
[This version is provided by http://www.cyber-rights.org]

Anti-Terrorism, Crime, and Security Act 2001

An Act to amend the Terrorism Act 2000; to make further provision about terrorism and security; to provide for the freezing of assets; to make provision about immigration and asylum; to amend or extend the criminal law and powers for preventing crime and enforcing that law; to make provision about the control of pathogens and toxins; to provide for the retention of communications data; to provide for implementation of Title VI of the Treaty on European Union; and for connected purposes. [14th December 2001]

See below for the Explanatory Notes to Anti-Terrorism, Crime And Security Act 2001 - published 20 February, 2002

PART 11
  RETENTION OF COMMUNICATIONS DATA
102     Codes and agreements about the retention of communications data
 
      (1) The Secretary of State shall issue, and may from time to time revise, a code of practice relating to the retention by communications providers of communications data obtained by or held by them.
 
      (2) The Secretary of State may enter into such agreements as he considers appropriate with any communications provider about the practice to be followed by that provider in relation to the retention of communications data obtained by or held by that provider.
 
      (3) A code of practice or agreement under this section may contain any such provision as appears to the Secretary of State to be necessary-
 
 
    (a) for the purpose of safeguarding national security; or
 
    (b) for the purposes of prevention or detection of crime or the prosecution of offenders which may relate directly or indirectly to national security.

      (4) A failure by any person to comply with a code of practice or agreement under this section which is for the time being in force shall not of itself render him liable to any criminal or civil proceedings.
 
      (5) A code of practice or agreement under this section which is for the time being in force shall be admissible in evidence in any legal proceedings in which the question arises whether or not the retention of any communications data is justified on the grounds that a failure to retain the data would be likely to prejudice national security, the prevention or detection of crime or the prosecution of offenders.
 
103     Procedure for codes of practice
 
      (1) Before issuing the code of practice under section 102 the Secretary of State shall-
 
 
    (a) prepare and publish a draft of the code; and
 
    (b) consider any representations made to him about the draft;
  and the Secretary of State may incorporate in the code finally issued any modifications made by him to the draft after its publication.
 
      (2) Before publishing a draft of the code the Secretary of State shall consult with-
 
 
    (a) the Information Commissioner; and
 
    (b) the communications providers to whom the code will apply.

      (3) The Secretary of State may discharge his duty under subsection (2) to consult with any communications providers by consulting with a person who appears to him to represent those providers.
 
      (4) The Secretary of State shall lay before Parliament the draft code of practice under section 102 that is prepared and published by him under this section.
 
      (5) The code of practice issued by the Secretary of State under section 102 shall not be brought into force except in accordance with an order made by the Secretary of State by statutory instrument.
 
      (6) An order under subsection (5) may contain such transitional provisions and savings as appear to the Secretary of State to be necessary or expedient in connection with the coming into force of the code to which the order relates.
 
      (7) The Secretary of State shall not make an order under this section unless a draft of the order has been laid before Parliament and approved by resolution of each House.
 
      (8) The Secretary of State may from time to time-
 
 
    (a) revise the whole or any part of the code issued under section 102; and
 
    (b) issue the revised code.

      (9) The preceding provisions of this section shall apply (with appropriate modifications) in relation to the issue of any revised code under section 102 as they apply in relation to the first issuing of the code.
 
      (10) Subsection (9) shall not, in the case of a draft of a revised code, require the Secretary of State to consult under subsection (2) with any communications providers who would not be affected by the proposed revisions.
 
104     Directions about retention of communications data
 
      (1) If, after reviewing the operation of any requirements contained in the code of practice and any agreements under section 102, it appears to the Secretary of State that it is necessary to do so, he may by order made by statutory instrument authorise the giving of directions under this section for purposes prescribed in section 102(3).
 
      (2) Where any order under this section is in force, the Secretary of State may give such directions as he considers appropriate about the retention of communications data-
 
 
    (a) to communications providers generally;
 
    (b) to communications providers of a description specified in the direction; or
 
    (c) to any particular communications providers or provider.

      (3) An order under this section must specify the maximum period for which a communications provider may be required to retain communications data by any direction given under this section while the order is in force.
 
      (4) Before giving a direction under this section the Secretary of State shall consult-
 
 
    (a) with the communications provider or providers to whom it will apply; or
 
    (b) except in the case of a direction confined to a particular provider, with the persons appearing to the Secretary of State to represent the providers to whom it will apply.

      (5) A direction under this section must be given or published in such manner as the Secretary of State considers appropriate for bringing it to the attention of the communications providers or provider to whom it applies.
 
      (6) It shall be the duty of a communications provider to comply with any direction under this section that applies to him.
 
      (7) The duty imposed by subsection (6) shall be enforceable by civil proceedings by the Secretary of State for an injunction, or for specific performance of a statutory duty under section 45 of the Court of Session Act 1988 (c. 36), or for any other appropriate relief.
 
      (8) The Secretary of State shall not make an order under this section unless a draft of it has been laid before Parliament and approved by a resolution of each House.
 
105     Lapsing of powers in section 104
 
      (1) Section 104 shall cease to have effect at the end of the initial period unless an order authorising the giving of directions is made under that section before the end of that period.
 
      (2) Subject to subsection (3), the initial period is the period of two years beginning with the day on which this Act is passed.
 
      (3) The Secretary of State may by order made by statutory instrument extend, or (on one or more occasions) further extend the initial period.
 
      (4) An order under subsection (3)-
 
 
    (a) must be made before the time when the initial period would end but for the making of the order; and
 
    (b) shall have the effect of extending, or further extending, that period for the period of two years beginning with that time.

      (5) The Secretary of State shall not make an order under subsection (3) unless a draft of it has been laid before Parliament and approved by a resolution of each House.
 
106     Arrangements for payments
 
      (1) It shall be the duty of the Secretary of State to ensure that such arrangements are in force as he thinks appropriate for authorising or requiring, in such cases as he thinks fit, the making to communications providers of appropriate contributions towards the costs incurred by them-
 
 
    (a) in complying with the provisions of any code of practice, agreement or direction under this Part, or
 
    (b) as a consequence of the retention of any communications data in accordance with any such provisions.

      (2) For the purpose of complying with his duty under this section, the Secretary of State may make arrangements for the payments to be made out of money provided by Parliament.
 
107     Interpretation of Part 11
 
      (1) In this Part-
 
 
    "communications data" has the same meaning as in Chapter 2 of Part 1 of the Regulation of Investigatory Powers Act 2000 (c. 23);
 
    "communications provider" means a person who provides a postal service or a telecommunications service;
 
    "legal proceedings", "postal service" and "telecommunications service" each has the same meaning as in that Act;
  and any reference in this Part to the prevention or detection of crime shall be construed as if contained in Chapter 2 of Part 1 of that Act.
 
      (2) References in this Part, in relation to any code of practice, agreement or direction, to the retention by a communications provider of any communications data include references to the retention of any data obtained by that provider before the time when the code was issued, the agreement made or the direction given, and to data already held by that provider at that time.
 

