance Commissioner, you also have other bodies as well.
MR. WATKIN: I am talking about the ones which have responsibility for overseeing how RIPA works and how RIPA is being used.
MR. WHITE: But I, as a citizen, have this myriad of people who exist, but I do not know who to go to.
MR. ALLAN: Or the Police Complaints Authority about a police
officer who has behaved wrongly. It has been put to us in evidence from
a citizen's point of view that it is not clear who to turn to. Given
that you do not probably know what has been done with your data --
almost by definition you should not know what has been done -- but you
think that something has been done with your data (you have probably
seen the effect of it in that some information about you is out there.
You think somebody must have done something wrong but you do not know
whether it is communications data, interception or whatever) if you,
the citizen, wants to go somewhere and say, "Oi, I want to know what
has gone on here", it has been put to us that from a citizen's point of
view the path is not clear.
MR. WATKIN: In the consultations which we have gone through and the
comments which have been put to us in preparing where we are, that is
not a concern which has been aired. The concerns which have been aired
are about the effectiveness of the Commissioners which we have in
place. The Government is already committed to ensuring that the
Interception Commissioner has the resources to enable him, effectively,
to oversee the provisions of Part I Chapter II of RIPA.
MR. WHITE: When do you expect Part I Chapter II to come into effect
if the consultation is favourable in the new year? Are we talking about
two years down the line?
MR. WATKIN: What we are looking to do in the consultation is to
explain clearly what the options are in terms of enacting RIPA Chapter
I Part II and variations on a theme of which public authority should
have access to what. If we get a broad consensus from Parliament and
from the public that the approach which is being set out is appropriate
or an option becomes clear that that is what Parliament and the public
prefer, we would be looking to implement the provisions some time after
Easter but certainly during 2003.
MR. ALLAN: In terms of selling it to the public or to get public
acceptance about what might take place, every intrusion into privacy
must be proportionate and necessary. That is the human rights
background to it. What happened in the summer was that all the Home
Office could say was that it will be proportionate and necessary but
nobody understood that. You can understand why a trading standards
investigation into fireworks which will blow up and kill people will be
more acceptable to the public than investigating something which is
harmless but a bit dodgy. I am wondering how you are able to do that?
Will there be a collection of codes of practice which spell out for
people in terms of what they can understand "necessary and
proportionate" means or are we still to fall back and say, "If you have
a problem, you can take a case under the Human Rights Act"?
MR. WATKIN: Again, I fall back on the consultations and discussions
that we have had. My consultations tends to be with the technical and
computer literate lobby. The concerns are not necessarily about
proportionality. There is a broad understanding of what that means, but
it is to whom that applies. You cannot possibly say, "In this sort of
circumstance, this will happen", because the number of possible
circumstances you can have is so enormous. You could have a great
compendium saying, "If this event happens, this is what will be
necessary and proportionate in that instance".
What you can say is that whatever happens must be necessary and
proportionate as required by the legislation, but that we should have a
common collective view of the sorts of things that people will be doing
and are looking to use the legislation for. Clearly, the Food Standards
Agency, which has a particular function in protecting the public health
from eating contaminated foodstuffs, has a necessary and proportionate
role to, occasionally, have access to communications data which will
help trace the sources of unfit food, which would otherwise be going
into the food chain or may have already gone into the food chain. The
necessity and proportionality of what they need to do will be quite
different from the National Crime Squad's investigation into an
organised gang which is seeking to move class A drugs from one side of
the world to the UK. The proportionality and the needs which they have
will be different.
I am very conscious that this is not about "making" the public
understand. It is about having information in the public domain and
letting the public and Parliament decide what it thinks is appropriate.
We do not want to suggest that the Home Office knows what is best for
you. If anything, that is an argument which could have been laid at our
door in June. What we are seeking to say is, "This is the range of
activity which is going on. There are needs for communications data.
They vary. The necessity and proportionality vary. So long as what is
being sought is necessary and proportional, then the law should allow
that". It will all be overseen by a Commissioner, and there is an
avenue of complaint through the Investigatory Powers Tribunal.
MR. ALLAN: The other side of the coin, and this is what people will
want to know, is this. Can you describe the sort of penalty regime that
is in place in RIPA. It may help people to understand if their
communications data were taken off. We have had examples of the Police
National Computer. There have been public cases where officers have
been reprimanded. That means it only becomes more and more powerful in
having a greater impact on our lives. We would expect those who have
used it to be severely dealt with, I think.
