Home Office Evidence
MR. WHITE: We appreciate you taking the time out to come here to help us. I do not know whether you have heard any other evidence, but do you want to make an opening statement by way of introduction?
MR. WATKIN: We welcome what the Inquiry is doing and we wish to help as much as we can. We have submitted our evidence and, hopefully, that will give you some line as to where we are coming from and where you might wish to take us.
MR. WHITE: One of the things which have become clear is that there is a myriad of powers which exist in different pieces of legislation. Is that a problem which you have looked at and, if so, are there any suggestions that they ought to be rationalised?
MR. WATKIN: Our objective is that RIPA should establish a single regulatory regime for access to communications data for those authorities which are tasked with the investigation of crime, whether it be serious and organised crime, which Mr. Gamble was talking about, or whether it is very minor crime which is impacting on people at the very local level, which is dealt with not by the police but by local environmental health officers and/or trading standard officers. They are still crimes which impact upon people, and communications data can be relevant to the investigation of such matters.
MR. ALLAN: What we are trying to do, and which is as I understand it what the Home Office is trying to do, is to get a sense of what the public feels is reasonable, given particularly the fuss we had in the summer. As often has been said, when we had the Daily Telegraph and Guardian editorials on the same side, we then know that something is cooking. In terms of trying to reach that understanding, one of the key questions which has come out in terms of the legal debate has been the fact that retained data, which is retained under ATCS or anything else, could be accessed by a whole variety of people and, therefore there are concerns about the principle of data retention. Perhaps most people would say “I would be more or less happy to have data retained if it were about stopping September 11th. That is something I understand. However, I am not happy about it being retained if it is going to be dragged into civil cases that I might be involved in, or this, that and the other”. Will we be looking at that issue in the consultation of the wider issues of the potential access to that data, or will we be looking at it narrowly, purely in the light of RIPA and the ATCS?
MR. LACK: There will be two consultation papers, clearly. The additional data that will be retained and the access to it is something that we will be inviting comment on. Clearly, it is very difficult for the Home Office to make comments on other people’s legislation. It is difficult for the Home Office to make statements which will mean changes in other people’s legislation. I think that Simon’s comment is the right comment to make. We would like to see RIPA as the over-arching regime for everything. There is an issue about the retention of data. There is an issue which concerns both the Information Commissioner, the industry and ourselves. However, our legal advice is that we note the problems which have been created but we do not consider that that prevents access through RIPA once we have RIPA Part I Chapter II in. So we think that is a perfectly reasonable route to go through, to access any data which is retained for whatever purpose. However, I cannot comment on Acts which do not concern the Home Office.
MR. ALLAN: Let us be clear about this. You are responsible for RIPA, the Data Protection Act, the Human Rights Act and the ATCS Acts, and anything else, whether it is food standards, environmental health, trading standards and that sort of stuff, is outside the remit of the Home Office?
MR. LACK: Other Acts which allow access are outside of our remit.
MR. ALLAN: And anything to do with the civil law would be a matter for the Lord Chancellor and not yours?
MR. LACK: We find ourselves in a difficult position; yes.
MR. ALLAN: Is the consultation you are embarking upon a consultation with a view to getting Part I Chapter II implemented?
MR. WATKIN: We are looking to publish very early in the new year a consultation document on the implementation of Part I Chapter II of RIPA whereby we will seek to place in the public domain more openly than has been the case, the totality to which communications data is being used by a great variety of public authorities, not all of whom are automatically associated with the investigation of crime but they are all involved with the investigation of crime at some point, and seeking to engage the public in a more informed way than was possible in the summer to validate what it is that the public would wish to see being done in terms of providing access to communications data by those who are tasked with the investigation of crimes, which are obviously of concern to the public. What happened in the summer was a presumption as to what the public would want done for them. Obviously, the message came back, “Hang on. We need to be a bit clear as to what is being done and by whom so that we can take a view”. Obviously, the point of the consultation is to take a clear view of what the public is prepared to countenance in terms of public authorities having access to data, but within the ring fence of the purposes provided by RIPA. Essentially, we are talking about everything from the detection of serious crime to the issue of public safety. What we are not discussing here is how communications data has a role to play in civil case law, which clearly it does, but that is beyond our scope.