Explanatory Notes to Anti-Terrorism, Crime And Security Act 2001 - published 20 February, 2002

Retention of communications data

28.     Part 11 contains provisions facilitating the retention by communications providers of data about their customers' communications for national security purposes so that they can be accessed by the security, intelligence and law enforcement agencies by means of a statutory code of practice to be drawn up in consultation with industry and the Information Commissioner and approved by Parliament by affirmative resolution procedure.

29.     The Act ensures that data which communications service providers would otherwise be obliged to erase when it is no longer needed for billing purposes may be retained if it is necessary to safeguard national security or to prevent, detect or prosecute crimes related to national security.

30.     The Regulation of Investigatory Powers Act 2000 (Part 1, Chapter 2) sets out limits on the purposes for which the security, intelligence and law enforcement agencies may request access to data relating to specific communications. These provisions complement the 2000 Act by clarifying the lawful basis for the retention of data by communications service providers. They do not affect the access framework and safeguards set out in RIPA.

31.     There is also a reserve power to review the voluntary arrangements under the code of practice and issue directions if necessary. If still needed, it must be renewed by an affirmative order every two years, unless the power is exercised.

PART 11: RETENTION OF COMMUNICATIONS DATA

Overview

257.     Part 11 sets up a structure within which the Secretary of State can issue a code of practice relating to the retention of communications data by communications service providers, such as telephone and internet companies. Communications data is data relating to telephone, Internet and postal communications which does not include the substance of the communications itself.

258.     The Telecommunications (Data Protection and Privacy) Regulations 1999 regulate the retention of such data by communication service providers providing that such data can only be retained for certain specific purposes. Otherwise it must be erased or made anonymous. Communications data can be a useful tool for law enforcement agencies and if held by a communications service provider is accessible by a public authority under Chapter II of Part I of the Regulation of Investigatory Powers Act 2000. However, whilst the Regulations permit the retention of communications data on national security and crime prevention grounds, they do not give any general guidance as to when these might apply. Accordingly, before these provisions were introduced communications service providers did not have a clear lawful basis for retaining communications data beyond the period for which it was required for their own business purposes.

259.     Part 11 establishes a structure to regulate the continued retention of such data on national security and crime related to national security grounds so that it may then be accessed by public authorities under the Regulation of Investigatory Powers Act 2000. Under section 102 the Secretary of State can issue a voluntary code of practice which will provide a basis for retention of communications data. Section 104 provides that if the voluntary scheme proves ineffective the Secretary of State may by affirmative order be authorised to impose mandatory retention directions on communications service providers. Section 105 provides that the power to invoke the mandatory scheme in section 104 will itself lapse unless renewed by affirmative order.

Section 102 Codes and agreements about the retention of communications data

260.     Subsection (1) sets out that a voluntary code of practice will be drawn up and issued by the Secretary of State. The code will be applicable to communications providers and will apply to communications data that they have generated or is otherwise in their possession.

261.     Subsection (2) explains that the Secretary of State may enter into further agreements with specific communications providers, with the consent of both parties. These will specify in greater detail than the generic code the type of data that is retained, and the conditions of retention and retrieval. The aim of these individual agreements is to provide greater clarity as to each provider's retention practices for public authorities who are eligible under the Regulation of Investigatory Powers Act 2000 to access communications data.

262.     Subsection (3) sets out that the code and any agreements may contain provisions necessary to safeguard national security, or to prevent or detect crime and to prosecute offenders where this is directly or indirectly related to national security. Data retained in accordance with the code will therefore be held for national security and law enforcement purposes, without prejudice to the communication provider's own business purposes.

263.     Subsection (4) makes it clear that the code is voluntary: there are no penalties for non-compliance.

264.     Subsection (5) allows the code or any agreement drawn up under this section to be used in legal proceedings brought against a communications provider by a person whose communications data they hold. Adherence to the terms of the code or agreement may be used as evidence that the retention of data is justified for national security or law enforcement purposes. This provision is intended to prevent a communications provider facing civil liability for retaining data in accordance with the code when they have no further need of it for business purposes.

Section 103 Procedure for codes of practice

265.     Subsections (1), (2), (3) and (4) explain that the code of practice will be drawn up in two stages: firstly consultation with the Information Commissioner and communications providers to whom the code applies, leading to the publication of a draft, and secondly public consultation during which comments may be taken from any quarter.

266.     Subsections (5), (6) and (7) require the Secretary of State to use an affirmative statutory instrument to bring the code into force, so ensuring that Parliament have the chance to consider and approve the code. The code may contain transitional provisions, covering for example data collected before the code is finalised or no longer judged necessary for the purposes of this Act under subsequent revisions of the code.

267.     Subsections (8), (9) and (10) provide for the code to be revised and re-issued following consultation with the Information Commissioner and those communications providers who would be affected by the revisions. The order bringing a revised code into force would also need to be approved by both Houses of Parliament.

Section 104 Directions about retention of communications data

268.     This section permits the Secretary of State to issue compulsory directions if he is not satisfied that the operation of the voluntary code of practice is effective. Directions may only be given if the Secretary of State is authorised to do so by affirmative order and for the purposes of safeguarding national security and the prevention and detection of crime or the prosecution of offenders which may relate directly or indirectly to national security.

269.     Subsection (1) provides that the Secretary of State may by order authorise the giving of directions under this section.

270.     Subsection (2) explains that the mandatory directions may apply to any of three categories: either all communications providers, a particular type of communications providers, or one or several specific communications providers.

271.     Subsection (3) explains that the statutory order authorising the giving of directions must specify the maximum period for which any communications provider can be directed to retain any particular type of data.

272.     Subsection (4) obliges the Secretary of State to consult with those who may be affected by the mandatory directions, or their representatives, before giving them. If the requirement is only being placed on particular communications providers (as in subsection 2(c) above), the Secretary of State must consult with them directly.

273.     Subsection (5) explains that any direction must be explicitly brought to the attention of those to whom it applies.

274.     Subsection (6) puts a duty on the communications provider to comply with any direction given under this section that applies to him.

275.     Subsection (7) sets out the consequences of non-compliance with any direction. The Secretary of State may bring civil proceedings against the communications provider, seeking an injunction, or other appropriate relief.

276.     Subsection (8) requires that the Secretary of State lay a draft of any order made under subsection (1) before Parliament and seek the approval of both the House of Commons and the House of Lords for that order.

Section 105 Lapsing of powers in section 104

277.     This section provides for the renewal every two years of the Secretary of State's power under section 104(1) to authorise the issue of compulsory directions. The power will lapse unless it is either exercised or renewed.

278.     Subsection (1) provides that the power to authorise the issue of compulsory directions ceases to have effect unless an order is made under section 104 before the end of the initial period.

279.     Subsections (2), (3) and (4) define the initial period as two years beginning from the day on which the Act is passed and provide for it to be extended by order more than once, so long as the order extending the period is made within the two years. The extension may only be for two years at a time.

280.     Subsection (5) requires that an order extending the initial period must be approved by affirmative resolution.

Section 106 Arrangements for payments

281.     This section allows for payment arrangements to be made in order to compensate communications providers for the costs of adhering to the provisions of the code of practice or any agreements. It is consistent with similar provisions in the Regulation of Investigatory Powers Act 2000 (sections 24 and 52 of that Act).