MR. WATKIN: There is no express provision within Part I Chapter II
for abuse of those specific powers. What the issue would be is why are
they being abused? Are they being abused because someone is being
blackmailed? In that case, there would be an offence of blackmail. Are
they being abused because somebody is trying to defraud somebody? There
would be an offence there. So the purpose for which that abuse is
taking place is an issue. Whatever the abuse is, it would be covered
under the Data Protection Act. The personal data would be required for
a purpose that it was not expressly being asked for. Personal data
could be asked for disguised as having a legitimate reason for a
certain disclosure -- using it for other purposes would be an offence
under the Data Protection Act. We would want the consultation paper and
the discussion which follows it to explore that more widely.
MR. ALLAN: So the serious penalties for abuse of data are only for
the abuse of intercepted data, the IOCA-type data, the actual record of
the communication or the transcript, the tape of your telephone call or
the content of your e-mail. Within RIPA itself there are penalties for
people who have disclosed that data in ways that they should not have
done, but there are no parallel provisions for communications data?
MR. WATKIN: No. It would have to be under something like the Data
Protection Act or in relation to an offence for which the acquisition
of the data was the precursor.
MR. ALLAN: As we heard in the tipping-off offences in terms of the
whole communications data, Chapter II is weaker in a sense than the
Part I Chapter I regime, because it is regarded as less sensitive.
MR. WATKIN: Yes. It is considered less intrusive data.
MR. WHITE: One of the things mentioned throughout this inquiry is
the differential between communications data and subscriber data, like
"Whose is this mobile phone? Whose is this e-mail address?". RIPA does
go some way to looking at that. Do you think that there are amendments
which could be made to RIPA to make that definition much clearer?
MR. WATKIN: We have within RIPA explanations of communications
data, which basically breaks it into three categories, which are
traffic data, use of a service and information about the user of the
service. Those are, by necessity, broadly defined categories. They are
technology neutral categories. What would be helpful, and what we are
already seeing, are discussions that help establish common degrees of
understanding within law enforcement and industry about what sort of
data is what, and that will need to be constantly reviewed as
technology changes and different sorts of data emerge and different
services. That is one of the reasons why it is better that the primary
legislation does not spell it out in detail. I think we have workable
definitions which recognise the different levels of intrusion relating
to the different categories of data. Obviously, in terms of
implementing those, having codes of practice and building up common
understandings as to what sort of data sits where within that framework
is obviously the way to go.
MR. WHITE: It has been suggested that judicial authorisation ought
to be required for everything except basic subscriber data. Is that a
view which the Home Office has looked at?
MR. WATKIN: Can you repeat the question?
MR. WHITE: Some of our witnesses have suggested that subscriber
data is at superintendent authority level, but that much more sensitive
data ought to require a judicial authority.
MR. WATKIN: That was a matter which Parliament considered at the
time when the legislation went through, and Parliament decided that the
regime which we have is the regime which should be followed.
MR. WHITE: From a practical point of view, has the Home Office looked at the impact of that?
MR. WATKIN: We still believe that the regime that Parliament has adopted is practicable.
MR. ALLAN: I remember moving that amendment in Committee. There was
a very good brief against it, so I think they have considered it in
detail. Let me ask you about the relationship with ATCS, which is the
other thing that has come up. Where are we now from the Home Office
point of view in terms of a voluntary/mandatory scheme for the
retention of data?
MR. LACK: The legislation makes it quite clear. I describe it to
the industry and law enforcement agencies as "hoops and hurdles" which
we are required to go through. We can only provide a code of practice
to a voluntary scheme for initial discussions. The legislation does not
allow us to go to a mandatory scheme immediately. What we have been
doing with the industry, with law enforcement agencies and with the
Information Commissioner is discussing the basis of a voluntary code of
practice which will be the subject of a consultation paper and, we
hope, will subsequently be discussed in both Houses of Parliament.
MR. ALLAN: So if you came forward with a voluntary code of practice
and the Government said, "You, the industry, should retain the data for
X amount of time", and the industry said, or some voices in the
industry were saying, "We think we will be hung under the Human Rights
Act if we do that. Therefore, we are not prepared to implement your
voluntary code of practice", what kicks in then?
