Home Office

27 Sept 2002

Dear Bob,

Re ATCS Act Code of Practice on data retention revised version

Thank you for inviting us to comment on the latest version of the draft Code of Practice on data retention and the recently supplied Agency Business Case. The Internet Services Providers Association (ISPA) welcomes the opportunity to respond to these documents on behalf of its Members.

We understand that this revised version attempts to address issues of concern identified by the independent legal advice obtained by the Office of the Information Commissioner. However, ISPA has continuing concerns with the Code of Practice and, in particular, its relationship with the Regulation of Investigatory Powers Act.

RIPA Part 1 Chapter 2

We are concerned that the Home Office maintains there is no need to amend RIPA to resolve the conflict between the purposes of retaining data (i.e. for national security considerations) and the agencies and purposes able to access such data under s. 22 RIPA.

In the summary of the OIC's legal advice we were provided with, Counsel concludes that even if it was arguable that retention was not unlawful, the disclosure of retained data for purposes other than national security, under Part 1 Chapter 2 RIPA, could be disproportionate and infringe a data subject's rights under Article 8 of the ECHR. We are concerned at the increased liability this may place on CSPs given the voluntary status of compliance with the Code, and subsequent retention of data.

Agency Business Case

CSPs are rightly concerned that voluntarily retaining communications data beyond normal business practices may be unlawful, and in conflict with the Data Protection Act 1998. To answer these concerns, ISPA has repeatedly asked for LEAs to justify their requests through the publication of a "business case" proving the necessity of the extension in retention periods for the purposes of national security.

The business case was finally provided to us earlier this month. While we welcome its eventual publication, we do not believe it answers CSPs' concerns, nor presents a compelling case to support the Home Office's view that it is necessary to extend data retention beyond normal business practice. The document fails to provide details of the number of investigations that are currently compromised through lack of available data and assess whether this is detrimental to the public interest and national security. The investigations cited in the case refer to cases in which officers sought data older than 15 months and where there was no national security consideration involved.

These concerns are echoed in the statement recently published by the European Data Protection Commissioners at the International Conference in Cardiff, 9th to 11th September 2002. The European Data Protection Commissioners state that they have "grave doubts as to the legitimacy and legality of the mandatory systematic retention" of such data. While they accept there is a case for traffic data to be retained in specific cases with "demonstrable need", they insist the "period of retention must be as short as possible" with a "period of one year or more..[being] clearly disproportionate and therefore unacceptable in any case".

Reserve powers of Section 104

We understand that, should the current Code prove unsuccessful in securing compliance from CSPs, it is the Home Secretary's intention to invoke the reserve power in section 104 and make the Code mandatory. We understand that this move is intended to address legal concerns raised by CSPs, however we are concerned that such a dramatic change in policy should not, or could not, occur too rapidly. We believe that, to allow for full implementation of the Code, a certain period of time should have to lapse before the Code can be deemed to be "in operation" and the reserve power deemed necessary.

Costs to CSPs

In addition to the legal concerns detailed above, CSPs have ongoing concerns with the cost and technical implications of the current retention proposals. We believe CSPs should have greater assurance that they would not be subject to any commercial disadvantage in complying with the Code. The current position that "the Secretary of State will contribute a reasonable proportion of marginal costs as appropriate" does not provide sufficient comfort or reassurance to CSPs that an industry already facing severe financial difficulties will not be subject to additional financial burden that may prove too costly for their business model.

While ISPA remains committed to assisting law enforcement and intelligence agencies in the fight against terrorism, we are concerned that there has not been significant progress in developing the Code since its initial publication in late 2001. We do not believe the concerns detailed above can be reconciled against the proposed voluntary retention of data and do not feel we could recommend to our members that they voluntarily comply with the proposed Code of Practice.

While the issue of concern remains the availability of data for law enforcement and intelligence agencies in protecting national security, the Secretary of State may wish to consider alternative means to achieving this end. In particular, ISPA would recommend a system of data preservation requests, used immediately after the terrorist attacks of September 11th 2001, be given serious consideration.

Yours sincerely,

ISPA Secretary General