MR. WHITE: In the consultation paper which is coming out in the new year, are other departments involved in it?
MR. WATKIN: All the departments which are responsible for authorities which are using communications data or seeking to use communications data, like the Food Standards Agency, the Medical Devices Agency and the Financial Services Authority — there are a number of government departments and public authorities which are all involved — clearly are part of our objective in preparing a paper because it properly reflects the work which they do.
MR. WHITE: One of the things which has been suggested to us is that there is a myriad of security overseers which look at different parts. Richard reminds me of the list that RIPA has. Do you think that there are too many people looking at the oversight of RIPA and looking at the oversight of this function. Should there not be just one body which looks at it for everybody?
MR. WATKIN: We have the Office of the Interception Commissioner, who is responsible for the oversight of Part I of RIPA, of the provisions of interception of communications and the acquisition of communications data, and the Office of the Surveillance Commissioner, who oversees the covert and intrusive surveillance provisions in Part II. They are quite separate.
MR. WHITE: As well as the Interception Commissioner and the Surveillance Commissioner, you also have other bodies as well.
MR. WATKIN: I am talking about the ones which have responsibility for overseeing how RIPA works and how RIPA is being used.
MR. WHITE: But I, as a citizen, have this myriad of people who exist, but I do not know who to go to.
MR. ALLAN: Or the Police Complaints Authority about a police officer who has behaved wrongly. It has been put to us in evidence from a citizen’s point of view that it is not clear who to turn to. Given that you do not probably know what has been done with your data — almost by definition you should not know what has been done — but you think that something has been done with your data (you have probably seen the effect of it in that some information about you is out there. You think somebody must have done something wrong but you do not know whether it is communications data, interception or whatever) if you, the citizen, wants to go somewhere and say, “Oi, I want to know what has gone on here”, it has been put to us that from a citizen’s point of view the path is not clear.
MR. WATKIN: In the consultations which we have gone through and the comments which have been put to us in preparing where we are, that is not a concern which has been aired. The concerns which have been aired are about the effectiveness of the Commissioners which we have in place. The Government is already committed to ensuring that the Interception Commissioner has the resources to enable him, effectively, to oversee the provisions of Part I Chapter II of RIPA.
MR. WHITE: When do you expect Part I Chapter II to come into effect if the consultation is favourable in the new year? Are we talking about two years down the line?
MR. WATKIN: What we are looking to do in the consultation is to explain clearly what the options are in terms of enacting RIPA Chapter I Part II and variations on a theme of which public authority should have access to what. If we get a broad consensus from Parliament and from the public that the approach which is being set out is appropriate or an option becomes clear that that is what Parliament and the public prefer, we would be looking to implement the provisions some time after Easter but certainly during 2003.
MR. ALLAN: In terms of selling it to the public or to get public acceptance about what might take place, every intrusion into privacy must be proportionate and necessary. That is the human rights background to it. What happened in the summer was that all the Home Office could say was that it will be proportionate and necessary but nobody understood that. You can understand why a trading standards investigation into fireworks which will blow up and kill people will be more acceptable to the public than investigating something which is harmless but a bit dodgy. I am wondering how you are able to do that? Will there be a collection of codes of practice which spell out for people in terms of what they can understand “necessary and proportionate” means or are we still to fall back and say, “If you have a problem, you can take a case under the Human Rights Act”?
MR. WATKIN: Again, I fall back on the consultations and discussions that we have had. My consultations tends to be with the technical and computer literate lobby. The concerns are not necessarily about proportionality. There is a broad understanding of what that means, but it is to whom that applies. You cannot possibly say, “In this sort of circumstance, this will happen”, because the number of possible circumstances you can have is so enormous. You could have a great compendium saying, “If this event happens, this is what will be necessary and proportionate in that instance”.
What you can say is that whatever happens must be necessary and proportionate as required by the legislation, but that we should have a common collective view of the sorts of things that people will be doing and are looking to use the legislation for. Clearly, the Food Standards Agency, which has a particular function in protecting the public health from eating contaminated foodstuffs, has a necessary and proportionate role to, occasionally, have access to communications data which will help trace the sources of unfit food, which would otherwise be going into the food chain or may have already gone into the food chain. The necessity and proportionality of what they need to do will be quite different from the National Crime Squad’s investigation into an organised gang which is seeking to move class A drugs from one side of the world to the UK. The proportionality and the needs which they have will be different.