MR. LACK: We need to give the industry time to consider its
position once the voluntary code of practice has passed through
Parliament with whatever amendments are made to it. Industry must be
given sufficient time to consider its position. Then we will need to go
back to the Secretary of State with the consideration of making
directions which will lead to mandatory provisions.
MR. ALLAN: And the voluntary code of practice has to come here as a statutory instrument for an affirmative resolution?
MR. LACK: Yes.
MR. ALLAN: So it is quite a long process?
MR. LACK: It is a process which takes somewhere around 10 months,
which is why we would be looking for consultation shortly after the
consultation started on the access provisions.
MR. ALLAN: How would that mandatory scheme be brought in?
MR. LACK: That would be brought in, in the same way, by an affirmative resolution.
MR. ALLAN: So, if we went to that point, we would certainly be running into 2004 before any actual data was retained?
MR. LACK: It depends on the decisions of Parliament as to what is a
reasonable time between publishing a voluntary code of practice and
being able to review that voluntary code of practice. If we took a
reasonable time as being -- this is a figure from the top of my head --
four months, we could finish before the sunset clause comes in,
basically.
MR. ALLAN: And the sunset clause comes in when?
MR. LACK: On 13th December next year, 2003.
MR. ALLAN: 2003. So it is a race against time?
MR. LACK: It is not really a race against time. The issue, really,
is to follow the process that we have. It will be for you, gentlemen,
to decide what that process will be and the timescales of that process.
LORD NORTHESK: In effect, you are saying that even with a voluntary
code of practice, with the best will in the world, Parliament will not
be in a position effectively to legislate on this issue for two years?
MR. LACK: That is correct; just under two years if we are to be in front of the sunset clause.
MR. ALLAN: Picking up the cost point again, which we have heard
evidence about, my understanding of the figures that we have been
given, an example of which is from large service providers like AOL, is
$40 million to set up data retention, whether it is a voluntary or
mandatory system, to retain all their data and something like $14
million a year to run. Thus quoted us 5 million or 6 million in
Sterling for their business. We understand that you have a budget head
of 20 million for the industry. Is that correct? Do you think that
means that the industry can agree to something for which, as it looks,
they will not be refunded for anything like the larger part of their
expenditure?
MR. LACK: The initial budget head under the anti-terrorism budget
from the Treasury allocated just over 20 million pounds for that
purpose. However, when you read the Act, the Act is not just about what
you do now, what capital provision you have to deliver now, but you
have to look at the revenue implication thereof. We are working with
the industry and law enforcement agencies through a working group to
discuss these issues. I, myself, have had discussions with AOL back in
May and June. In fact, I spent time in discussing it with most of the
major US suppliers, at which time they made it quite clear that they
had a global concept but to break that global concept down would be
impossible. To deliver data retention in the way that the UK wants it
would not comply with the situation in the US, which is data
preservation. They are happy working with their data preservation
rules. It seems that they may still want to change their stance, but we
still have to consider that that would be a global stance, and it will
be for the UK to pay for a global provision for AOL. At the moment data
preservation, as I was given to understand, works in the States. I do
not know how much data they have got preserved, though.
MR. WHITE: One of the things which is concerning me about ATCS and
RIPA are the implications to the way the UK does business versus other
countries. One of the original concerns I had with RIPA was to the
effect of driving ISPs out of the country so you would not get the
data, anyway, as they would be operating in another country. What are
you doing about addressing those concerns about how you get data from
other countries and how you work with industry to make sure that they
stay in the UK?
MR. LACK: There are two sides to that question. I think I will
refer the question of data from other countries back to Simon. The
other issue is how we are trying to make things work in the UK. We have
to ensure that the Government realise that this is not a commitment for
this year, next year or the year after but it is a permanent commitment
to support UK Plc. If you are asking for data to be retained then
subsequent access and additional access to that data needs supporting.
MR. ALLAN: There needs to be an on-going budget head in the Home Office to say, "We will pay you year-on-year"?
MR. LACK: That would be my recommendation. If we improve what goes
on in UK Plc and we make the Internet in the UK a very safe place and a
very honest place to do business, we will attract customers.
MR. ALLAN: Broadband has ten times as much data and ten times as much data to retain.
