Communications Data Bill/Draft/explanatory notes

From Communications Data Bill/Draft. These notes are interleaved with the draft bill in the published form.

Content under the Open Government Licence

Introduction

1. This document contains a draft Communications Data Bill and Explanatory Notes related to the Government's proposals to update the framework for ensuring the availability of communications data and the regulatory regime governing how public authorities obtain this data.

2. The Explanatory Notes have been prepared by the Home Office in order to assist the reader in understanding the draft Bill and to help inform debate on it. They do not form part of the draft. References to “the Bill” in these Explanatory Notes are to the draft Bill.

3. The notes which appear on the left-hand pages need to be read in conjunction with the Bill. They are not, and are not meant to be, a comprehensive description of the Bill. So where a clause or part of a clause does not seem to require any explanation or comment, none is given.

Summary

4. The Bill provides an updated framework for ensuring the availability of communications data and its obtaining by public authorities. It contains standard provisions in respect of, amongst other things, orders and regulations, commencement and extent. The new regime replaces Part 1 Chapter 2 of the Regulation of Investigatory Powers Act 2000 (“RIPA”) and Part 11 of the Anti-Terrorism Crime and Security Act 2001 (“ATCSA”) and sits alongside the Data Retention (EC Directive) Regulations 2009. The Bill is in three Parts.

5. Part 1 makes provision for ensuring or otherwise facilitating the availability of communications data to be obtained from telecommunications operators. Clause 1 enables the Secretary of State, by order, to ensure that communications data is available to be obtained by public authorities under Part 2. Clauses 2 to 7 make express provision for safeguards in relation to Part 1. These safeguards include, by virtue of clauses 3 to 6, mandatory obligations on telecommunications operators who hold communications by virtue of this Part relating to data integrity and security, retention periods, access to the data and destruction of the data at the end of the retention period. Clause 2 imposes consultation requirements on the Secretary of State and clause 7 makes provision for further procedural safeguards, including the referral of notices to the Technical Advisory Board (established by section 13 of RIPA). Clause 8 imposes a duty, enforceable through the civil courts, to comply with requirements or restrictions imposed under Part 1.

6. Part 2 provides for an updated scheme for the obtaining of communications data by relevant public authorities. Clause 9 enables a designated senior officer of a relevant public authority, subject to tests of necessity and proportionality, to grant an authorisation authorising the obtaining of communications data. Clauses 10 to 12 set out procedural matters in respect of such authorisations. Clause 11 provides that an authorisation made by a designated senior officer in a local authority can only take effect if approved by a relevant judicial authority. Clauses 14 to 16 and Schedule 1 enable the Secretary of State to establish, maintain and operate filtering arrangements for the purpose of facilitating the obtaining of communications data by relevant public authorities, and assisting the designated senior officer to determine whether the tests for granting an authorisation are met. These filtering arrangements may be operated directly by the Secretary of State or by a body designated by order. Clauses 17 to 21 contain supplementary provisions; amongst other things they confer a power on the Secretary of State to impose restrictions on the granting of authorisations under this Part.

7. Part 3 contains further provisions supplementing those in Parts 1 and 2. Clauses 22 and 23 confer further scrutiny functions on the Interception of Communications Commissioner and Investigatory Powers Tribunal. Clause 24 and Schedule 2 abolish other general information powers so far as they enable public authorities to secure the disclosure of communications data from telecommunications operators or postal operators without the consent of the operator. Clause 25 applies the provisions in Parts 1 and 2 to postal operators and postal services. Clause 26 requires the Secretary of State to ensure that arrangements are in force for making appropriate contributions to postal and telecommunications operators to meet the costs incurred by them in engaging in activities permitted or required by virtue of Parts 1 and 2.

8. Clauses 29 to 33 and Schedule 4 deal with the making of orders under the Bill, make financial provision for additional expenditure incurred as a result of the provisions in the Bill, and provide for the short title, commencement and extent.