I am very conscious that this is not about “making” the public understand. It is about having information in the public domain and letting the public and Parliament decide what it thinks is appropriate. We do not want to suggest that the Home Office knows what is best for you. If anything, that is an argument which could have been laid at our door in June. What we are seeking to say is, “This is the range of activity which is going on. There are needs for communications data. They vary. The necessity and proportionality vary. So long as what is being sought is necessary and proportional, then the law should allow that”. It will all be overseen by a Commissioner, and there is an avenue of complaint through the Investigatory Powers Tribunal.
MR. ALLAN: The other side of the coin, and this is what people will want to know, is this. Can you describe the sort of penalty regime that is in place in RIPA. It may help people to understand if their communications data were taken off. We have had examples of the Police National Computer. There have been public cases where officers have been reprimanded. That means it only becomes more and more powerful in having a greater impact on our lives. We would expect those who have used it to be severely dealt with, I think.
MR. WATKIN: There is no express provision within Part I Chapter II for abuse of those specific powers. What the issue would be is why are they being abused? Are they being abused because someone is being blackmailed? In that case, there would be an offence of blackmail. Are they being abused because somebody is trying to defraud somebody? There would be an offence there. So the purpose for which that abuse is taking place is an issue. Whatever the abuse is, it would be covered under the Data Protection Act. The personal data would be required for a purpose that it was not expressly being asked for. Personal data could be asked for disguised as having a legitimate reason for a certain disclosure — using it for other purposes would be an offence under the Data Protection Act. We would want the consultation paper and the discussion which follows it to explore that more widely.
MR. ALLAN: So the serious penalties for abuse of data are only for the abuse of intercepted data, the IOCA-type data, the actual record of the communication or the transcript, the tape of your telephone call or the content of your e-mail. Within RIPA itself there are penalties for people who have disclosed that data in ways that they should not have done, but there are no parallel provisions for communications data?
MR. WATKIN: No. It would have to be under something like the Data Protection Act or in relation to an offence for which the acquisition of the data was the precursor.
MR. ALLAN: As we heard in the tipping-off offences in terms of the whole communications data, Chapter II is weaker in a sense than the Part I Chapter I regime, because it is regarded as less sensitive.
MR. WATKIN: Yes. It is considered less intrusive data.
MR. WHITE: One of the things mentioned throughout this inquiry is the differential between communications data and subscriber data, like “Whose is this mobile phone? Whose is this e-mail address?”. RIPA does go some way to looking at that. Do you think that there are amendments which could be made to RIPA to make that definition much clearer?
MR. WATKIN: We have within RIPA explanations of communications data, which basically breaks it into three categories, which are traffic data, use of a service and information about the user of the service. Those are, by necessity, broadly defined categories. They are technology neutral categories. What would be helpful, and what we are already seeing, are discussions that help establish common degrees of understanding within law enforcement and industry about what sort of data is what, and that will need to be constantly reviewed as technology changes and different sorts of data emerge and different services. That is one of the reasons why it is better that the primary legislation does not spell it out in detail. I think we have workable definitions which recognise the different levels of intrusion relating to the different categories of data. Obviously, in terms of implementing those, having codes of practice and building up common understandings as to what sort of data sits where within that framework is obviously the way to go.
MR. WHITE: It has been suggested that judicial authorisation ought to be required for everything except basic subscriber data. Is that a view which the Home Office has looked at?
MR. WATKIN: Can you repeat the question?
MR. WHITE: Some of our witnesses have suggested that subscriber data is at superintendent authority level, but that much more sensitive data ought to require a judicial authority.
MR. WATKIN: That was a matter which Parliament considered at the time when the legislation went through, and Parliament decided that the regime which we have is the regime which should be followed.
MR. WHITE: From a practical point of view, has the Home Office looked at the impact of that?
MR. WATKIN: We still believe that the regime that Parliament has adopted is practicable.
MR. ALLAN: I remember moving that amendment in Committee. There was a very good brief against it, so I think they have considered it in detail. Let me ask you about the relationship with ATCS, which is the other thing that has come up. Where are we now from the Home Office point of view in terms of a voluntary/mandatory scheme for the retention of data?
