Under the Data Retention and Investigatory Powers Act 2014, public telecommunications operators notified by the Secretary of State are required to retain for up to 12 months certain data generated or processed in the UK relating to telephony and Internet communications. “Communications data” (or “metadata” as it is called in the US) – information about subscribers and their use of a communications service – is collected by many government agencies from UK Communications Service Providers using powers in Part 1 Chapter 2 of RIPA.
The statutory Code of Practice expands on the definitions of communications data given in s.21(4) RIPA as including “subscriber information” that relates to the customer receiving a telecommunications service, and “traffic data” that includes the following:
- Identity information relating to a person, apparatus or location e.g. calling line identity and mobile phone cell site location details
- Data identifying or selecting apparatus e.g. routing information
- Signalling information to actuate apparatus – to cover ‘dial-through fraud’
- ‘Packets’ of data that indicate which communications attach to which communications.[1]
However, as the Interception of Communications Commissioner’s Office has recently noted, “subscriber information” now covers a very broad range of information held about individuals, such as “viewing preferences for online media, sexual preferences, political or religious associations etc.” – and can be authorised for access by relatively junior officials.[2]
A very large number of central and local government departments are able to access communications meta-data by having a senior official authorise a request to a Communications Service Provider. These agencies are specified in The Regulation of Investigatory Powers (Communications Data) Order 2010. The Interception of Communications Commissioner commented in his 2004 report that: “In addition to the agencies covered by Chapter I of Part I of RIPA, and the prisons (138 in number) there are 52 police forces in England, Wales, Scotland and Northern Ireland and 510 public authorities who are authorised to obtain communications data, all of whom will have to be inspected. This is clearly a major task.” [3] In 2013, 514,608 requests for communications data were approved. [4]
Section 37 of the Protection of Freedoms Act 2012 requires that local councils obtain judicial approval from a magistrate before accessing communications data. The Interception of Communications Commissioner’s Office has recently noted that many magistrates are yet to receive the promised training on the legislation, and hence are authorising illegal conduct. [5]
Several reviews have noted that as modes of communication develop online, the distinction between communications data or meta-data and the content of these communications has become increasingly blurred. The Intelligence and Security Committee’s Privacy and Security report recommended the creation of a new category of data, ‘Communications Data Plus’, “which is not content, but neither does it appear to fit within the narrow ‘who, when and where’ of a communication, for example information such as web domains visited or the locational tracking information in a smartphone.” [6] The report proposed that this data – the capture of which, they contend, remains less intrusive than content – should attract greater safeguards than conventional communications data. The review by David Anderson proposed that the power to require service providers to retain communications data should continue to exist, but that a detailed operational case needs to be made in support of proposals to require the retention of ‘web logs’, data which would fall under the ISC’s definition of ‘communications data plus’. [7]
[1] Home Office (2007) Acquisition and Disclosure of Communications Data Code of Practice, London: The Stationary Office, at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/97961/code-of-practice-acquisition.pdf
[2] Interception of Communications Commissioner’s Office, Evidence for the Investigatory Powers Review p.21, at http://www.iocco-uk.info/docs/IOCCO%20Evidence%20for%20the%20Investigatory%20Powers%20Review.pdf
[3] The Right Honourable Sir Swinton Thomas, 2004 Annual Report of the Interception of Communications Commissioner, HC 549, London: The Stationary Office, Ordered by the House of Commons to be printed 3 November 2005, p. 5.
[4] The Right Honourable Sir Anthony May, 2013 Annual Report of the Interception of Communications Commissioner, HC 1184, Ordered by the House of Commons to be printed 8 April 2014, p.22
[5] Interception of Communications Commissioner’s Office evidence, note 10, p.35
[6] Intelligence and Security Committee of Parliament Privacy and Security: A modern and transparent legal framework, March 2015, p.6.
[7] David Anderson Q.C., ‘A question of trust’, Report of the Investigatory Powers Review, July 2015, p.5.