Thursday, 11 February 2016

Scrutinizing the draft Investigatory Powers Bill

The point about pre-legislative scrutiny is that a parliamentary bill gets a good prod before it begins its usual passage through Parliament. The main issues are identified, and stakeholders can marshal their views in an attempt to influence the decision-makers in good time for changes to be made that ought to result in a statute that is far fitter for purpose.

Three Parliamentary Committees have recently reported on the Draft Investigatory Powers Bill. The measure, complete with a guide to its powers and safeguards, was published as a 296-page document on 4 November. It is not an easy read, even for the surveillance specialists.

Given that a number of stakeholders submitted the same comments to (at least two of) the Committees, it’s not surprising that they all independently reached (broadly) similar conclusions. What is surprising, however, is the tone of the reports. Each gave the Home Office a good kicking. And the Committee comprising the most experienced politicians gave the Home Office the hardest kicking.

First up was the Science and Technology Committee. The committee of 11 MPs had received 50 written submissions, held 2 public hearings during which witnesses gave evidence, and published a 38-page report making 14 recommendations on 30th January.

The STC noted that "Previous attempts to legislate in this area have met with criticisms over the lack of consultation with communications service providers (CSPs) on matters of technical feasibility and cost.” …. Following the failure of previous attempts to introduce data legislation, the Government has made efforts to consult and engage with communications service providers likely to be most affected by the draft Bill. However, there remain widespread doubts over the definition, not to mention the definability, of a number of the terms used in the draft Bill. This has given rise to uncertainties over the likely scope and costs associated with implementing the proposed measures.

The nature of ICRs and the true extent of the Bill’s ‘removal of electronic protection’ and ‘equipment interference’ powers are precisely the subject of uncertainty and concern from business due to lack of clarity in the Bill and in the consultation so far. It is clear that greater reassurance is needed—both on the face of the Bill and in forthcoming Codes of Practice—that businesses will not be subject to disproportionate additional burdens that will not be fully paid for.

If law enforcement agencies and the intelligence and security services are effectively to combat terrorism and serious crime, they must have the means to keep pace with developments in communications. They will doubtless need to continue to deploy a range of methods for intercepting and acquiring information about communications. The evidence we have received suggests there are still many unanswered questions about how this legislation will work in the fast moving world of technological innovation."

Next to report was the Intelligence & Security Committee, a group of very senior politicians. The committee comprising 2 peers and 7 MPs held no public hearings, but instead heard evidence in private from the Home Secretary, Home Office officials and the heads of the intelligence agencies. A 13-page report, making some 23 recommendations, was published on 9th February.

The ISC pulled few punches. "The Investigatory Powers Bill is the first major piece of legislation governing the Agencies’ powers in over 15 years. While the issues under consideration are undoubtedly complex, we are nevertheless concerned that thus far the Government has missed the opportunity to provide the clarity and assurance which is badly needed. That the confusion surrounding the existing legislation fuelled many of the allegations and suspicions concerning the Agencies’ investigatory powers over the past few years clearly demonstrates the importance of transparency in this area.
Overall, the privacy protections are inconsistent and in our view need strengthening. We recommend that an additional Part be included in the new legislation to provide universal privacy protections, not just those that apply to sensitive professions.
The provisions in relation to three of the key Agency capabilities – Equipment Interference, Bulk Personal Datasets and Communications Data – are too broad and lack sufficient clarity.
We fail to see how Parliament is expected to approve any legislation when a key component, on which much of it rests, has not been agreed, let alone scrutinised by an independent body. 

The approach towards the examination of Communications Data in the draft Bill is inconsistent and largely incomprehensible. The Committee recommends that the same process for authorising the examination of any Communications Data (including Related Communications Data) is applied, irrespective of how the Agencies have acquired the data in the first instance. This must be clearly set out on the face of the Bill: it is not sufficient to rely on internal policies or Codes of Practice.
The issues we have highlighted in this Report must be addressed before any subsequent Bill is laid before the House and we would urge the Government to ensure that it takes sufficient time and care in so doing. While we recognise the timing constraints imposed by the ‘sunset clause’ in the Data Retention and Investigatory Powers Act 2014, it appears that the draft Bill has perhaps suffered from a lack of sufficient time and preparation and it is important that this lesson is learned prior to introduction of the new legislation."
Finally, it was the turn of the Joint Committee on the draft Bill. This committee, comprising 7 peers and 7 MPs, had received 148 written submissions, running to over 1500 pages of evidence, heard from 59 people in 22 public panels during which witnesses gave evidence, and published a mighty 198-page report making 86 recommendations on 11th February. As a specialist adviser to this Committee, I was one of the lucky few who spent their Xmas holidays reading over half a million words of evidence.