282.     Subsection (1) puts a duty on the Secretary of State to set up arrangements for paying an appropriate contribution of the costs incurred by communications providers acting in accordance with the code of practice or any agreements.

283.     Subsection (2) clarifies that the Secretary of State may make arrangements for payments to be made out of money provided by Parliament.

Section 107 Interpretation of Part 11

284.     This section provides a definition of the terms used in the Part.

285.     Subsection (1) lists definitions of a number of terms. The terminology is consistent with that used in the Regulation of Investigatory Powers Act 2000.

286.     Subsection (2) specifies that the provisions of any code of practice, agreements or directions under this Part are applicable to all data obtained or held by the communications provider, including that which came into their possession before the code, agreements or directions took effect.


Information on the Anti-Terrorism, Crime, and Security Bill

A BILL TO
Amend the Terrorism Act 2000; to make further provision about terrorism and security; to provide for the freezing of assets; to make provision about immigration and asylum; to amend or extend the criminal law and powers for preventing crime and enforcing that law; to make provision about the control of pathogens and toxins; to provide for the retention of communications data; to provide for implementation of Title VI of the Treaty on European Union; and for connected purposes.

The full text of the Anti-Terrorism, Crime, and Security Bill is available as a PDF file
An HTML version of the Bill is provided by Cryptome.Org
See also the Explanatory Notes for the Bill
Check also Internet related Policy Issues and developments following the Attacks on America on 11 Sept. 2001

Note also the House of Lords and House of Commons Joint Committee On Human Rights 
13/11/01 - Information Commissioner Contributes to Scrutiny of Anti-Terrorism Bill - added below
- Second Report on the Anti-Terrorism, Crime and Security Bill, HL 37, HC 372, 16 November 2001 
Home Office, Retention of Communications Data: Supplemental Regulatory Impact Assessment.
An HTML version of this document is also available through Cryptome.Org
Home Office Anti-Terrorism, Crime and Security Bill pages

House of Lords (Hansard), Anti-terrorism, Crime and Security Bill, 04 December, 2001
This involves the House of Lords discussions on Part 11 of the Bill: Retention of Communications Data
See also the 13 December, 2001 discussion.

House of Commons Library Research Paper, The Anti-terrorism, Crime and Security Bill, Parts III & XI: Disclosure and retention of information [Bill 49 of 2001-02], No: 01/98 of 2001, 19 November, 2001

House of Lords and House of Commons Joint Committee On Human Rights - Second Report on the Anti-Terrorism, Crime and Security Bill, HL 37, HC 372, 16 November 2001

"We note that as the Bill is presently drafted, the Code of Practice relating to the retention of communications data will not be subject to any parliamentary procedure. We also have in mind that a Code of Practice may be used as evidence in courts and tribunals, and that a direction given by a Secretary of State may give rise to legal obligations. In the light of these factors, we consider that measures should be put in place to ensure that the Code of Practice and any directions are compatible with the right to respect for private and family life, home and correspondence under Article 8 of the ECHR, and that those measures should be specified, so far as practicable, on the face of the legislation. We accordingly draw these provisions to the attention of each House."

"It remains to be seen whether the government will take into account what the Joint Committee said about the data retention proposals which have been included within the Anti-Terrorism, Crime, and Security Bill. However, there need to be measures of legal protection in law against arbitrary interferences by public authorities especially where a power of the executive is exercised in secret without the knowledge of the citizens." Yaman Akdeniz, Director of Cyber-Rights & Cyber-Liberties (UK)

This page includes Part 11 of the Bill which deals with the Retention of Communications Data

PART 11

RETENTION OF COMMUNICATIONS DATA

101 Codes and agreements about the retention of communications data

102 Directions about retention of communications data

103 Lapsing of powers in section 102

104 Arrangements for payments

105 Interpretation of Part 11

Intelligence Services Act 1994

114 Amendments of Intelligence Services Act 1994


PART 11 RETENTION OF COMMUNICATIONS DATA

101 Codes and agreements about the retention of communications data

(1) The Secretary of State shall issue, and may from time to time revise, a code of practice relating to the retention by communications providers of communications data obtained by or held by them.

(2) The Secretary of State may enter into such agreements as he considers appropriate with any communications provider about the practice to be followed by that provider in relation to the retention of communications data obtained by or held by that provider.

(3) Before issuing or revising a code of practice under this section the Secretary of State shall consult with the communications providers to whom the code will apply or, as the case may be, who will be affected by the revisions, or with the persons appearing to him to represent those providers.

(4) Where the Secretary of State issues or revises a code of practice under this section, he shall publish the code or, as the case may be, the revised code in such manner as he considers appropriate for bringing it to the attention of the communications providers to whom it applies.

(5) A code of practice or agreement under this section may contain any such provision as appears to the Secretary of State to be necessary—

(a) for the purpose of safeguarding national security; or

(b) for the purposes of the prevention or detection of crime or the prosecution of offenders.

(6) A failure by any person to comply with a code of practice or agreement under this section shall not of itself render him liable to any criminal or civil proceedings.

(7) A code of practice or agreement under this section shall be admissible in evidence in any legal proceedings in which the question arises whether or not the retention of any communications data is justified on the grounds that a failure to retain the data would be likely to prejudice national security, the prevention or detection of crime or the prosecution of offenders.

102 Directions about retention of communications data

(1) If, after reviewing the operation of any requirements contained in the code of practice and any agreements under section 101, it appears to the Secretary of State that it is necessary to do so, he may by order made by statutory instrument authorise the giving of directions under this section. 

(2) Where any order under this section is in force, the Secretary of State may give such directions as he considers appropriate about the retention of communications data—

(a) to communications providers generally;

(b) to communications providers of a description specified in the direction;

or

(c) to any particular communications providers or provider.

(3) An order under this section must specify the maximum period for which a communications provider may be required to retain communications data by any direction given under this section while the order is in force.

(4) Before giving a direction under this section the Secretary of State shall consult—

(a) with the communications provider or providers to whom it will apply;

or

(b) except in the case of a direction confined to a particular provider, with the persons appearing to the Secretary of State to represent the providers to whom it will apply.

(5) A direction under this section must be given or published in such manner as the Secretary of State considers appropriate for bringing it to the attention of the communications providers or provider to whom it applies.

(6) It shall be the duty of a communications provider to comply with any direction under this section that applies to him.

(7) The duty imposed by subsection (6) shall be enforceable by civil proceedings by the Secretary of State for an injunction, or for specific performance of a statutory duty under section 45 of the Court of Session Act 1988 (c. 36), or for any other appropriate relief.

(8) The Secretary of State shall not make an order under this section unless a draft of it has been laid before Parliament and approved by a resolution of each House.

103 Lapsing of powers in section 102

(1) Section 102 shall cease to have effect at the end of the initial period unless an order authorising the giving of directions is made under that section before the end of that period.

(2) Subject to subsection (3), the initial period is the period of two years beginning with the day on which this Act is passed.

