Draft super-snoop bill's data protection Code of Practice is a blank canvas – expert
Code should be published as draft before bill becomes law
Today the Information Commissioner will give his views on the draft Investigatory Powers Bill to a cross-party Parliamentary Committee examining it.
The Bill proposes a power for the national security agencies to collect Bulk Personal Datasets (BPD) by a warrant signed by the Secretary of State which is subject to review by a Judicial Commissioner (the “double lock”). A Bulk Personal Dataset is any collection of personal data, where the “majority of the individuals are not, and are unlikely to become, of interest to the intelligence service” (Clause 150(1)(b) of the Bill).
The Bill promises a Code of Practice with respect to the processing of Bulk Personal Datasets, but provides no detail as to what that Code contains.
The main questions addressed in this blog are:
- Should the comprehensive Section 28 national security exemption in the Data Protection Act continue when most personal data in a Bulk Personal Dataset concerns those who are not of interest to the national security agencies?
- If the Section 28 exemption is to continue, how good is the protection for individuals in the Bill?
This blog provides an overview of the weaknesses in the protection on offer, identifies how the absent privacy protections should be implemented and provides a link to my full written evidence to the Committee.
Article 8 of the Human Rights Act
The first structural problem is that there is no detailed explanation in the Bill as to how Article 8 of the Human Rights Act is to be satisfied given that the national security agencies will collect Bulk Personal Datasets when there is no prior suspicion with respect to the vast majority of data subjects.
The legal advice that the government has relied on to substantiate Article 8 compliance should be published so that this issue can be debated properly; at the moment, compliance with Human Rights obligations has been asserted without evidence. The whole purpose of the draft Bill procedure is to facilitate a fully informed debate on the issues; failure to publish the legal advice on Article 8 undermines that debate.
This is especially important as there might be changes to the Article 8 regime arising from the Government’s review of the Human Rights Act (i.e. the Committee might assume Article 8 protection, but these protective goalposts might be moved by the Government after this Bill becomes law).
A Commissioner who polices himself
The next structural problem is that the main protection for individuals lies with the post of “Investigatory Powers Commissioner” where the Commissioner is also one of the Judicial Commissioners who checks the warrants, signed by the Secretary of State, that authorise the collection of Bulk Personal Datasets.
This means that the Investigatory Powers Commissioner, in order to meet the obligation to “keep under review the acquisition, retention, use or disclosure of bulk personal datasets by an intelligence service” (clause 169(3)(a)) may be investigating the consequences of his own warrant authorisation decisions as a Judicial Commissioner.
The lack of separation between the roles of the Investigatory Powers Commissioner and the Judicial Commissioners could easily undermine public confidence in ALL the double lock protection in ALL aspects of the Bill’s powers. For instance, if in future, you have something akin to the Snowden revelations what would be the public response if the Investigatory Powers Commissioner were to investigate his own actions as a Judicial Commissioner and then subsequently exonerate himself?
In my view the Investigatory Powers Commissioner must not be conflicted in any investigation of the actions of any Judicial Commissioner; hence the need for separation.
Code of Practice on Bulk Personal Datasets
With respect to the Bulk Personal Dataset provisions, paragraph 74 of the Bill’s preamble (which appears under a heading “What safeguards will there be?”) states that “A statutory Code of Practice will set out additional safeguards which apply to how the agencies access, store, destroy and disclose information contained in the BPDs”. The Bulk Personal Dataset Code of Practice is hence proffered as a safeguard in addition to the “double lock”.
However, in Schedule 6, which concerns Codes of Practice, there is no detail as to what should appear in this Code of Practice. In other words, the Bulk Personal Dataset Code is no more than a blank canvas to be completed by the Secretary of State once a future Bill becomes law.
One can also see that the fact that this Code of Practice is offered as a protection implies that the Government is anticipating the continuation of an unchanged Section 28 national security exemption in the Data Protection Act.
Before the Bill becomes law, this Code of Practice should be published as a draft.
Code of Practice on Communications Data
With respect to the processing of communications personal data (Part 3 of the Bill), there is another Code of Practice proposed. However, unlike the Bulk Personal Dataset Code, the Principles underpinning this Communications Data Code of Practice have been published.
The Principles underpinning the Communications Data Code of Practice are truly awful; they are likely to be the Principles underpinning the Bulk Personal Dataset Code. I say this because if these Principles were different, one would have different Principles applying to personal data depending on whether the personal data were Communications Data or not.
In addition, given that a database containing bulk Communications Data will also be a Bulk Personal Dataset, there is no information in the draft Bill as to how these Codes interact with each other (e.g. which one prevails). In summary, the provisions relating to these two Codes of Practice possess the hallmarks of an idea drafted on the back of a fag packet.
The Principles (I call them “Ersatz Principles”) underpinning the Communications Data Code of Practice are as follows:
“(a) why, how and where the data is held,
(b) who may access the data on behalf of the authority,
(c) with whom, and under what conditions, the data may be disclosed,
(d) the processing of the data for purposes otherwise than in connection with the purposes for which it was obtained or retained,
(e) the processing of the data together with other data,
(f) the processes for determining how long the data should be held and for the destruction of the data” (in Schedule 6, paras 3(2)(a)-(2)(f)).
Note that these Ersatz Principles are phrased in a permissive way that allows the national security agencies to do things, unlike the Data Protection Principles, which restrict things from happening.
For example, the Second Principle in the Data Protection Act requires that any personal data obtained for specific purposes should not be further used or disclosed for an “incompatible purpose” (i.e. the use of “not” and “incompatible” restricts the further purpose). By contrast, Ersatz Principles (c) and (d) clearly allow for far wider use/disclosure purposes by the national security agencies, as the words “incompatible” and “not” are missing (i.e. permissive).