Here, the criticism is more measured, although the message is the same:

"Resolving the tension between privacy and effective law enforcement in this area is no easy task. The Home Office has now come forward with a draft Bill which seeks to consolidate in a clear and transparent way the law enabling all intrusive capabilities. The Committee, together with the many witnesses who gave evidence to us, was unanimous on the desirability of having a new Bill.
The major change which would be brought about by the draft Bill is the creation of a new judicial oversight body and the much greater involvement of judges in the authorisation of warrants allowing for intrusive activities. As well as being important in in its own terms, making this change will reduce the risk that the UK’s surveillance regime is found not to comply with EU law or the European Convention on Human Rights.
A proposal which has attracted much attention from our witnesses is that of the creation of an obligation on communications service providers to collect and retain users’ internet connection records (ICRs). We heard a good case from law enforcement and others about the desirability of having such a scheme. We are satisfied that the potential value of ICRs could outweigh the intrusiveness involved in collecting and using them. But we also heard strong concerns, in particular from some of the providers themselves, about the lack of clarity over what form the ICRs would take and about the cost and feasibility of creating and storing them. The Home Office has further work to do before Parliament can be confident that the scheme has been adequately thought through.
Other concerns were over the provisions in the Bill for bulk powers to intercept, to acquire communications data and to interfere with equipment. These powers are not new, but have been avowed for the first time in legislation. The public debate over these powers is a healthy one, and the Home Office should ensure that it and the security and intelligence agencies are willing to make their case strongly in the months ahead.
Much of the important detail about the way the new legislation will work is to be contained in a set of Codes of Practice. We call on the Government to ensure that these Codes are published alongside the Bill to inform the further scrutiny which the Bill will receive from the two Houses. In our view, the Bill would also benefit from a post- legislative review by Parliament five years after its enactment. We call for provisions for such a review to be included in the Bill."
The Joint Committee’s recommendations for improving the draft Bill were all designed to ensure that the powers are workable, can be clearly understood by those affected by them and have proper safeguards. Most significantly:
On encryption: "The Home Secretary assured the Committee that its approach to encryption is not designed to compromise security or require the creation of ‘backdoors’. The Committee welcomed this clarification, but was concerned that this needs to be made clear the drafting of the legislation."
On bulk powers: The Committee recommends that if bulk powers are to be included in the Bill, a fuller justification for each should also be published alongside the Bill. It recognises that the Intelligence and Security Committee has recently published its report, which the Committee believes will be of significant value to the two Houses when the Bill is introduced and scrutinised.”
And, on Internet Connection Records (ICRs): "The Committee can see the desirability of ICRs, but has not been persuaded that enough work has been done to conclusively prove the case for them. The Committee would like to see the Government work harder with industry in order to provide more robust information."
So, where do we go from here?

Pre-legislative scrutiny is, after all, just the end of the beginning.

In parliamentary terms, the Government’s business managers have already decided how much parliamentary time can be made available for Home Office-sponsored legislation before the end of the year – when the sunset clause for the records retention provisions in the Data Retention and Investigatory Powers Act 2014 takes effect.

Should Parliament concentrate on passing a Bill that is narrower in scope this year, say one that just addresses the data retention and oversight provisions? Is there really sufficient time to consider other elements – such as overhauling the bulk data and equipment interference provisions in 2016? A second Bill, containing the remaining provisions, could always be considered in 2017.

The Parliamentary calendar will be constrained this year as much business will cease during the EU referendum campaign, the dates of which have not yet been set. 

Looking at the 2016 Parliamentary holidays for the House of Commons (the House of Lords will set slightly different dates), the February recess is from today (11 February) until 22 February. The Easter recess is set from 24 March to 11 April. The Summer recess will be from late July to early September, the Conference recess will be from mid September to mid October, there will be a week’s break in mid November and then the Christmas recess will commence in mid December. That doesn’t leave a lot of time for legislating.

So, a new bill needs to be ready and tabled within weeks. And, if it is to get through both Houses of Parliament unscathed, it really does needs to take full account of each of the 123 recommendations that have been made by the scrutiny Committees.

There will be no rest for the Home Secretary, her officials and the Parliamentary draftsmen for the foreseeable future.


Tuesday, 18 August 2015

In praise of David Smith

As Deputy Commissioner David Smith completes his last lap of the data protection conference circuit, various speakers are extending their hastily-prepared remarks to include a short homily on his contribution to data protection over the decades. Yes, he really has been at the ICO for decades.

It's a convention that public servants are never presented with anything other than small tokens of appreciation from grateful hosts. It’s the ICO’s practice for gifts to be declared in a central register and, to the extent that is practical, for them to be used as prizes at the ICO’s annual Xmas raffle.