(3) The Secretary of State may by order made by statutory instrument extend, or (on one or more occasions) further extend the initial period.

(4) An order under subsection (3)—

(a) must be made before the time when the initial period would end but for the making of the order; and

(b) shall have the effect of extending, or further extending, that period for the period of two years beginning with that time.

(5) The Secretary of State shall not make an order under subsection (3) unless a draft of it has been laid before Parliament and approved by a resolution of each House.

104 Arrangements for payments

(1) It shall be the duty of the Secretary of State to ensure that such arrangements are in force as he thinks appropriate for authorising or requiring, in such cases as he thinks fit, the making to communications providers of appropriate contributions towards the costs incurred by them—

(a) in complying with the provisions of any code of practice, agreement or direction under this Part, or

(b) as a consequence of the retention of any communications data in accordance with any such provisions.

(2) For the purpose of complying with his duty under this section, the Secretary of State may make arrangements for the payments to be made out of money provided by Parliament.

105 Interpretation of Part 11

(1) In this Part—

"communications data" has the same meaning as in Chapter 2 of Part 1 of the Regulation of Investigatory Powers Act 2000 (c. 23);

"communications provider" means a person who provides a postal service or a telecommunications service;

"legal proceedings", "postal service" and "telecommunications service" each has the same meaning as in that Act;

and any reference in this Part to the prevention or detection of crime shall be construed as if contained in Chapter 2 of Part 1 of that Act.

(2) References in this Part, in relation to any code of practice, agreement or direction, to the retention by a communications provider of any communications data include references to the retention of any data obtained by that provider before the time when the code was issued, the agreement made or the direction given, and to data already held by that provider at that time.

Intelligence Services Act 1994

114 Amendments of Intelligence Services Act 1994

(1) In section 7 of the Intelligence Services Act 1994 (c. 13) (authorisation of acts outside the British Islands), in subsection (3) —

(a) in paragraphs (a) and (b)(i), after "the Intelligence Service" insert, in each case, "or GCHQ"; and

(b) in paragraph (c), after "2(2)(a)" insert "or 4(2)(a)".

(2) After subsection (8) of that section insert—

"(9) For the purposes of this section the reference in subsection (1) to an act done outside the British Islands includes a reference to any act which—

(a) is done in the British Islands; but

(b) is or is intended to be done in relation to apparatus that is believed to be outside the British Islands, or in relation to anything appearing to originate from such apparatus;

and in this subsection ‘apparatus’ has the same meaning as in the Regulation of Investigatory Powers Act 2000 (c. 23)."

(3) In section 11(1A) of that Act (prevention and detection of crime to have the same meaning as in Chapter 1 of Part 1 of the Regulation of Investigatory Powers Act 2000), for the words from "for the purposes of this Act" to the end of the subsection substitute—

"(a) for the purposes of section 3 above, as it applies for the purposes of Chapter 1 of Part 1 of that Act; and

(b) for the other purposes of this Act, as it applies for the purposes of the provisions of that Act not contained in that Chapter."


From the Explanatory Notes of the Bill

Retention of communications data

28. Part 11 contains provisions to allow communications service providers to retain data about their customers' communications for access by law enforcement agencies and for national security purposes and to enable a code of practice to be drawn up in consultation with industry.

29. The code of practice will allow communications service providers to retain data about their customers' communications for access by law enforcement agencies. Currently communications service providers are obliged to erase this data when they no longer need it for billing purposes.

30. These provisions fall within the Regulation of Investigatory Powers Act 2000 which sets out the limits on the purposes for which the law enforcement, security and intelligence agencies may request access to data relating to specific communications.

31. There is also a reserve power to review the arrangements and issue directions if necessary. If still needed, it must be reviewed by an affirmative order every two years. As soon as the power is exercised, there is no need for further review.

PART 11: RETENTION OF COMMUNICATIONS DATA

Overview

259. Part 11 sets up a structure within which the Secretary of State can issue a code of practice relating to the retention of communications data by communications service providers, such as telephone and internet companies. Communications data is data relating to telephone, Internet and postal communications which does not include the substance of the communications itself. The Telecommunications (Data Protection and Privacy) Regulations 1999 regulate the retention of such data by communication service providers providing that such data can only be retained for certain specific commercial purposes. Otherwise it must be erased or made anonymous. Communications data can be a useful tool for law enforcement agencies and if held by a communications service provider will be accessible by a public authority under Chapter II of Part I of the Regulation of Investigatory Powers Act 2000 which is shortly to come into force. However, whilst the Regulations permit the retention of communications data on national security and crime prevention grounds there is currently no general guidance given as to when these might apply. Accordingly, communications service providers do not currently have a clear lawful basis for retaining communications data beyond the period that they require it for their own business purposes. Part 11 establishes a structure to regulate the continued retention of such data on national security and crime prevention grounds so that it may then be accessed by public authorities under the Regulation of Investigatory Powers Act 2000. Under clause 101 the Secretary of State can issue a voluntary code of practice which will provide a basis for retention of communications data. Clause 102 provides that if the voluntary scheme proves ineffective the Secretary of State may by affirmative order be authorised to impose mandatory retention directions on communications service providers. 
Clause 103 provides that the power to invoke the mandatory scheme in clause 102 will itself lapse unless renewed by affirmative order.

Clause 101 Codes and agreements about the retention of communications data

260. Subsection (1) sets out that a voluntary code of practice will be drawn up and issued by the Secretary of State. The code will be applicable to communications providers and will apply to communications data that they have generated or is otherwise in their possession.

261. Subsection (2) explains that the Secretary of State may enter into further agreements with specific communications providers, with the consent of both parties. These will specify in greater detail than the generic code the type of data that is retained, and the conditions of retention and retrieval. The aim of these individual agreements is to provide greater clarity as to each provider's retention practices for public authorities who are eligible under the Regulation of Investigatory Powers Act 2000 to access communications data.

262. Subsection (3) puts a requirement on the Secretary of State to consult with those who may be affected by the code, or their representatives, before issuing or revising it.

263. Subsection (4) requires the Secretary of State to publish the code of practice and any revised code in a way which brings it to the attention of the communications service providers to whom it applies.

264. Subsection (5) sets out that the code and any agreements may contain provisions necessary to safeguard national security, to prevent or detect crime and to prosecute offenders. The code and agreements may therefore contain any provision relative to those ends. Data retained in accordance with the code will therefore be retained for national security and law enforcement purposes, without prejudice to the communication provider's own business purposes.

265. Subsection (6) makes it clear that the code is voluntary: there are no penalties for non-compliance.

266. Subsection (7) allows the code or any agreement drawn up under this section to be used in legal proceedings brought against a communications provider by a person whose communications data they hold. Adherence to the terms of the code or agreement may be used as evidence that the retention of data is justified for national security or law enforcement purposes. This provision is intended to prevent a communications provider facing civil liability for retaining data in accordance with the code when they have no further need of it for business purposes.

Clause 102 Directions about retention of communications data

267. This clause permits the Secretary of State to issue compulsory directions if he is not satisfied that the operation of the voluntary code of practice is effective. Directions may only be given if the Secretary of State is authorised to do so by order.