MR. LACK: I am aware of the enormous implications.
MR. WATKIN: Let me make the point that the UK is not alone in
pondering on these issues. Other countries are pondering the same
issues at the same time as we are. There are, clearly, issues about the
cultural approaches they have to it and the legal traditions which they
have, which means they all come at it in slightly different ways with
slightly different approaches in the way they work on them which means
they come at it in slightly different timescales. Those are all
difficulties for the Government and for law enforcement in trying to
deal with criminality, especially when it is international criminality.
We have mechanisms and regimes which seek to address that through
Interpol, etc. It is important to say that, anecdotally, I sometimes
hear members from industry saying that they have foreign law
enforcement officers turning up at their doors demanding data. My
advice to them when that happens is to shut the door on them and to
explain that they have no authority to turn up their doorsteps seeking
information, in the same way that a British police officer should not
expect to turn up on one's door overseas demanding data. There are
special provisions for that. That is an area of concern which flies
around. It is important to try and make sure that it is dealt with very
early on.
MR. WHITE: There are some companies which are designing systems,
for example in the UK, the US and in the Far East, and the designs
which they are working on are virtually there and they all have access
to it but nobody knows which country has jurisdiction over the data. In
applying that to a criminal scenario, how do you go about finding where
the data actually is in those circumstances, and how do you actually
then apply the RIPA?
MR. WATKIN: It depends from whom you are seeking data. If it is an
organisation which you are looking to assist you, then that body,
within its corporate being, will see that information within its
company jurisdiction is within the jurisdiction of, say, UK law
enforcement. That is very helpful. Equally, a company in that position
may equally well say, "That data is not in this jurisdiction but it is
in the jurisdiction of Spain", for example. If it is in the
jurisdiction of Spain, then, obviously, there are mechanisms and
procedures whereby that material may be formally requested through the
Spanish Government.
MR. WHITE: So if I am this mythical West Dorset ISP and I move my data offshore, how do we deal with that kind of scenario?
MR. WATKIN: In very much the same way as the international
community has dealt with financial services. That is the point I was
going to make at the end, but as you have led me to it I will make it
now. What do criminals do? Criminals need to communicate. I heard
points made about the Internet. Criminals communicate and they use
communication services, disproportionately, perhaps, to other services
in the conduct of their criminal activities. The other sorts of
services which criminals tend to use a lot are financial services,
because they are largely in it for the money. Other sorts of services
they do not tend to use significantly or disproportionately, whether it
is buying cars or groceries. The communications and financial services
are services which criminals, particularly organised international
criminals, use disproportionately compared with other services. As we
have seen what the international community does with financial
services, through organisations such as the Financial Action Task
Force, it recognises concerns about financial data havens where you had
unregulated financial services and, occasionally, you had countries
advertising their financial sector as a haven for dirty money. It is
important for the international community to work together to ensure
that worldwide there are standards which apply to the provision of
financial services and to ensure that money laundering is not able to
flourish. One can see something similar in relation to the provision of
communication services. I am quite sure that the British Government and
other national governments would not wish to see certain jurisdictions
thriving as data havens for dirty data, let us say, or data within
which there is some dirt, in the same way as money within which there
is some dirty money. It is a similar sort of analogy.
MR. ALLAN: I understand the point being made about the difficulty
in defining which communications services criminals use. All the
evidence we have had so far suggests that in the vast majority of cases
where communications data has been useful and where criminals have been
caught because they have used communication services, has been through
telephone services, not Internet services. Have you done work to
indicate that these are the cases which are occurring now where the
Internet is an integral part of the crime and we will catch them if we
bring this regime in?
MR. WATKIN: One of the great difficulties for us and the Government
is in trying to predict where commercial business is going in terms of
what services are being delivered and trying to force how they may be
exploited by criminals.
MR. ALLAN: I am thinking more of criminologists predicting the way criminals are going rather than the mass of industry.
MR. WATKIN: If the service is not there, it cannot be misused. As
services come on line, we will always find that they will seek to
exploit and misuse them. The task of Government is trying to predict
what those might be. We already are seeing the use of the Internet,
whether it is sending hate mail, posting websites, soliciting dubious
financial investments or offering for sale unlawful images. I expect
someone in the room will say that telephony will become Internet based
sooner than later. The distinction between telephony and Internet will
disappear and the distinction between television and Internet will
disappear. Again, it is difficult for me as a civil servant to quite
predict how that technology market will change. However, I can see from
my experience during the past few years that it is changing very
quickly and it may not always change in ways that we understand.