MR. LACK: The legislation makes it quite clear. I describe it to the industry and law enforcement agencies as “hoops and hurdles” which we are required to go through. We can only provide a code of practice to a voluntary scheme for initial discussions. The legislation does not allow us to go to a mandatory scheme immediately. What we have been doing with the industry, with law enforcement agencies and with the Information Commissioner is discussing the basis of a voluntary code of practice which will be the subject of a consultation paper and, we hope, will subsequently be discussed in both Houses of Parliament.
MR. ALLAN: So if you came forward with a voluntary code of practice and the Government said, “You, the industry, should retain the data for X amount of time”, and the industry said, or some voices in the industry were saying, “We think we will be hung under the Human Rights Act if we do that. Therefore, we are not prepared to implement your voluntary code of practice”, what kicks in then?
MR. LACK: We need to give the industry time to consider its position once the voluntary code of practice has passed through Parliament with whatever amendments are made to it. Industry must be given sufficient time to consider its position. Then we will need to go back to the Secretary of State with the consideration of making directions which will lead to mandatory provisions.
MR. ALLAN: And the voluntary code of practice has to come here as a statutory instrument for an affirmative resolution?
MR. LACK: Yes.
MR. ALLAN: So it is quite a long process?
MR. LACK: It is a process which takes somewhere around 10 months, which is why we would be looking for consultation shortly after the consultation started on the access provisions.
MR. ALLAN: How would that mandatory scheme be brought in?
MR. LACK: That would be brought in, in the same way, by an affirmative resolution.
MR. ALLAN: So, if we went to that point, we would certainly be running into 2004 before any actual data was retained?
MR. LACK: It depends on the decisions of Parliament as to what is a reasonable time between publishing a voluntary code of practice and being able to review that voluntary code of practice. If we took a reasonable time as being — this is a figure from the top of my head — four months, we could finish before the sunset clause comes in, basically.
MR. ALLAN: And the sunset clause comes in when?
MR. LACK: On 13th December next year, 2003.
MR. ALLAN: 2003. So it is a race against time?
MR. LACK: It is not really a race against time. The issue, really, is to follow the process that we have. It will be for you, gentlemen, to decide what that process will be and the timescales of that process.
LORD NORTHESK: In effect, you are saying that even with a voluntary code of practice, with the best will in the world, Parliament will not be in a position effectively to legislate on this issue for two years?
MR. LACK: That is correct; just under two years if we are to be in front of the sunset clause.
MR. ALLAN: Picking up the cost point again, which we have heard evidence about, my understanding of the figures that we have been given, an example of which is from large service providers like AOL, is $40 million to set up data retention, whether it is a voluntary or mandatory system, to retain all their data and something like $14 million a year to run. Thus quoted us 5 million or 6 million in Sterling for their business. We understand that you have a budget head of 20 million for the industry. Is that correct? Do you think that means that the industry can agree to something for which, as it looks, they will not be refunded for anything like the larger part of their expenditure?
MR. LACK: The initial budget head under the anti-terrorism budget from the Treasury allocated just over 20 million pounds for that purpose. However, when you read the Act, the Act is not just about what you do now, what capital provision you have to deliver now, but you have to look at the revenue implication thereof. We are working with the industry and law enforcement agencies through a working group to discuss these issues. I, myself, have had discussions with AOL back in May and June. In fact, I spent time in discussing it with most of the major US suppliers, at which time they made it quite clear that they had a global concept but to break that global concept down would be impossible. To deliver data retention in the way that the UK wants it would not comply with the situation in the US, which is data preservation. They are happy working with their data preservation rules. It seems that they may still want to change their stance, but we still have to consider that that would be a global stance, and it will be for the UK to pay for a global provision for AOL. At the moment data preservation, as I was given to understand, works in the States. I do not know how much data they have got preserved, though.
MR. WHITE: One of the things which is concerning me about ATCS and RIPA are the implications to the way the UK does business versus other countries. One of the original concerns I had with RIPA was to the effect of driving ISPs out of the country so you would not get the data, anyway, as they would be operating in another country. What are you doing about addressing those concerns about how you get data from other countries and how you work with industry to make sure that they stay in the UK?