Background

9. Communications data is information about a communication; it can include the details of the time, duration, originator and recipient of a communication; but not the content of the communication itself. Communications data is used by the security, intelligence and law enforcement agencies during investigations regarding national security, organised, serious and volume crime. It enables investigators to identify members of a criminal network, place them in specific locations at given times and in certain cases to understand the criminality in which they are engaged. Communications data can be vital in a wide range of threat to life investigations, including the investigation of missing persons. Communications data can be used as evidence in court.

10. Communications data falls into three categories: subscriber data; use data; and traffic data. The scope of these terms is set out in the Annex. Subscriber information is information held or obtained by a provider about those to whom the service is provided e.g. the name and address of the person who has subscribed to a particular phone number. Use data relates to the use made by any person of a postal or telecommunications service, for example, itemised telephone call records or itemised records of connections to internet services. Traffic data is data that is comprised in or attached to a communication for the purpose of transmitting the communications, for example, the address on an envelope or the location of a mobile phone.

11. Given the role communications data plays in the investigation of offences and bringing offenders to justice, statutory arrangements have been in place for a number of years to ensure that it is retained by telecommunications operators and then made available on a case by case basis to designated public authorities. Part 11 of ATCSA provides a legal framework for the voluntary retention of communications data in the UK for certain purposes. The provisions in that Act are supported by a statutory code of practice (“Voluntary Retention of Communications Data under Part 11: Anti-terrorism, Crime and Security Act 2001— Voluntary Code of Practice”) which came into force on 5 December 2003 by virtue of the Retention of Communications Data (Code of Practice) Order 2003 (S.I. 2003/3175).

12. In March 2006 the European Parliament and Council adopted the EU Data Retention Directive (Directive 2006/24/EC)[1] which provided for a mandatory framework for the retention of certain communications data. This was transposed into UK law in two stages. The Data Retention (EC Directive) Regulations 2007 (S.I. 2007/2199) implemented the Directive in respect of mobile and fixed line telephony. The Data Retention (EC Directive) Regulations 2009 (S.I. 2009/859), which revoked and replaced the 2007 Regulations, implemented the Directive with respect to the retention of communications data relating to internet access, internet telephony and internet e-mail as well as mobile and fixed line telephony.

13. The Strategic Defence and Security Review (Cm 7948)[2], published in October 2010, committed this Government to a programme to preserve the ability of the security, intelligence and law enforcement agencies to obtain communications data within the appropriate legal framework (paragraph 4.A.5).

14. The acquisition and disclosure of communications data by law enforcement agencies and others is principally governed by Chapter 2 of Part 1 of RIPA. That Act ensures that the acquisition of communications data is in accordance with the European Convention on Human Rights (“ECHR”). RIPA enables a “relevant public authority” to make requests to obtain communications data, on a case by case basis, subject to specific tests of necessity and proportionality. The relevant public authorities are those listed in section 25(1) of RIPA or in an order made under that section (see Article 3 and Schedule 2 to the Regulation of Investigatory Powers (Communications Data) Order 2010 (S.I. 2010/480)). Any request for communications data may only be made for one or more of the purposes permitted in section 22(2) of RIPA or in an order made under that section (see Article 2 and Schedules 1 and 2 of the Regulation of Investigatory Powers (Communications Data) Order 2010 (S.I. 2010/480)). Guidance to relevant public authorities on the acquisition and disclosure of communications data is contained in a code of practice made under section 71 of RIPA[3]. The Interception of Communications Commissioner, appointed under section 57 of RIPA, keeps under review the use of the powers in Chapter 2 of Part 1 of RIPA. Complaints about the exercise of these powers may be made to the Investigatory Powers Tribunal, established under section 65 of RIPA.

15. A number of other enactments (for example the Social Security Fraud Act 2001 and the Financial Services and Markets Act 2000) also confer powers on certain public authorities to acquire information, including communications data. These alternative powers were considered as part of the review of counter-terrorism and security powers announced by the Home Secretary in an oral statement to Parliament on 13 July 2010 (Hansard, House of Commons, columns 979 to 809; the statement was repeated in the House of Lords at columns 644 to 652). The Home Secretary reported the outcome of the review[4] in a further oral statement to Parliament (Hansard, House of Commons, columns 306 to 326; the statement was repeated in the House of Lords at columns 965 to 978). The review concluded that other statutory powers with weaker safeguards which are currently used by public authorities to acquire communications data should be removed. Lord Macdonald of River Glaven, who provided independent oversight of the review, published a separate report of his findings[5].