268. Subsection (1) provides that the Secretary of State may by order authorise the giving of directions under this section.

269. Subsection (2) explains that the mandatory directions may apply to any of three categories: either all communications providers, a particular type of communications providers, or one or several specific communications providers.

270. Subsection (3) explains that the statutory order authorising the giving of directions must specify the maximum period for which any communications provider can be directed to retain any particular type of data.

271. Subsection (4) obliges the Secretary of State to consult with those who may be affected by the mandatory directions, or their representatives, before giving them. If the requirement is only being placed on particular communications providers (as in subsection 2(c) above), the Secretary of State must consult with them directly.

272. Subsection (5) explains that any direction must be explicitly brought to the attention of those to whom it applies.

273. Subsection (6) puts a duty on the communications provider to comply with any direction given under this section that applies to him. 

274. Subsection (7) sets out the consequences of non-compliance with any direction. The Secretary of State may bring civil proceedings against the communications provider, seeking an injunction, or other appropriate relief.

275. Subsection (8) requires that the Secretary of State lay a draft of any order made under subsection (1) before Parliament and seek the approval of both the House of Commons and the House of Lords for that order.

Clause 103 Lapsing of powers in section 102

276. This section provides for the renewal every two years of the Secretary of State's power under clause 103(1) to authorise the issue of compulsory directions. The power will lapse unless it is renewed.

277. Subsection (1) provides that the power to authorise the issue of compulsory directions ceases to have effect unless an order is made under clause 103 before the end of the initial period.

278. Subsection (2) defines the initial period as two years beginning from the day on which the Act is passed.

279. Subsection (3) provides that this period may be extended by order more than once.

280. Subsection (4) requires the order extending the period to be made before the end of that period. The extension may only be for two years at a time.

281. Subsection (5) requires that an order extending the initial period must be approved by affirmative resolution.

Clause 104 Arrangements for payments

282. This clause allows for payment arrangements to be made in order to compensate communications providers for the costs of adhering to the provisions of the code of practice or any agreements. It is consistent with similar provisions in the Regulation of Investigatory Powers Act 2000 (sections 24 and 52 of that Act).

283. Subsection (1) puts a duty on the Secretary of State to set up arrangements for paying an appropriate contribution of the costs incurred by communications providers acting in accordance with the code of practice or any agreements.

284. Subsection (2) clarifies that the Secretary of State may make arrangements for payments to be made out of money provided by Parliament.

Clause 105 Interpretation of Part 11

285. This clause provides a definition of the terms used in the Part.

286. Subsection (1) lists definitions of a number of terms. The terminology is consistent with that used in the Regulation of Investigatory Powers Act 2000.

287. Subsection (2) specifies that the provisions of any code of practice, agreements or directions under this Part are applicable to all data obtained or held by the communications provider, including that which came into their possession before the code, agreements or directions took effect.

Anti-Terrorism, Crime and Security Bill - Regulatory Impact Assessment (from the Home Office)

Data Retention

9. Costs to business will result from the voluntary agreement with communications service providers (CSPs) to retain data for law enforcement purposes and will fall upon public telecommunications operators, international simple voice resale providers and internet service providers. Although many of the larger CSPs do currently retain their data for the period envisaged in this legislation (up to 12 months), this is not standard practice across the industry.

10. The costs to industry fall into three categories: technical investment, technical running costs and staff costs. Some of these costs are already incurred by service providers retaining data for their own business purposes, for which substantial retention capabilities may already exist.

11. Estimates vary upwards from £9m per annum across the industry. The costs to internet service providers are anticipated to be greater than those for public telephone operators, and have been estimated to be on average in the region of a few hundred thousand pounds per year for each provider.

12. Government will discuss what arrangements might be appropriate to compensate communication service providers for any additional costs under these provisions, particularly since those that will be most affected will be small/niche-market businesses. The Government has given assurances that measures taken in the context of the emergency legislation should not commercially disadvantage UK business or impact on the confidence of users and operators in the UK as the best place to do e-business. Details of the requirements will be covered in the code of practice.

13. However, the situation varies greatly from one firm to another according to infrastructure and retention practices. Therefore, the provisions and any compensation will be dealt with on a case by case basis: there would not be a "one size fits all" arrangement.


House of Lords and House of Commons Joint Committee On Human Rights - Second Report on the Anti-Terrorism, Crime and Security Bill, HL 37, HC 372, 16 November 2001

Part 11 of the Bill: Retention of Communications Data

69. Part 11 of the Bill deals with the retention of communications data. These are data held by communications providers about the use made of their facilities by customers, such as the telephone numbers dialled from a particular line, the times and duration of calls, and equivalent data in respect of Email communications. They currently fall outside the regime for authorizing surveillance under Chapter 2 of Part I of the Regulation of Investigatory Powers Act 2000.

70. Clause 101 proposes that the Secretary of State should issue a Code of Practice and enter into agreements with providers about the retention of such data. Under clause 102, the Secretary of State would then be empowered to issue directions, by statutory instrument, requiring the providers to make specified provision for the retention of communications data. It would be possible to enforce the directions by civil proceedings. These powers are linked to the maintenance of national security, but also detection or prevention of crime more generally.

71. There is no express limit to the scope of the powers. They could be used to secure highly sensitive data for the purpose of investigating very minor offences, or even for monitoring people's communications without any ground for suspecting them of any offence or of threatening national security. We note that as the Bill is presently drafted, the Code of Practice relating to the retention of communications data will not be subject to any parliamentary procedure. We also have in mind that a Code of Practice may be used as evidence in courts and tribunals, and that a direction given by a Secretary of State may give rise to legal obligations. In the light of these factors, we consider that measures should be put in place to ensure that the Code of Practice and any directions are compatible with the right to respect for private and family life, home and correspondence under Article 8 of the ECHR, and that those measures should be specified, so far as practicable, on the face of the legislation. We accordingly draw these provisions to the attention of each House.

Conclusion
76. We have had to consider the Anti-terrorism, Crime and Security Bill at great speed. We are very conscious of the circumstances which gave birth to it, and the threat that many citizens of this country still feel to their safety after the terrible events of 11 September. However, Parliament should take a long view, and resist the temptation to grant powers to governments which compromise the rights and liberties of individuals. The situations which may appear to justify the granting of such powers are temporary—the loss of freedom is often permanent.

77. The Government has made sincere efforts to safeguard rights while addressing the threat that it assesses exists to national security. Indeed, the Home Secretary has been keen to stress that he has sought the derogation from the ECHR because he wishes to override a lesser right (to a fair trial) in order to preserve a greater one (to be free from torture or capital punishment or inhuman and degrading treatment). All such decisions involve balancing freedom and security—a balancing act of which it is difficult to judge the success because Parliament is not privy to all the information to which Ministers have access.

78. We have concluded that, on the evidence available to us, the balance between freedom and security in the Bill before us has not always been struck in the right place. In particular, although we recognise the dilemma from which the Home Secretary sought to free himself by recourse to the derogation from Article 5, we are not persuaded that the circumstances of the present emergency or the exigencies of the current situation meet the tests set out in Article 15 of the ECHR. It is now for Parliament to draw its own conclusions, and for Members of both Houses to satisfy themselves that there are adequate safeguards to protect the rights of the individual citizen against abuse of these powers.