MR. LACK: There are two sides to that question. I think I will refer the question of data from other countries back to Simon. The other issue is how we are trying to make things work in the UK. We have to ensure that the Government realise that this is not a commitment for this year, next year or the year after but it is a permanent commitment to support UK Plc. If you are asking for data to be retained then subsequent access and additional access to that data needs supporting.
MR. ALLAN: There needs to be an on-going budget head in the Home Office to say, “We will pay you year-on-year”?
MR. LACK: That would be my recommendation. If we improve what goes on in UK Plc and we make the Internet in the UK a very safe place and a very honest place to do business, we will attract customers.
MR. ALLAN: Broadband has ten times as much data and ten times as much data to retain.
MR. LACK: I am aware of the enormous implications.
MR. WATKIN: Let me make the point that the UK is not alone in pondering on these issues. Other countries are pondering the same issues at the same time as we are. There are, clearly, issues about the cultural approaches they have to it and the legal traditions which they have, which means they all come at it in slightly different ways with slightly different approaches in the way they work on them which means they come at it in slightly different timescales. Those are all difficulties for the Government and for law enforcement in trying to deal with criminality, especially when it is international criminality. We have mechanisms and regimes which seek to address that through Interpol, etc. It is important to say that, anecdotally, I sometimes hear members from industry saying that they have foreign law enforcement officers turning up at their doors demanding data. My advice to them when that happens is to shut the door on them and to explain that they have no authority to turn up their doorsteps seeking information, in the same way that a British police officer should not expect to turn up on one’s door overseas demanding data. There are special provisions for that. That is an area of concern which flies around. It is important to try and make sure that it is dealt with very early on.
MR. WHITE: There are some companies which are designing systems, for example in the UK, the US and in the Far East, and the designs which they are working on are virtually there and they all have access to it but nobody knows which country has jurisdiction over the data. In applying that to a criminal scenario, how do you go about finding where the data actually is in those circumstances, and how do you actually then apply the RIPA?
MR. WATKIN: It depends from whom you are seeking data. If it is an organisation which you are looking to assist you, then that body, within its corporate being, will see that information within its company jurisdiction is within the jurisdiction of, say, UK law enforcement. That is very helpful. Equally, a company in that position may equally well say, “That data is not in this jurisdiction but it is in the jurisdiction of Spain”, for example. If it is in the jurisdiction of Spain, then, obviously, there are mechanisms and procedures whereby that material may be formally requested through the Spanish Government.
MR. WHITE: So if I am this mythical West Dorset ISP and I move my data offshore, how do we deal with that kind of scenario?
MR. WATKIN: In very much the same way as the international community has dealt with financial services. That is the point I was going to make at the end, but as you have led me to it I will make it now. What do criminals do? Criminals need to communicate. I heard points made about the Internet. Criminals communicate and they use communication services, disproportionately, perhaps, to other services in the conduct of their criminal activities. The other sorts of services which criminals tend to use a lot are financial services, because they are largely in it for the money. Other sorts of services they do not tend to use significantly or disproportionately, whether it is buying cars or groceries. The communications and financial services are services which criminals, particularly organised international criminals, use disproportionately compared with other services. As we have seen what the international community does with financial services, through organisations such as the Financial Action Task Force, it recognises concerns about financial data havens where you had unregulated financial services and, occasionally, you had countries advertising their financial sector as a haven for dirty money. It is important for the international community to work together to ensure that worldwide there are standards which apply to the provision of financial services and to ensure that money laundering is not able to flourish. One can see something similar in relation to the provision of communication services. I am quite sure that the British Government and other national governments would not wish to see certain jurisdictions thriving as data havens for dirty data, let us say, or data within which there is some dirt, in the same way as money within which there is some dirty money. It is a similar sort of analogy.
MR. ALLAN: I understand the point being made about the difficulty in defining which communications services criminals use. All the evidence we have had so far suggests that in the vast majority of cases where communications data has been useful and where criminals have been caught because they have used communication services, has been through telephone services, not Internet services. Have you done work to indicate that these are the cases which are occurring now where the Internet is an integral part of the crime and we will catch them if we bring this regime in?
MR. WATKIN: One of the great difficulties for us and the Government is in trying to predict where commercial business is going in terms of what services are being delivered and trying to force how they may be exploited by criminals.