16. The Bill provides for a new framework to ensure the availability of communications data and its obtaining by law enforcement agencies and other approved public authorities. This framework in respect of the retention of communications data by operators (provided for in Part 1) replaces that in Part 11 of the ATCSA, which is repealed, but sits alongside that provided for in the Data Retention (EC Directive) Regulations 2009. The new regime for the obtaining of communications data (provided for in Part 2) replaces that in Chapter 2 of Part 1 of RIPA. Amongst other things, Part 3 implements the recommendation in the review of anti-terrorism and security powers that other statutory powers with weaker safeguards which are currently used by public authorities to acquire communications data should be removed.

Territorial Extent

17. The Bill extends to the whole of the United Kingdom. In relation to Scotland, Wales and Northern Ireland the provisions relate to non-devolved matters.

Commentary on Clauses

Part 1: Ensuring or facilitating availability of communications data

18. Part 1 makes provision for ensuring that communications data is available to be obtained from telecommunications operators by relevant public authorities under Part 2, or otherwise facilitating the availability of such data to be so obtained from telecommunications operators. At present communications data may be retained by telecommunications operators because: i) it has been processed as part of their normal business, for example for marketing or billing purposes; ii) under the Data Retention (EC Directive) Regulations 2009, public communications providers are required to retain some types of telephony and internet related communications data, generated or processed in the UK in connection with their business, for 12 months; iii) certain data can be retained in accordance with a voluntary code of practice on data retention, under the ATCSA. The processing of personal information, including communications data, is regulated by the Data Protection Act 1998.

19. The UK communications infrastructure is rapidly changing as new voice and data applications are made available over the internet. New business models and communications technologies mean that communications service providers (described as telecommunications operators in the Bill) are retaining less communications data for business purposes. Part 1 builds on existing legislation by requiring telecommunications operators to obtain and retain communications data they would not ordinarily retain for their business purposes for a period of up to 12 months. This might include data relating to i) the operator’s own services which are not within the scope of existing legislation, and from which data is not otherwise retained for business purposes; ii) the services of overseas providers used by people in this country which transit systems but which the system provider currently has no business to retain. An affirmative order under clause 1 of the Bill will make provision for ensuring that communications data of this sort continues to be available to be obtained from telecommunications operators by the law enforcement agencies and other relevant public authorities.

20. Part 1 also makes express provision for safeguards to ensure that the power in clause 1 can only be exercised following consultation with operators and furthermore that any data held by virtue of Part 1 is adequately protected and destroyed when no longer required.

Clause 1: Power to ensure or facilitate availability of data

21. Subsection (1) provides for the Secretary of State by order (subject to the affirmative resolution procedure – see clause 29(2)) to ensure or otherwise facilitate the availability of communications data from telecommunications operators so that it can be obtained by relevant public authorities in accordance with Part 2. The term ‘telecommunications operator’ is defined in clause 28 as a person who controls or provides a telecommunication system, or provides a telecommunications service. The term ‘communications data’ is also defined in clause 28. In summary it is information such as telephone numbers dialled, times of calls, details of callers and receivers, and website addresses. It is not the content of the communication. The Annex provides an illustration of what communications data means for particular forms of communication.

22. Subsection (2) sets out the main ways in which it is expected that the clause 1 power will be exercised. In practice, it is likely that an order under clause 1 may, amongst other things, impose requirements on operators to: generate all necessary communications data for the services or systems they provide; collect necessary communications data, where such data is available but not retained; retain the data safely and securely; process the retained data to facilitate the efficient and effective obtaining of the data by public authorities; undertake testing of their internal systems; and co-operate with the Secretary of State or other specified persons to ensure the availability of communications data.