You made the point earlier about going into every building and
capturing an image of who did it and was it fair to apply that regime
to the Internet? Going back to what I said that bad people do in
relation to financial services, I think we have all accepted long ago
that when we went into a bank there would be a camera which will
capture our picture in the event that there was a bank robbery. I have
never been in a bank when a bank robbery has been in progress, but I
have been in a lot of banks where my picture is on a screen which shows
me that I am being recorded. There is public acceptance that bank
robberies happen and, therefore, it is important that banks should have
the facilities to record the image of people who come into their
premises. If the public accepts that for banks and building societies
with information being placed in the public domain and letting the
public take a view and decide, maybe the concerns about the extent to
which that regime applied in some similarly analogous way to the
Internet can be allowed to be debated. I think what is important is
that there is that debate and understanding.
MR. ALLAN: It is a very interesting and philosophical point as to
whether the Internet has space -- effectively, there are CCTV cameras
everywhere -- or is there space where they do not exist?
MR. WATKIN: It is a question as to whether it is a space where there are some CCTV areas looking at various things.
MR. ALLAN: But 100% data retention means CCTV cameras everywhere.
MR. WATKIN: No. It means there is a recording of images. The
question is whether people look at them and the reason for which they
look at them.
MR. LACK: We come back to our criminal investigation. At the
pinnacle of the pyramid, you would not expect to have your data
recorded and you would not expect your information to be in the vault
of the bank where you have your safety deposit box. If we apply the
same expectation to the Internet, there are some places where you may
expect that people would be looking after you and in some places you
would expect to be on your own. I think that is part of the realities
that we are discussing. I think the consultation paper will open that
reality.
MR. WHITE: You said that one of the things you have to do is to
look at the way technology is changing. Although it is slightly outside
the terms of reference, we have heard suggestions that the Computer
Misuse Act needs up-dating. Are you looking at that and also at the
Cybercrime Convention and what is coming out of that, mainly to
legislative changes?
MR. LACK: We, personally, are not but the Home Office itself is. I
was at a meeting a week ago where those discussions were taking place
with the service providers, the law enforcement agencies and the Crown
Prosecution Service to decide what was the way forward.
MR. WATKIN: You do not hear people talking so much about "Internet
years", but the Computer Misuse Act is now 12 years old in real terms
and it was designed for an age when computers were designed to keep
people out. Now we are looking at a world where computers are designed
to let people in. We recognise that. What is at issue is whether what
we do have in place still works in today's era. We are keeping that
very much under review. We are working with the Crown Prosecution
Service to explore some test cases which actually challenge the extent
to which the Computer Misuse Act is robust in today's technological
era. To the extent that it is not, we are reviewing the extent that we
need to address it and to ratify the Council of Europe's Cybercrime
Convention.
MR. ALLAN: So we can expect 2003 to be a bumpy year for ISP public policy officers.
MR. WHITE: One of the concerns which led to SPOCs coming into
existence was how do CSPs and ISPs know if the person they are dealing
with is the real person. What procedures have you got in place, apart
from our SPOCs? There has been some suggestion that they are
under-resourced or have been in the past leading to delays. What
procedures have you got in place and what plans have you got in place
for dealing with this problem?
MR. WATKIN: I will leave the Police Service to decide and indicate
whether their SPOCs are resourced. What I would say, clearly, is that
the joint provision of training between law enforcement and industry of
SPOCs and the creation of points of contact play an effective role in
that they are known to industry. They know how the industry works and
they know the art of what is feasible and what is not feasible. They
play an effective role in cutting off requests for data which are
inappropriate, they provide a model that we would wish to see
replicated throughout those public authorities who fall within the RIPA
regime in terms of making sure that the people who, effectively, work
with the powers on a day-to-day basis are accredited in a way which
industry recognises, which we are told by industry they do recognise
and welcome, and look to have that as the model backed up by manuals
and standards, which we would want to make sure were clearly in the
public domain.