MR. ALLAN: I am thinking more of criminologists predicting the way criminals are going rather than the mass of industry.
MR. WATKIN: If the service is not there, it cannot be misused. As services come on line, we will always find that they will seek to exploit and misuse them. The task of Government is trying to predict what those might be. We already are seeing the use of the Internet, whether it is sending hate mail, posting websites, soliciting dubious financial investments or offering for sale unlawful images. I expect someone in the room will say that telephony will become Internet based sooner than later. The distinction between telephony and Internet will disappear and the distinction between television and Internet will disappear. Again, it is difficult for me as a civil servant to quite predict how that technology market will change. However, I can see from my experience during the past few years that it is changing very quickly and it may not always change in ways that we understand.
You made the point earlier about going into every building and capturing an image of who did it and was it fair to apply that regime to the Internet? Going back to what I said that bad people do in relation to financial services, I think we have all accepted long ago that when we went into a bank there would be a camera which will capture our picture in the event that there was a bank robbery. I have never been in a bank when a bank robbery has been in progress, but I have been in a lot of banks where my picture is on a screen which shows me that I am being recorded. There is public acceptance that bank robberies happen and, therefore, it is important that banks should have the facilities to record the image of people who come into their premises. If the public accepts that for banks and building societies with information being placed in the public domain and letting the public take a view and decide, maybe the concerns about the extent to which that regime applied in some similarly analogous way to the Internet can be allowed to be debated. I think what is important is that there is that debate and understanding.
MR. ALLAN: It is a very interesting and philosophical point as to whether the Internet has space — effectively, there are CCTV cameras everywhere — or is there space where they do not exist?
MR. WATKIN: It is a question as to whether it is a space where there are some CCTV areas looking at various things.
MR. ALLAN: But 100% data retention means CCTV cameras everywhere.
MR. WATKIN: No. It means there is a recording of images. The question is whether people look at them and the reason for which they look at them.
MR. LACK: We come back to our criminal investigation. At the pinnacle of the pyramid, you would not expect to have your data recorded and you would not expect your information to be in the vault of the bank where you have your safety deposit box. If we apply the same expectation to the Internet, there are some places where you may expect that people would be looking after you and in some places you would expect to be on your own. I think that is part of the realities that we are discussing. I think the consultation paper will open that reality.
MR. WHITE: You said that one of the things you have to do is to look at the way technology is changing. Although it is slightly outside the terms of reference, we have heard suggestions that the Computer Misuse Act needs up-dating. Are you looking at that and also at the Cybercrime Convention and what is coming out of that, mainly to legislative changes?
MR. LACK: We, personally, are not but the Home Office itself is. I was at a meeting a week ago where those discussions were taking place with the service providers, the law enforcement agencies and the Crown Prosecution Service to decide what was the way forward.
MR. WATKIN: You do not hear people talking so much about “Internet years”, but the Computer Misuse Act is now 12 years old in real terms and it was designed for an age when computers were designed to keep people out. Now we are looking at a world where computers are designed to let people in. We recognise that. What is at issue is whether what we do have in place still works in today’s era. We are keeping that very much under review. We are working with the Crown Prosecution Service to explore some test cases which actually challenge the extent to which the Computer Misuse Act is robust in today’s technological era. To the extent that it is not, we are reviewing the extent that we need to address it and to ratify the Council of Europe’s Cybercrime Convention.
MR. ALLAN: So we can expect 2003 to be a bumpy year for ISP public policy officers.
MR. WHITE: One of the concerns which led to SPOCs coming into existence was how do CSPs and ISPs know if the person they are dealing with is the real person. What procedures have you got in place, apart from our SPOCs? There has been some suggestion that they are under-resourced or have been in the past leading to delays. What procedures have you got in place and what plans have you got in place for dealing with this problem?
MR. WATKIN: I will leave the Police Service to decide and indicate whether their SPOCs are resourced. What I would say, clearly, is that the joint provision of training between law enforcement and industry of SPOCs and the creation of points of contact play an effective role in that they are known to industry. They know how the industry works and they know the art of what is feasible and what is not feasible. They play an effective role in cutting off requests for data which are inappropriate, they provide a model that we would wish to see replicated throughout those public authorities who fall within the RIPA regime in terms of making sure that the people who, effectively, work with the powers on a day-to-day basis are accredited in a way which industry recognises, which we are told by industry they do recognise and welcome, and look to have that as the model backed up by manuals and standards, which we would want to make sure were clearly in the public domain.