23. Subsection (3) provides examples of the more specific requirements that may be imposed on individual telecommunications operators or other persons under subsection (2). These may include: ensuring that communications data can be disclosed without undue delay to relevant public authorities; compliance with specified standards; acquiring, using or maintaining specified equipment or systems; or using specified techniques. In practice, it is expected that requirements of this nature will be imposed by notice of the Secretary of State and will relate to particular systems and services, or classes of systems and services, provided by an operator, and particular descriptions of data. The expectation is that notices will therefore be individually tailored to each system or service (or class of system or service) in respect of which there is an operational need for communications data to be available from an operator. The notices will describe, by reference to each service and system, the description of data which must be retained, where the data should be stored and, if necessary, how the data should be collected, generated and processed.

24. Subsection (4) makes clear that nothing in Part 1 authorises any conduct consisting in the interception of communications.

Clause 2: Consultation requirements

25. Clause 2 requires the Secretary of State to consult with a number of people prior to making an order under clause 1. These persons include OFCOM (which is the independent regulator and competition authority for the UK communications industries). The Secretary of State must also, as appropriate, consult the persons likely to have requirements or restrictions imposed on them (for example, telecommunications operators) and their representatives, the Technical Advisory Board (established by section 13 of RIPA), and bodies which have statutory functions affecting telecommunications operators. The Technical Advisory Board’s makeup (as determined by the Regulation of Investigatory Powers (Technical Advisory Board) Order 2001 (S.I. 2001/3734)) includes a balanced representation of the interests of communications service providers and appropriate public authorities.

Clause 3: Data security and integrity

26. Clause 3 requires telecommunications operators to ensure that the data they hold by virtue of Part 1 is of the same quality and subject to the same security as network data, and is protected against accidental or unlawful destruction, processing, access or disclosure. These duties are consistent with those in Regulation 6 of the Data Retention (EC Directive) Regulations 2009 (S.I. 2009/859).

Clause 4: Period for which data is to be retained

27. Subsection (1) of this clause requires telecommunications operators to retain the communications data they hold under Part 1 for up to a maximum of 12 months from the date of the communication concerned. The maximum period of retention is consistent with that set out in Regulation 5 of the Data Retention (EC Directive) Regulations 2009.

28. Subsections (2) and (3) provide for an extension of the retention period if the telecommunications operator has been notified by a public authority that the data is, or may be, required for the purpose of legal proceedings.

29. Subsection (4) requires that the public authority must notify the telecommunications operator as soon as reasonably practicable after the authority becomes aware that the data is not required for legal proceedings.

Clause 5: Access to data

30. Subsection (1) stipulates that communications data held by a telecommunications operator under Part 1 can only be accessed in accordance with the provisions in Part 2 or as otherwise authorised in law. These may include a request under section 7 of the Data Protection Act 1998 (which provides an individual with the right of access to personal data) or in pursuance of a court order.

31. Subsection (2) requires the operator to put in place adequate security systems to govern access to the communications data and ensure that the data is only disclosed in accordance with subsection (1).

Clause 6: Destruction of data

32. This clause provides for the destruction of communications data at the end of the period of retention, or when the data is no longer required for the purposes of legal proceedings or otherwise authorised by law. The data must be destroyed in such a way that it can never be retrieved. The deletion of data must take place within a month of the end of the retention period. The requirement to destroy data must be kept under review by the Information Commissioner as set out in clause 22(5).

Clause 7: Other safeguards

33. Clause 7 sets out additional safeguards in relation to the power established by clause 1. It also references clauses 22, 23 and 24. Clauses 22 and 23 confer additional scrutiny functions on the Interception of Communications Commissioner, the Information Commissioner and the Investigatory Powers Tribunal. Clause 24 provides for the abolition of certain general information powers which enable public authorities to secure the disclosure by a telecommunications operator or postal operator of communications data without the consent of the operator.

34. Subsection (1) sets out the procedural requirements in respect of notices provided for by an order under clause 1.

35. Subsections (2) and (3) provide that an order under clause 1 must ensure that any person given a notice under clause 1(2)(b) can refer it to the Technical Advisory Board within a period specified by the Secretary of State. The Board will consider the technical requirements and financial consequences of the notice and report their conclusions to the person on whom the notice was served and to the Secretary of State. After consideration of a report from the Technical Advisory Board, the Secretary of State may withdraw the notice or issue a further notice under clause 1 confirming its effect, with or without modifications. A further notice given following the Board’s report may not be the subject of any further reference under this clause.