79. On the other matters of concern which we have outlined above, we will be seeking further evidence and giving them further consideration. We may report to each House again before the Bill reaches the statute book—in whatever form it gets there. Careful consideration is not, however, aided by the decision to push a Bill of this size and complexity through Parliament at such breakneck speed. Too many ill-conceived measures litter the statute book as a result of such rushed legislation in the past.


13/11/01 - Information Commissioner Contributes to Scrutiny of Anti-Terrorism Bill

The Information Commissioner, Elizabeth France, today offered comments on the proposed provisions of the Anti-Terrorism, Crime and Security Bill. The Bill contains provisions relating to the retention of communication data by communications providers for possible later access by law enforcement agencies.

The Commissioner, who has set out her concerns in a memorandum to inform the public scrutiny, said:

"The proposed provisions could have a significant impact on the privacy of individuals whose data are retained. If there is a demonstrable and pressing need for these provisions, an appropriate balance must be struck between personal privacy and the legitimate needs of the law enforcement community.

"I am particularly concerned that leaving matters to a voluntary code of practice, or to agreements, may pose difficulties for data protection and human rights compliance.

"Although recent events have prompted these measures to be brought forward, law enforcement agencies will make use of them on a day to day basis for a variety of matters. Careful consideration must be given to ensure that the provisions are appropriate to addressing these more routine needs."

---ends---


Notes to Editors

The Commissioner has a statutory duty to promote observance of the Data Protection Act 1998. Her memorandum is available on her website at www.dataprotection.gov.uk 

For further information please contact Angela Nonis or Helen Corkery on 01625 545700


1 General


The Information Commissioner (the Commissioner) has statutory responsibility for promoting and enforcing the Data Protection Act 1998 (the 1998 Act). The Act sets legally enforceable standards in relation to the processing of personal data; it also gives the Commissioner a statutory duty to raise awareness and promote good practice in relation to the processing of personal data. The Act provides a number of safeguards to protect individuals where others are handling their personal information, but it also contains provisions modifying these where they would be likely to prejudice the prevention or detection of crime, the apprehension and prosecution of offenders or where national security would be affected. In short, the Act and the European Union Directive upon which it is based, seek to balance respect for the privacy of individual citizens and the need of society to protect itself against criminal and other subversive activity.

2 The Need to Retain Communications Data

The Commissioner has been aware for some time of pressure from the law enforcement community to require communications providers to retain details of communications data. This, it is claimed, would assist the detection of particular crimes and help with criminal intelligence gathering. Although such calls have been made it has not always been clear to what extent such retention is required beyond the period for which the communications providers would retain this for their own business reasons. Neither is it clear what additional retention is realistically required to meet the law enforcement community's investigatory needs. Questions relating to the extent of the information required have also remained largely unanswered. For example, are all aspects of communications data important or just those elements that may be described as 'the connection data' (limited to matters such as IP address, connection times and calling line identity)?

Important issues are the relevance of the personal data, the length of the data retention period for the needs of the law enforcement community and how far this goes beyond existing industry practice. Attaching the appropriate weight to these factors is necessary to avoid affecting the privacy of individual citizens disproportionately and also placing additional cost burdens upon communications providers in having to retain large collections of personal data and continue to manage these to the standards set down in the 1998 Act.

3 The effects of the Data Protection Act 1998, the Telecommunications (Data Protection and Privacy) Regulations 1999 and the Human Rights Act 1998

Other compliance issues can arise in connection with the need to process personal data fairly and lawfully, including having a legitimate basis for processing (1st Principle) and to ensure that data are relevant and not excessive in relation to the purpose for processing (3rd Principle). Communications data may contain, for example, in e-mail headers, information of a specially sensitive nature (such as health information). Directive 95/46/EC and the 1998 Act impose strict rules regulating the circumstances in which such data can be processed. Failure to comply with these Principles can lead to enforcement action by the Commissioner or legal action by an individual who suffers damage or distress as a result of the contravention.

Continued retention of communications data by a communications provider beyond the completion of its own processing need, in order to satisfy the needs of others, is likely to contravene the 1998 Act's requirements. The clauses providing for retention based on the provision of a code of practice or agreement would not necessarily remedy the situation.

The Bill raises a number of concerns about its compatibility with Convention rights. While the Bill might engage a number of Convention rights, the Commissioner's comments focus on the Article 8 right to respect for private and family life. The starting point must be that the proposed legislation will involve an interference with the Article 8 rights of individuals. The question is whether that interference can be justified under Article 8(2).

The first requirement of Article 8(2) is that the measures proposed are "in accordance with the law". This requires that interference must have some basis in national law. The proposed legislation would satisfy this bare requirement. However, the phrase "in accordance with the law" in terms of the Convention further requires that the law concerned must be accessible and precise (i.e. foreseeable in its consequences). Where the state has power to carry out investigations involving an interference with the right to privacy, Article 8 requires a positive framework of legal rules circumscribing the exercise of any such power, and incorporating legally binding safeguards against abuse. The law must indicate the circumstances in which such interference can occur, its duration, and the limits of the authorities' powers. Without sight of the proposed statutory code of practice (clause 101(1)), any agreement with a communications provider (clause 101(2)) and/or secondary legislation (clause 102) envisaged under the proposed legislation it is not possible to assess what the legal framework will be in this area. There must therefore be a concern that the proposed legislation would be incompatible with Convention rights as it fails to satisfy this basic requirement for precision and foreseeability in the delineation of the Secretary of State's powers.


4 Codes and Agreements about the Retention of Communications Data (clause 101)

This clause in the Bill provides for the Secretary of State to issue a code of practice relating to the retention by communications providers of data obtained or held by them. The Commissioner understands the attraction of the flexibility in such an approach, particularly where the precise needs have yet to be determined. The clause provides for the Secretary of State to include such provisions as he deems necessary for crime prevention and detection purposes. The clause provides no further guidance on the matters to be included in such a code or its relationship with the code produced under section 71 of the Regulation of Investigatory Powers Act 2000 dealing with the accessing of communications data. The lack of specific provision gives the Commissioner cause for concern that any code produced on the basis of the clauses contained in existing draft provisions would have a number of significant defects particularly in terms of compliance with the requirements of the Human Rights Act. The continued absence of clarity as to what information is necessary for law enforcement purposes, what the realistic retention needs of these agencies amount to and the effect on those who seek to comply with the code's provisions present real difficulties.

The Bill pursues the legitimate aims of national security, public safety and the prevention of disorder or crime. Article 8(2) imposes a further requirement that any interference be "necessary in a democratic society", i.e. that it fulfils a "pressing social need" and is "proportionate" to the legitimate aim pursued. The scope of the powers proposed to be given to the Secretary of State is immensely broad. The lack of any overt safeguards against abuse of such powers indicates a lack of proportionality such as to render the prospective legislation incompatible with Convention rights.