Indeed any consideration of the “purpose” of any disclosure, which is crucial to several Data Protection Principles including the Second Principle, is absent from Ersatz Principle (c).
The Fifth Principle requires that personal data “shall not be kept for longer than is necessary for that purpose or those purposes” (i.e. restrictive); Ersatz Principle (f) clearly omits the word “not” (i.e. permissive), has no consideration of the “purpose” of retention, and is inferior for that reason.
If the intended function of these Ersatz Principles is to reassure the public, they will fall well short of that objective. In my view (and this comment might be uncharitable), the Ersatz Principles are not designed to protect the data subject; they are there to facilitate further processing (perhaps function creep) on the part of the national security agencies.
In general, these Ersatz Principles should be replaced by the Data Protection Principles in both Codes of Practice.
A Section 28 national security certificate (if needed) is timeless. This is illustrated by the Investigatory Powers Tribunal case involving Privacy International in October last year (UKIPTrib 13_77-H; para 19), where the barrister for GCHQ produced a certificate signed by David Blunkett thirteen years previously (in 2001) to show that key obligations in the Data Protection Act were exempt.
In the Bill, any national security exemption should be applied to the acquisition of bulk personal datasets or communications personal data when the agencies apply for each warrant (or on warrant renewal) from the Secretary of State and a Judicial Commissioner. This step will integrate data protection considerations as part of bulk personal data warrant considerations.
There is an opportunity for Parliament to review the whole Section 28 exemption scheme which commenced with the Data Protection Act 1984 at the heart of the Cold War. For example, the Investigatory Powers Commissioner could have a role in supervising all Section 28 certificates under the Data Protection Act and Parliament could consider whether each application of the Section 28 exemption should be covered by a certificate which needs to be renewed on a six monthly basis (i.e. same as the warrants under the Bill).
A review of Section 28 should be undertaken as a matter of urgency.
The role of the Investigatory Powers Commissioner
Clause 169 of the Bill should provide for an independent Investigatory Powers Commissioner separate from the Judicial Commissioners. The Investigatory Powers Commissioner should possess the following powers and obligations to enforce the application of the Data Protection Principles to the national security function and where appropriate, protect the rights of data subjects.
- The Investigatory Powers Commissioner should exercise powers in the Data Protection Act with respect to bulk personal datasets and communications personal data in the same way as the Information Commissioner does in relation to more normal personal data. Where the Investigatory Powers Commissioner exercises powers, these can be appealed to the Investigatory Powers Tribunal (e.g. by the data controllers – the national security agencies).
- The Investigatory Powers Commissioner under the current Bill has no role in handling or investigating complaints from data subjects. As the majority of data subjects are “not of interest” to the national security agencies, the Commissioner should be able to consider complaints directly from them.
- Organisations that are required to provide bulk personal dataset and communications personal data should be able to raise a formal complaint to the Investigatory Powers Commissioner that the warrant or authorisation approved by a Judicial Commissioner provides for disproportionate data sharing (i.e. organisations should have the right to ask for a review of a warrant/authorisation procedure if they have concerns over proportionality). To avoid prejudicing an operation, disclosure should first occur; however, any disclosed personal data should be destroyed if the Investigatory Powers Commissioner arrives at the same conclusion as the complainant (subject to appeal to the Investigatory Powers Tribunal).
- The Investigatory Powers Commissioner should have a role in assessing whether bulk personal dataset and communications personal data, once approved under the warranting arrangements, have proved to be useful. The Commissioner ought to be able to establish Key Performance Indicators that demonstrate effectiveness of obtaining such datasets (with the implication that if access is not worthwhile, the warrant can become void and the datasets destroyed).
- All holdings of bulk personal datasets and communications datasets should be reported to the Investigatory Powers Commissioner as well as the Secretary of State; this should be on the face of the Bill. This step will ensure the Commissioner knows the extent of bulk dataset collections, will be able to comment on these in his annual report, and where necessary can exercise powers with respect to such personal data.
- Data matching across any combination of bulk personal datasets and communications datasets should be considered in the context of any data sharing to other bodies of the product of data matching/profiling. However, intended or actual data sharing and data matching should be identified in an authorisation, or on a warrant, or on warrant renewal, or reported to the Investigatory Powers Commissioner when a warrant lapses. The intent here is to allow the Investigatory Powers Commissioner to compile a complete picture of such activities and be able to investigate any data sharing or data matching/profiling arrangements.
- The Investigatory Powers Commissioner should ensure that there is a commitment, as far as possible, to transparency with respect to bulk dataset acquisition and communications personal data. Such transparency already occurs without harm to national security. For instance, with respect to police and national security access to Congestion Charge ANPR data, the TfL website states:
“… we use to enforce our Road User Charging schemes, for the purposes of preventing and detecting crime … This was an expansion of a pre-existing arrangement with the MPS established in 2007, under which they were given access to TfL's ANPR data specifically for the purpose of using it to safeguard national security. This arrangement was approved by the Home Secretary, who signed a certificate confirming that TfL, and the MPS, are exempt from certain provisions of the Data Protection Act 1998 for that purpose.” (my emphasis; see references).
Finally, there should be a “sunset clause” on this Part of the Bill as Parliament needs to review the legislation in the context of future technological developments that will result in further bulk personal datasets being created (e.g. Internet of things, smart metering, ANPR datasets).
The problems identified above explain why I have concluded that the Bill does not currently offer adequate protection for individuals with regard to its bulk personal data provisions.
The same applies to the Codes of Practice that apply to the processing of personal data.
TfL Fair Processing Notice re national security: https://tfl.gov.uk/corporate/privacy-and-cookies/road-user-charging
This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.