Clause 8: Enforcement and protection for compliance

36. Subsection (1) places a duty on a telecommunications operator, or other person, on whom a requirement or restriction is imposed by clauses 3 to 6 or a clause 1 notice, to comply with the requirement or restriction concerned. The duty to comply does not apply to a requirement or restriction imposed by a clause 1 order.

37. Subsection (2) provides that if a telecommunications operator fails to comply with that duty then the Secretary of State may take civil proceedings against them for an injunction or other appropriate relief.

38. Subsection (3) has the effect of making conduct lawful for all purposes if it is conduct in which a person is authorised or required to engage by virtue of this Part, and the conduct is in accordance with, or in pursuance of, the authorisation or requirement. This ensures that there is no liability attached to actions undertaken as a result of a requirement or authorisation under this Part.

39. Subsection (4)(a) ensures that a person undertaking conduct that is incidental or reasonably undertaken in connection with conduct which has been authorised or required by virtue of subsection (3) is not subject to any civil liability.

40. Subsection (4)(b) provides that such conduct must not be conduct for which an authorisation or warrant is capable of being granted under any of the enactments mentioned in subsection (5), and might reasonably have been expected to have been sought in the case in question.

Part 2: Regulatory regime for obtaining data

41. At present, RIPA regulates how law enforcement, the security and intelligence agencies and other relevant public authorities obtain communications data from telecommunications operators. Chapter 2 of Part 1 of RIPA was enacted in order to provide public authorities with a European Convention on Human Rights (“ECHR”) compliant framework for obtaining communications data. RIPA places strict rules on when, and by whom, communications data can be obtained and establishes safeguards including independent oversight by the Interception of Communications Commissioner and the Investigatory Powers Tribunal.

42. The new scheme set out in Part 2 of the Bill preserves the essential elements of this framework. In particular, the substantive protections of Article 8 ECHR (right to respect for private and family life) will continue to be guaranteed by the express terms of Part 2 which only permit the exercise of the relevant powers if the tests of necessity, proportionality and legitimate aim are satisfied. Paragraph 5 of Schedule 4 repeals sections 21 to 25 in Chapter 2 of Part 1 of RIPA, which relate to the acquisition and disclosure of communications data.


Clause 9: Authorisations by police and other relevant public authorities

43. Subsection (1) provides that an authorisation to obtain communications data may only be granted if a designated senior officer of a relevant public authority believes in respect of the data (“Part 2 data”) that:

  • it is necessary to obtain the data for a permitted purpose;
  • it is necessary to obtain the data for the purposes of a specific investigation or a specific operation or for the purposes of testing, maintaining or developing equipment, systems or other capabilities relating to the availability or obtaining of communications data; and
  • the conduct authorised is proportionate to what is sought to be achieved.

44. Article 8(2) of the ECHR. For example these include the interests of national security, the prevention and detection of crime or in an emergency preventing death or injury. ‘Designated senior officers’ are defined in clause 21 as such individuals holding ranks, offices or positions with relevant public authorities as are specified by order of the Secretary of State. Restrictions on the exercise of the power relating to granting authorisations are set out in clause 17.

45. If the conditions in subsection (1) are met, subsection (2) provides that a designated senior officer may grant an authorisation for the designated senior officer or individuals holding offices, ranks or positions with the same relevant public authority as the designated senior officer to engage in any conduct in relation to a telecommunication system, or the data derived from a telecommunication system, for obtaining the Part 2 data from any person.

46. Subsection (3) sets out a non-exhaustive list of the types of conduct which fall within clause 9(2). Such conduct may include the following: an authorised officer obtaining the Part 2 data themselves from any person with the consent of that person; asking any person whom the authorised officer believes is, or may be, in possession of the Part 2 data, to disclose it to an individual identified by the authorisation; asking any person whom the authorised officer believes is not in possession of the Part 2 data but is capable of obtaining the data to obtain it and disclose it to an individual identified by the authorisation; requiring by notice a telecommunications operator whom the authorised officer believes is, or may be, in possession of the Part 2 data, to disclose it to an individual identified by the authorisation; requiring by notice a telecommunications operator whom the authorised officer believes is not in possession of the Part 2 data but is capable of obtaining the data, to obtain it and disclose it to an individual identified by the authorisation.