One of the concerns which arose in the summer was that, on the face
of it, we were giving these powers to local authorities and, therefore,
every bureaucrat in a town hall in an idle moment could ring up a
telephone company and get his next door neighbour's telephone bill
details. Clearly it was never the case. We need to explain what the
role of SPOCs are and what the importance of having an accredited
person is, and the manuals, standards and procedures which they should
abide by. There must be procedures which can vouchsafe that the
requests are proper and appropriate and from an appropriate person.
MR. ALLAN: One of the problems which came out in discussions with
lawyers was that the police SPOCs could not be used by local
authorities and that every local authority would have to have its own
SPOC. The point is that RIPA specifically excludes an agent acting for
a third party. It has to be the investigating officer asking for the
data themselves.
MR. WATKIN: That is right, and the reason why that is so is to
minimalise the intrusion to privacy and to provide an express
conformity to the human rights legislation. Clearly, if an agency is
seeking to ascertain some private information about someone, the
intrusion of privacy is much reduced if the agency asks for it and
receives that information back. If that agency has to go through a
central agency to get that information, clearly, the intrusion into
privacy is greater because not only does the first agency know but the
second agency is a party to that intrusion into privacy. That was
clearly what the formulation was in the mind of Parliament when RIPA
was adopted.
One of the questions which I think we will want to explore through
the period of consultation is whether the public, in seeking to be more
reassured and more trusting that these powers are being used
necessarily and proportionally is whether there is an acceptance that
that extra degree of intrusion afforded by a central agency is worth it
in terms of ensuring that individual agencies, in which the public does
not have so much trust, cannot "run amok". That is an issue which we
will want to explore. If the public said, "We would not mind that extra
degree of intrusion in cases where it was appropriate and necessary
because it would provide us with that extra bit of reassurance about
this authority, who we now understand is involved in the investigation
of criminal offences, which we are not as familiar with as we are with
the police, and we would quite prefer them to go through some other
body". If that is something which emerges out of the consultation, I
think that is something we would want to look at.
MR. WHITE: And you would be happy to propose amending the legislation?
MR. WATKIN: It is an area that, so long as there is an acceptance
that that extra degree of intrusion on each case is accepted because it
offsets mistrust of individual agencies going about doing what they do,
then that is something we would want to discuss and explore.
MR. ALLAN: Would it require a change in the primary legislation?
MR. WATKIN: Although RIPA is not explicit on that point, the way
RIPA is worded in terms of disclosures back to the authority which has
the notice, for the sake of clarity, if that was the public's consensus
and Parliament's consensus, we might want to amend that.
LORD NORTHESK: On the issue of public reassurance, it struck me
that the poor Information Commissioner with successive Acts of
Parliament is becoming somewhat overloaded. In policy terms, do you
think that the Office of the Information Commissioner is adequately
resourced? That is the first part of the question.
The second part of my question -- my colleagues may not be aware of
this but, of course, I am, because the Bill started in this House --
concerns the Crime (International Co-operation) Bill, which imposes a
further duty on the Information Commissioner to make sure that data
held by three databases in Europe is overseen by the Information
Commissioner. What flows out of this is if the Office of the
Information Commissioner is adequately resourced to ensure that data
held in those databases on UK nationals is held in terms that are
consistent with UK legislation?
MR. WATKIN: I think we would probably defer to our colleagues in
the Lord Chancellor's Department who are responsible for resourcing the
Information Commissioner. I can answer questions about the Interception
and Communications Commissioner.
MR. ALLAN: The Information Commissioner is the LCD.
MR. WATKIN: Yes; it is the Lord Chancellor's Department.
MR. WHITE: We have run out of time. Is there anything that you
would like to say or indicate to us that that we should be looking at?
MR. LACK: From the point of view of the ATCS, we have had enormous
support from the industry to try and get to where we are. Your comments
on the Information Commissioner are such that some of the delays have
been through delays there. Seeking counsel's advise has also caused
delay. I think you will see, shall we say, a much clearer position
being adopted by both the industry and the law enforcement agencies to
be able to deliver data retention by one of the means under the Act
within the timescales of the Act. I believe that is possible.
MR. WHITE: Thank you very much. What we are hoping to do is to get this report out early in the new year. Thank you very much.
MR. LACK: Thank you.
MR. WATKIN: Thank you.
(The witnesses withdrew)
Back to main Oral Evidence Page.
Back to 18th December Oral Evidence Session Page.