At it's summer party last night, the Crouch End Chapter of the Institute of Data Protection decided not to present David with a physical token of their appreciation of his work. Instead, a toast was proposed by the Chairwoman of the Dagenham Data Practitioners, who had been invited to the party along with all the other members of the DDP.

To round off the evening, we sang an ode in David’s honour. The words are reproduced below, in case the ICO Chorus fancy sending David off in song, too.

Eternal David, strong to save,
We thank you for advice you gave,
You bidd'st the mighty Google deep
Its own appointed limits keep;
Oh, hear us when we cry to Thee,
For those in peril because of me

O Dave! Whose voice we always heard
And hushed our raging at Thy word,
Your temper never would explode,
Just point us to a data Code;
Oh, hear us when we cry to Thee,
For those in peril because of me

Most gentle Smithie! Who didst brood
Upon the chaos dark and rude,
And bid its angry tumult cease,
And give, for wild confusion, peace;
Oh, hear us when we cry to Thee,
For those in peril because of me

And now you’re off! It is the end
Of kind words from a distant friend;
We hope and pray the next one in
Will forbear us should we start to sin,
Support us when we cry oh ****
Our data’s gone, we’re out of luck


Monday, 17 August 2015

The (discrete) search for the new Information Commissioner

The (discrete) search to appoint a successor to David Smith, soon-to-retire Deputy Information Commissioner and Director of Data Protection is over.

Shortly, the successful candidate will be unveiled. Don't worry, it’s not me. And a (discrete) search will commence to find a suitable replacement for Chris Graham, soon-to-be outgoing Commissioner.

How secret should this process be, and when is it appropriate to extend the selection process?

Given the transparency and manner in which people can participate in elections for leaders of political parties, perhaps the time is ripe for a larger group of people to be involved in selecting public officials who will be involved in determining information rights enforcement strategies.

After all, in the UK, we generally police by consent. So, given the resource challenges that the ICO faces, surely it is right that a significant body of people help determine the identity of the “independent” person who subsequently determines the enforcement priorities that his officials will adopt.

Otherwise, what checks are available? Can we always trust the “backroom bods?”

When even a person as eminent as the Chairman of the House of Lords Privileges and Conduct Committee can be alleged to have behaved as badly as he has, why should it be assumed that the current appointment system is perfectly fit for purpose?

But, more to the point, why should Data Protection Officers, who actually play a very significant role in ensuring that organisations comply with their data protection, be disenfranchised from a compliance process they play such an integral part in?

If I had my way, the DPOs of all registered data controllers would be able to register their interest in participating in the selection process by paying a £3 fee to the ICO – just as the Labour Party currently allows interested individuals to participate in elections for party leader.

Hopefully, it won’t be too long before it is more generally realised that the Office of the Information Commissioner is, in many respects, a political office. In determining how precisely how laws will be enforced, the Commissioner currently exercises his own judgment (supported, presumably, by the ICO Board and his Executive Committee). But he plays a political role – and this is a role for which he’s pretty unaccountable to the data controllers he’s regulating.

Future Commissioners will get one term to rule. And as they won’t need to concern themselves with the need to remain on good terms with those who would (previously) have extended their initial appointment, there is a risk that they will adopt enforcement strategies that will really rub people up the wrong way.

Accordingly, to give the incoming Commissioner a greater sense of legitimacy, the selection process really needs to be made more transparent.

The days are numbered where a meek group of regulated organisations will simply accept the whim of whomever will be selected to step into a senior office.

So an election – or even hustings from a selection of the more promising applicants - would do nicely, thank you.


Image credit:
Today’s image is that of the ballot machine used in Florida during the 2000 Presidential election – many votes were disputed because incompletely punched holes resulted in “hanging chads.”


Wednesday, 12 August 2015

Do privacy laws prevent police forces from naming suspects?

I was asked this question at 6.15 am today. And, if I knew the answer, was I available for a BBC radio interview immediately after the 7.00 am news?

No and Yes were my answers – so I subsequently had a chat with BBC Radio’s Adrian Goldberg.

The question arose because the Birmingham Mail had asked West Midlands Police to disclose the names and images of ten suspects it had been hunting for at least a decade for crimes including rape and murder.

Initially, the force had refused to name any of the suspects, pointing to the relevant exemptions in the Freedom of Information Act. The Mail reported that the force had explained that naming them would be an unfair breach of their privacy.

This decision was criticized by local MP Khalid Mahmood as being “utterly bizzare.”

But lets get real, here.

The media has no automatic right to be informed by the police of the name of a person who is under investigation or who has been charged with a criminal offence.

While not naming nine of the ten suspects, the police did provide background information on them, and they indicated that there were operational reasons for withholding their identities.