47. Subsections (4) and (5) set out the particular conduct that may, or may not be, authorised by an authorisation. Subsection (4) specifies that an authorisation may, for example, authorise any conduct by a person who is not an authorised officer which enables or facilitates the obtaining of Part 2 data.

48. Subsection (5) makes explicit that an authorisation may not authorise the following: any conduct consisting in the interception of communications; an authorised officer to ask or require a person to disclose Part 2 data to any person other than an authorised officer or a person holding an office, rank or position with the same relevant public authority as an authorised officer.

49. Subsection (6) sets out the permitted purposes, consistent with Article 8(2) ECHR, for which communications data may be obtained under this Part. These may include the interests of national security, the prevention or detection of crime or for the purpose, in an emergency, of preventing death or injury. The list of purposes replicates that in section 22(2) of RIPA (which covers the purposes in subsection (6)(a), (b), (d), (e), (f), (g) and (h)) as augmented by Regulation 2 of the Regulation of Investigatory Powers (Communications Data) Order 2010 (S.I. 2010/480) (which covers the purposes in subsection (6)(i) and (j)). The purpose in subsection (6)(c) is new. The new purpose relates to the prevention and detection of any conduct in respect of which civil enforcement action for market abuse may be taken by the Financial Services Authority. It has been added to the list of permitted purposes as a result of the provisions in clause 24 and Schedule 2 which contain repeals of certain general information powers so far as they enable public authorities to secure the disclosure by a telecommunications operator or postal operator of communications data.

50. Subsection (7) provides that the Secretary of State may, by order (subject to the affirmative resolution procedure – see clause 29(2)) amend subsection (6) in order to add to or restrict the permitted purposes (the power to add permitted purposes mirrors that in section 22(2)(h) of RIPA).

Clause 10: Form of authorisations and authorised notices

51. Clause 10 makes provision for the form of authorisations and authorised notices.

52. Subsection (1) sets out that the authorisation to obtain communications data must specify the conduct that is authorised and the Part 2 data in relation to which the conduct is authorised.

53. Subsection (2) provides that an authorisation must specify the matters falling within the list of permitted purposes set out in clause 9(6) by reference to which the authorisation is granted, and the office, rank or position held by the person granting the authorisation.

54. Subsection (3) explains that an authorisation which authorises a person to impose requirements by notice on a telecommunications operator must specify the nature of the requirements to be imposed but need not specify the other contents of the notice.

55. Subsection (4) provides that an authorised notice must specify the following: the office, rank or position held by the person giving it; the requirements that are being imposed; and the telecommunications operator on whom the requirements are being imposed. Furthermore, the notice must be given in writing or if not in writing, then it must be in a form which produces a record of it having been given.

56. Subsection (5) specifies that an authorisation for which judicial approval is required (see clause 11(1)), must be granted in writing.

57. Subsection (6) provides that any other authorisation must be granted in writing or, if not in writing, in a manner that produces a record of it having been granted. An example of the latter sort of record would be a control room or operational log required to support an urgent oral grant of authorisation.

Clause 11: Judicial approval for certain authorisations

58. This clause provides a procedure by which local authority authorisations to obtain communications data can only take effect if approved by a relevant judicial authority. The clause also provides a mechanism by which the requirement for judicial approval may be applied to authorisations granted by officials in other public authorities by order made by the Secretary of State.

59. Subsection (1) provides that a local authority authorisation granted under clause 10 will not take effect until the "relevant judicial authority" has given its approval. The relevant judicial authority is defined in subsection (6). In England and Wales, the judicial authority is a justice of the peace, in Northern Ireland it is a district judge (magistrates’ court) and in Scotland, a sheriff.

60. Subsection (2) provides that notice of such applications need not be given to either the subject of the authorisation or their legal representatives.