The extent to which communications data expose private life varies. Some data reveal either directly or by implication the content of messages. It appears that those that are least revealing may be those that are of most value to law enforcement agencies. Application of the principle of "proportionality" requires that any proposals for retention address communications data item by item. A proportionate and human rights compliant approach would restrict retention to these less revealing and more valuable data.

The Commissioner is also concerned that a communications provider would not be in a position to have confidence that adherence to the code's provisions would ensure compliance with the 1998 Act. As set out above, a number of the Act's requirements would be relevant particularly regarding processing data for no longer than necessary for the business purpose, but also in relation to having a proper basis for processing and the need to ensure data are not excessive. The clause provides for the admissibility of the code in legal proceedings. This would have the effect that the code could be taken into account by the Commissioner when assessing the processing for compliance or deciding upon enforcement action. However the simple existence of a voluntary code containing provisions relating to retention would not necessarily mean that such periods were relevant to judging whether data are held longer than necessary for the communications provider's own purposes. Once data were no longer needed for the purposes of the communications provider, they should be deleted. The proposed legislation imposes no duty to retain for the law enforcement purposes of public authorities; it is not clear how the simple power proposed can overcome the duty to delete imposed by the 1998 Act. Concerns over Human Rights Act compliance would further weaken the reliance to be placed on such a code in an enforcement context.

The clause also contains a provision relating to the Secretary of State entering into "agreements". Any such agreement would suffer from all the defects described above in relation to the code of practice. This provision has the additional problem of creating uncertainty about the relationship between an existing code and a specific agreement with a particular provider. It is not clear whether such an agreement could weaken or otherwise alter provisions set down in the proposed code benefiting from previous consultation with interested parties. This lack of precision as to effect and consequences underscores the concerns about the propriety of such an approach.

The clause provides for consultation with communications providers at the point of production or revision of a code. There are a number of other interested parties who should be involved in any consultation process. Given the Commissioner's role in enforcing legislation affecting the retention of data it is essential that she be included formally in the consultation process. Given that it is individuals whose data will be retained and possibly accessed by third parties then consideration should be given to consulting formally on a Code with appropriate representatives of the wider community. An appropriate model may be found at section 51(3) of the 1998 Act as this requires the Commissioner to consult with both trade associations and representatives of data subjects as appear appropriate prior to production of a data protection code of practice. The final code should also be drawn to the attention of affected parties not just to communications providers.

5 Directions about the Retention of Communications Data (clause 102)

If there is a need to retain data for longer than a communications provider would for their own purposes in order to prevent and detect crime then a statutory duty to retain would provide the necessary certainty for communications providers that such retention would not contravene the 1998 Act. If continued retention is necessary then this approach should be adopted rather than left as an alternative to be considered at a later date. A statutory duty would provide a proper basis for processing by a communications provider.

Although a statutory duty to retain is attractive, the mechanism envisaged by this clause is problematic. Although the Secretary of State requires an order before he can make directions, the order making power does not appear to result in the direction itself being subject to the same scrutiny. The inclusion of a requirement for an order to specify a maximum period for retention permitted in any direction is helpful. However, once the Secretary of State has the power then, subject to any necessary consultations, he will still enjoy a substantial amount of discretion over the content of any directions. This is of concern.

The clause provides for consultation with communications providers before the Secretary of State issues a direction. The earlier comments in relation to consultation on codes of practice and agreements are equally relevant here. The Commissioner would expect to be consulted formally about directions applying to communications providers.

The inclusion of a provision (clause 103) causing the order making power to lapse if unused for 2 years is a helpful mechanism to ensure scrutiny of the continued need for such a power. However, there is no linkage between the taking of the power and the issuing of directions. It is possible that the power could be taken to preserve the possibility of directions at a later date.

6 Arrangements for Payment (clause 104)

If communications providers are expected to retain data beyond their own needs this will inevitably incur an additional financial burden not only in terms of storage but also in relation to the cost of ensuring that they hold the data to the standards set by the 1998 Act. They must, for example, ensure appropriate security and facilitate individuals' access rights. It is not for the Commissioner to comment on the propriety of reimbursing costs; however, consideration should be given to establishing a regime that reinforces the need for those seeking retention to act in a proportionate manner.

7 Other Observations

The time available for consideration of this important issue may mean that other options that might have a lesser impact in terms of personal privacy are not explored. Consideration could be given to the possibility of establishing a trusted third party who would retain the communications data (perhaps in an encrypted form with restricted access to the keys) beyond the needs of the communications provider. Such a third party would need to be independent of the law enforcement community, communications industry and government: some form of judicial control might be appropriate.

Home Office, Retention of Communications Data: Supplemental Regulatory Impact Assessment

RETENTION OF COMMUNICATIONS DATA

TITLE

1. Voluntary retention of communications data by communications service providers for the purposes of national security or the prevention or detection of crime or the prosecution of offenders.

PURPOSE AND INTENDED EFFECT OF THE MEASURE

Issue and objective

2. Issue: Communications data is an important investigative tool: it allows investigators for example to establish links between suspected conspirators (itemised bill) or to ascertain the whereabouts of a given person at a given time, thereby confirming or disproving an alibi (cell site analysis). Data is distinct from content: taking the example of a mobile telephone call, data includes the originating/destination telephone line, and the time and place of the call, whereas content is what was said during the conversation.

3. There are currently no provisions for communications service providers to retain communications data for the purposes of the law enforcement, security and intelligence agencies. Under the Telecommunications (Data Protection and Privacy) Regulations 1999, service providers are obliged to erase or anonymise data which is not needed for specific business purposes (e.g. management of billing and traffic, customer enquiries, prevention or detection of fraud and marketing of telecommunications services). The Regulation of Investigatory Powers Act 2000 regulates access to communications data by authorised public authorities, but makes no provisions to ensure that such data is available when public authorities request it.

4. Objective: This legislative proposal is intended to ensure that communications service providers have a clear legal basis for retaining communications data for law enforcement purposes, and that public authorities have a clear picture of what data is being retained and for how long.

5. This objective will be achieved by means of a voluntary code of practice which will be admissible in legal proceedings as evidence that the data has been retained for the purpose of preventing and detecting crime and prosecuting offenders. The Secretary of State will have reserve powers to impose a mandatory code of practice by order if the voluntary arrangements are considered not to be working satisfactorily.

Risk Assessment

6. Changes to the business model are leading to a reduction in the amount of data which is needed for billing purposes (e.g. pre-pay/ subscription/ "always on"). Combined with pressure from the privacy lobby, this is leading to a decrease in data retention overall. The risks associated with data retention fall in four main areas: security, civil liberties, domestic competition and international competition.

Security

7. Communications data have played a vital part in the terrorist investigations relative to the events of 11 September 2001. Future investigations would be seriously hampered by a lack of available data.

Civil Liberties

8. Data relating to specific individuals under investigation will only be available if data relating to the communications of the entire population is retained, since a criminal's data cannot be distinguished from anyone else's at the time of collection/retention. Mass retention has obvious civil liberties ramifications (even though this is data, not content, and retention, not access). A balance must therefore be drawn between security and privacy.