So I’m not joining the rush to condemn the police for their behaviour. There are often extremely good reasons why suspects should not be named – particularly when there is no serious public interest at stake.

The National Police Chief’s Council (formerly known as ACPO, the Association of Chief Police Officers) currently considers that:

  • Those who have been charged should be named.
  • For those who have been arrested, there is a presumption that they should not be named;

But, that presumption can be displaced where (and only where): 

  • Releasing the name promotes the prevention or detection of crime; and/or
  • There is a serious public interest in releasing the name.
Suspects should not routinely be named. And media organisations must be careful not to identify suspects at this stage, as they would be able to sue the organisation for libel if the police investigation does not lead to a criminal prosecution.

Many suspects are never arrested or charged – for a variety of reasons including lack of evidence of their guilt or positive evidence of their innocence. Remember the witch-hunt against Christopher Jeffries, the retired Bristol teacher arrested on suspicion of the murder of his tenant Joanne Yates in 2010. His life was turned upside down following the news of his arrest, even though he was later publicly exonerated. He was able to recover substantial damages from the media organisations that had unfairly named him, but no amount of money can properly account for the impact to his reputation.

As Lord Leveson recommended in his 2012 report on the culture, practices and ethics of the press:

“…Police forces must weigh very carefully the public interest considerations of taking the media on police operations against the rights of the individuals who are the subject of such an operation… I think that it should be made abundantly clear that save in exceptional and clearly identified circumstances (for example, where there may be an immediate risk to the public), the names or identifying details of those who are arrested or suspected of a crime should not be released to the press or the public.”

I won’t be encouraging vigilantes to join this particular witch-hunt.

Sources:  (Volume 2, p.984, paragraph 3.3)


Tuesday, 11 August 2015

Not a lot of news from Big Brother Watch today

What are we to make of today’s Big Brother Watch report which claims that local authorities commit 4 data breaches every day?

In the words of TV magician Paul Daniels: “Not a lot.” 

At first glance, it looks impressive. It’s almost 200 pages long. But, and this is a big but, there are only a few pages of analysis – once you get past page 12, a series of annexes contain the responses from each local authority, revealing how minor the vast majority of the reported incidents (occurring between April 2011 and April 2014) actually were.

BBW started work on this report by submitting FOI requests to each local authority in June 2014. Quite why it has taken so to publish the results, bearing in mind that FOI requests should be returned within 20 days, is beyond me.  Although BBW claims to have received a 98% response rate, some 212 authorities either declined to provide information, or claimed that they had experienced no data breaches between 2011 and 2014.

Evidently, the safest place to live these days is Northern Ireland, where 21 of the 25 Northern Irish District Councils did not report a single data breach. 

The report’s recommendations, unfortunately, don’t reflect too deep an understanding of the improvements to information handling procedures that are already currently likely to emerge in the foreseeable future.

BBW calls for “proper punishments for the misuse of personal information,” without acknowledging that (even) magistrates courts are already capable of levying unlimited fines for DPA offences. Instead, BBW joins the chorus for custodial sentences, but it failed to point out whether any of the data breaches featured in the report would have been cases where a jail term, rather than a fine, would have been a more appropriate punishment.

BBW calls for anyone who knowingly commits a data protection breaches to receive a criminal record. Currently, offences are classed as civil offences. BBW is concerned that this raises the potential for an individual to gain further employment that allows them to access personal information, despite the fact they have been punished for committing a data protection offence in a previous job.

Perhaps in a future report, BBW will also advocate sending miscreants to the stocks for a couple of days.

BBW calls for mandatory data protection training for members of staff with access to personal information – but it does not appear to know how many of the reported data breaches had occurred despite the DPA training that was in place.

BBW calls for the mandatory reporting of a breach if it concerns the public – but it failed to mention the breach reporting standards advocated by the GDPR.

BBW calls for standardised reporting systems and approaches to handling a data breach – but it failed to mention the work the ICO has already done in this area to encourage standardised breach reporting.

BBW also echos the ICO’s calls for it to be able to audit local authorities.

But enough of all this negative stuff – the report does some examples of poor data handling practices that will be useful for DPOs to feature in future presentations. They include:

  • A CCTV operator watched part of the wedding of a member of the CCTV team.
  • An officer wrote down his contact details on what he thought was a scrap of paper but contained personal details of a complainant.
  • A care agency left 23 black sacks of paperwork behind after an office move. 100s of clients in several authorities were affected.
  • A child report was sent to wrong recipient. The recipient used Facebook to track down correct client and passed report on. The client reported this.
  • An advisor recorded incorrect details for noise complaint which resulted in an officer visiting the person being complained about rather than the complainant.

Happy reading.