61. Subsection (3) sets out the test for the judicial approval of a local authority authorisation to obtain communications data. The relevant judicial authority must be satisfied that not only were there reasonable grounds for the designated senior officer to believe that the tests in clause 9(1) were satisfied (subsection (3)(a)(i)), but that there also remain reasonable grounds for believing so (subsection (3)(b)). The judicial authority must also be satisfied that the "relevant conditions", which relate to the authorisation or notice, were met (subsection (3)(a)(ii)). These relevant conditions are set out at subsection (4).

62. Subsection (4) lists the relevant conditions that must be met if the relevant judicial authority is to approve the making of an authorisation. For local authorities, in England, Wales and Scotland (and in Northern Ireland where the authorisation is granted for the purpose relating to an excepted or reserved matter), these conditions are: (a) that the person granting the authorisation was a designated senior officer within the meaning of clause 21; (b) that the authorisation was not in breach of any other restrictions (see clause 17); and (c) that the authorisation satisfied any other conditions set out in an order (subject to the negative resolution procedure – see clause 29(3)) made by the Secretary of State. In relation to conditions (a) and (b), the Regulation of Investigatory Powers (Communications Data) Order 2010 (S.I. 2010/480) currently applies. For authorisations granted by public authorities other than local authorities to which the judicial approval requirement may in the future be applied, the relevant conditions are those that will be set out in an order (subject to the negative resolution procedure) made by the Secretary of State.

63. Subsection (5) allows the relevant judicial authority on refusing an approval of the grant of an authorisation to quash that authorisation. Subsection (6) defines various terms used in clause 11.

Clause 12: Duration and cancellation of authorisations

64. Clause 12 limits the duration of authorisations and sets out when they must be cancelled.

65. Subsection (1) provides that an authorisation ceases to have effect at the end of the period of one month beginning from the date it was granted.

66. Subsections (2) and (3) permit an authorisation to be renewed at any period during the month, by following the same procedure as in obtaining a fresh authorisation. The renewed authorisation will last for a period of one month from the date the current authorisation expires.

67. Subsection (4) places a duty on the designated senior officer who has granted an authorisation to cancel it if they are satisfied that the position is no longer as set out in clause 9(1).

68. Subsections (5) and (6) permit the Secretary of State to specify by order the person required to carry out the duty set out in subsection (4) in the event that this would otherwise fall on a person who is no longer available to perform it. This order is subject to the negative resolution procedure (see clause 29(3)).


Clause 13: Duties of telecommunications operators in relation to authorisations

69. Subsection (1) places a duty on a telecommunications operator who is obtaining or disclosing communications data in response to a request or a requirement for Part 2 data in pursuance of an authorisation to carry out these activities in a way that minimises the amount of data that needs to be processed for the purpose concerned.

70. Subsection (2) places a duty on a telecommunications operator to comply with a requirement imposed by notice given in pursuance of an authorisation.

71. Subsection (3) sets out that a person on whom the duties in subsections (1) and (2) are placed is not required to do anything in pursuance of this duty that it is not reasonably practical to do.

72. Subsection (4) specifies that the duties imposed by subsections (1) or (2) are enforceable by the Secretary of State by civil proceedings for an injunction, or for the specific performance of a statutory duty under section 45 of the Court of Session Act 1988 or for any other appropriate relief.

Clauses 14-16: Overview

73. There are a number of features of internet based communications which have an impact on the acquisition of communications data by public authorities:

  • The technology which is used to operate internet and mobile services, and collaboration between numerous companies, may mean that communications data regarding a single communication is no longer retained in a single place. This fragmentation of data makes it difficult to obtain and aggregate all of the communications data a public authority may need to answer a specific question.
  • Companies who provide internet communication services do not always require authenticated identity information, making it more difficult to identify the genuine user of a communication service. Moreover, a range of technologies are available which attempt to anonymise both the location and the identity of service users.
  • Numerous mobile communication devices can be used to access Internet communication services while on the move, making it more difficult to establish from where a communication was made.
  • There is a vast range of global internet communication services. It is very easy to communicate simultaneously using multiple services and move quickly to new services.