One of the concerns which arose in the summer was that, on the face of it, we were giving these powers to local authorities and, therefore, every bureaucrat in a town hall in an idle moment could ring up a telephone company and get his next door neighbour’s telephone bill details. Clearly it was never the case. We need to explain what the role of SPOCs are and what the importance of having an accredited person is, and the manuals, standards and procedures which they should abide by. There must be procedures which can vouchsafe that the requests are proper and appropriate and from an appropriate person.
MR. ALLAN: One of the problems which came out in discussions with lawyers was that the police SPOCs could not be used by local authorities and that every local authority would have to have its own SPOC. The point is that RIPA specifically excludes an agent acting for a third party. It has to be the investigating officer asking for the data themselves.
MR. WATKIN: That is right, and the reason why that is so is to minimalise the intrusion to privacy and to provide an express conformity to the human rights legislation. Clearly, if an agency is seeking to ascertain some private information about someone, the intrusion of privacy is much reduced if the agency asks for it and receives that information back. If that agency has to go through a central agency to get that information, clearly, the intrusion into privacy is greater because not only does the first agency know but the second agency is a party to that intrusion into privacy. That was clearly what the formulation was in the mind of Parliament when RIPA was adopted.
One of the questions which I think we will want to explore through the period of consultation is whether the public, in seeking to be more reassured and more trusting that these powers are being used necessarily and proportionally is whether there is an acceptance that that extra degree of intrusion afforded by a central agency is worth it in terms of ensuring that individual agencies, in which the public does not have so much trust, cannot “run amok”. That is an issue which we will want to explore. If the public said, “We would not mind that extra degree of intrusion in cases where it was appropriate and necessary because it would provide us with that extra bit of reassurance about this authority, who we now understand is involved in the investigation of criminal offences, which we are not as familiar with as we are with the police, and we would quite prefer them to go through some other body”. If that is something which emerges out of the consultation, I think that is something we would want to look at.
MR. WHITE: And you would be happy to propose amending the legislation?
MR. WATKIN: It is an area that, so long as there is an acceptance that that extra degree of intrusion on each case is accepted because it offsets mistrust of individual agencies going about doing what they do, then that is something we would want to discuss and explore.
MR. ALLAN: Would it require a change in the primary legislation?
MR. WATKIN: Although RIPA is not explicit on that point, the way RIPA is worded in terms of disclosures back to the authority which has the notice, for the sake of clarity, if that was the public’s consensus and Parliament’s consensus, we might want to amend that.
LORD NORTHESK: On the issue of public reassurance, it struck me that the poor Information Commissioner with successive Acts of Parliament is becoming somewhat overloaded. In policy terms, do you think that the Office of the Information Commissioner is adequately resourced? That is the first part of the question.
The second part of my question — my colleagues may not be aware of this but, of course, I am, because the Bill started in this House — concerns the Crime (International Co-operation) Bill, which imposes a further duty on the Information Commissioner to make sure that data held by three databases in Europe is overseen by the Information Commissioner. What flows out of this is if the Office of the Information Commissioner is adequately resourced to ensure that data held in those databases on UK nationals is held in terms that are consistent with UK legislation?
MR. WATKIN: I think we would probably defer to our colleagues in the Lord Chancellor’s Department who are responsible for resourcing the Information Commissioner. I can answer questions about the Interception and Communications Commissioner.
MR. ALLAN: The Information Commissioner is the LCD.
MR. WATKIN: Yes; it is the Lord Chancellor’s Department.
MR. WHITE: We have run out of time. Is there anything that you would like to say or indicate to us that that we should be looking at?
MR. LACK: From the point of view of the ATCS, we have had enormous support from the industry to try and get to where we are. Your comments on the Information Commissioner are such that some of the delays have been through delays there. Seeking counsel’s advise has also caused delay. I think you will see, shall we say, a much clearer position being adopted by both the industry and the law enforcement agencies to be able to deliver data retention by one of the means under the Act within the timescales of the Act. I believe that is possible.
MR. WHITE: Thank you very much. What we are hoping to do is to get this report out early in the new year. Thank you very much.