Domestic competition

9. Equally, there are risks to communications providers. Retaining and retrieving data is expensive and may require the development of new systems. Marginal costs will vary according to the retention specification: the longer the period and the broader the definition of data affected, the higher the costs. Smaller or niche-market firms might suffer disproportionately from a blanket requirement. However, there has already been considerable investment in retention capability across the industry: a report produced for the Home Office estimated that £20 million had already been spent in tailor-made systems, developed by the industry for law enforcement purposes.

International Competition

10. Concern has been expressed that the UK's competitiveness in the e-commerce market might suffer. However, we are not the only country to address this issue. In the EU, France, Germany, Belgium, the Netherlands, Denmark and Italy either have or are on the point of introducing retention policies. Consistency in approach under the Third Pillar has been proposed and further negotiations will follow.

11. For these reasons, the legislative proposal is for a voluntary code of practice which will specify a maximum recommended period for the retention of data. This period is expected to be twelve months (it will not be more); it has not been specified on the face of the bill since the start date of the retention period will vary for different types of data (e.g. point of collection/transfer/cancellation). This level of detail will be worked up in the code of practice.

OPTIONS

12. Three options have been identified:

Option 1: Self-regulation

Option 2: Voluntary code of practice, and individual agreements

Option 3: Mandatory code of practice

ISSUES OF EQUITY AND FAIRNESS

13. None of the identified options would seem likely to discriminate against any particular element of society.

BENEFITS

14. The proposed provisions for the Bill reflect Option 2. This option appears to offer the best compromise between the conflicting risks of security, privacy and competition.

15. Option 2 will provide a framework for negotiation between the two groups of parties affected by the issue of data retention: the security, intelligence and law enforcement agencies and the communications service providers. It will ensure that the needs of law enforcement are addressed, without corralling communications service providers into an arrangement which is disadvantageous for their business interests. It also has the advantage of a high level of flexibility: agreements between the Government and individual service providers can be tailored to the business practices of each service provider.

16. The other two options have clear disadvantages: Option 1 would be unlikely to preserve the necessary data and may result in unequal implementation of the proposals. It would not give a clear role to the law enforcement community in negotiating the code of practice.

17. Option 3 would risk imposing substantial costs on industry which would severely impact business. Its advantages for the law enforcement agencies would be total clarity about what data is retained across the industry; and for communications service providers, less vulnerability to civil liability if they retain data longer than is needed for their own business purposes.

QUANTIFYING AND VALUING THE BENEFITS

18. Security and liberty are notoriously difficult to quantify, although highly valued. Similarly with competition, it is hard to state what the quantitative impact of the proposals will be on companies' competitiveness.

19. In terms of international competition, these provisions are in line with legislation being introduced in other EU countries. UK business should not suffer unduly in comparison to competitors operating abroad as a result of these provisions.

COMPLIANCE COSTS FOR BUSINESS, CHARITIES AND VOLUNTARY ORGANISATIONS

Business sectors affected

20. The legislative proposals affect three key business sectors: public telecommunications operators, international simple voice resale providers, internet service providers, and postal carriers. Given the rapid development of technology in the telecommunications sector, it is expected that other groups will be affected in the longer term as technological innovations are introduced into the communications marketplace.

21. Public telecommunications operators (PTOs) are licensed under Sections 7 and 8 of the Telecommunications Act 1984, and their systems designated as public telecommunication systems under Section 9. They include some cable companies and mobile operators. In total they number around 280, although most of the market share is held by less than a dozen operators.

22. International simple voice resale providers (ISVRs) are licensed under Section 7 of the Telecommunications Act, and buy bulk international line space from PTOs to resell the calls. 570 were licensed by the Department of Trade and Industry as of November 2001, of which around 60% are currently active in the market.

23. Internet service providers (ISPs) are also licensed under Section 7 of the Telecommunications Act. The Internet Service Providers Association lists around 100 members, although not all of these are ISPs; and the London Internet Exchange lists over 80. In total there are now over 300 operating in the UK.

Compliance costs

24. Technically there will be no compliance costs since the proposal is for a voluntary code of practice. However, the Government hopes that retention periods will increase both as a result of industry negotiations during the consultation process and due to the increased protection from civil liability afforded by a statutory code which is admissible in legal proceedings.

25. Retention costs fall into three categories: technical investment, technical running costs and staff costs. If service providers are asked to retain more data for longer periods, they may need to invest in new systems to hold and retrieve the data. These systems will then have associated running costs. Managing the process will also require the time of engineering staff and senior managers who will be diverted from their core business functions. There may be associated recruitment and training costs, together with increased time spent assisting the agencies or in court verifying data produced as evidence.

26. Some of these costs are already incurred by service providers retaining data for their own business purposes, for which substantial retention capabilities may already exist.

27. Estimates vary upwards from £9m per annum across the industry. The costs to internet service providers are anticipated to be greater than those for public telephone operators, and have been estimated to be on average in the region of a few hundred thousand pounds per year for each provider.

28. However, the situation varies greatly from one firm to another according to infrastructure and retention practices. Therefore, the provisions and any compensation will be dealt with on a case by case basis: there would not be a "one size fits all" arrangement.

Total compliance costs

29. If the number of requests for access to communications data increases as a result of these provisions, this might lead to an increase in public authority spending on accessing communications data (a cost-recovery scheme is currently in operation). Alternatively, the number of requests could be capped by putting an upper spending limit on the budget for communications data requests.

30. The provisions placing a duty on the Secretary of State to put in place arrangements to compensate communications service providers for the costs of adhering to the code of practice or any agreements are consistent with similar provisions in the Regulation of Investigatory Powers Act 2000.

RESULTS OF CONSULTATIONS

31. Full consultation will take place in the context of drawing up the code of practice: the Secretary of State will have a statutory duty to consult with industry before issuing it.

32. Initial meetings with industry representatives about the Government's proposals have already taken place: they met with a cautious welcome. A report on current data retention practices in industry was commissioned before the events of 11 September and has just reported. It gives a good picture of the complexity of the issue. There is also on-going consultation in the form of the Government Industry Forum and the Association of Chief Police Officers Telecommunications Industry Liaison Group. Further presentations have been planned with law enforcement agencies and communications service providers respectively.

SUMMARY AND RECOMMENDATIONS

33. Option 2 offers the best solution in terms of offering clarity to both service providers and law enforcement about the lawful basis for retaining communications data and its availability, without having the high cost implications of Option 3.

34. Its main benefit lies in its flexibility, and adaptability to the business practices of each communications service provider by means of individual agreements. It can only work with industry co-operation, which the Government anticipates to be forthcoming, based on experience to date.

ENFORCEMENT, SANCTIONS, MONITORING AND REVIEW

35. A reserve power to introduce a mandatory code of practice under secondary legislation, subject to affirmative resolution, will also be put forward. This power will be subject to a review every two years, and discarded if no longer felt to be necessary.

Contacts:

Michael Gillespie

Organised and International Crime Directorate
Queen Anne's Gate
50 Queen Anne's Gate
London
SW1H 9AT

Michael.Gillespie@homeoffice.gsi.gov.uk