74. There are three broad consequences of these technical trends.

  • As dependence on internet-based communications data increases, there is a risk that the utility of data may decline: it becomes harder to obtain key facts about a communications event.
  • Obtaining communications data may require greater data analysis. For example, when the police need the details of the registered user of an email address, if the information cannot be obtained from the email service provider, it may be necessary to investigate more widely. Use data from the email service provider may be matched with Use and Subscriber records held by other internet companies.
  • Unless otherwise regulated, systems to analyse data may lead to the acquisition by public authorities of more data to identify key facts around a communication, with the potential risk of more collateral intrusion into privacy.

75. This Bill provides for arrangements to address these issues through a filtering process, described in these explanatory notes as a Request Filter. The purpose of this Request Filter will be to:

  • inform a public authority of the communications data which is available to resolve a specific enquiry; and enable that authority to judge whether in that context the request for data remains necessary and proportionate;
  • obtain, process and filter communications data needed to resolve more complex requests so that only data (specified in the authorisation) which identifies the key facts about a communication is passed to a public authority; and
  • protect privacy and minimise necessary interference with the rights of telecommunications users by processing the data without human intervention, and destroying any communications data irrelevant to the investigation.

76. The powers set out in clauses 14 to 16 will provide an express statutory basis to establish and operate the new Request Filter, as well as providing additional safeguards and oversight and protecting privacy. The Request Filter can operate alongside and in addition to existing automated systems by which public authorities usually obtain communications data. The Request Filter need only be used in those cases where answering the “who, how, when and where” questions for a single communication relies on fragmented communications data and when use of the Filter is both necessary and proportionate.

77. The powers ensure that the Request Filter will operate in accordance with the duties and privacy safeguards set out in the Bill at one remove from the police, law enforcement and security agencies. The Request Filter will be operated either by the Secretary of State or, subject to the approval of Parliament, by a designated public authority (see clause 20). Parliament will designate which public authorities will be permitted to use the Request Filter. Parliament will also set out the minimum grade of the designated senior officer within each police force or agency permitted to authorise the use of the processing and filtering functions in particular investigations.

78. Operation and oversight of the Request Filter requires further information to function effectively and to support and maintain the proposed statutory safeguards. This information is not communications data and is explained in paragraphs 85 and 86 below.

79. Operation of the filtering arrangements will be overseen by the Interception of Communications Commissioner (see clause 22).

Clause 14: Filtering arrangements for acquisition of data

80. Clause 14 provides a power to establish filtering arrangements to facilitate the lawful, efficient and effective obtaining of communications data by relevant public authorities and to assist a designated senior officer in each public authority to determine whether he believes the tests for granting an authorisation to obtain data have been met. The filtering arrangements will minimise the interference with Article 8(1) rights to which requests for internet based communications data will give rise, thereby ensuring that privacy is properly protected. “Filtering Arrangements” is defined in clause 21(1) as arrangements under clause 14(1).

81. The power to establish filtering arrangements in subsection (1) operates solely in the context of Part 2 of the Bill which creates a regulatory regime for obtaining data. The power is intended to facilitate the obtaining of data in particular cases by public authorities in accordance with an authorisation under clause 9 whilst protecting privacy. Any communications data obtained by the filtering arrangements must be immediately destroyed in such a way that it can never be retrieved once the purposes of the authorisation have been met. The power will be exercised in two main ways.

82. First, the Request Filter under clause 14(1) will provide the designated senior officer with assistance in determining whether he believes the tests for granting an authorisation are met in any particular case. The Request Filter may: a) provide details of different options the Request Filter may employ to provide a response to a specific public authority data request; and b) for each identified option, provide details of the anticipated levels of interference and the likely precision of the returned results. The information provided by the Request Filter will enable the designated senior officer to understand how the Filter will answer particular questions, and will guide him through the process of determining which questions he believes it is necessary and proportionate to ask, taking into account the filtering and processing which will be undertaken and the volume of filtered data which will be disclosed.

83. Second, if the designated senior officer grants the authorisation, the Request Filter will facilitate where necessary the efficient and effective obtaining of required Part 2 data under the authorisation on behalf of investigators whilst minimising any interference with the privacy of those whose data is processed and disclosed. As explained above, the Request Filter will be operated at arm’s length from the investigation under the oversight of the Interception of Communications Commissioner by virtue of clause 22.

84. In accordance with subsection (2), the Filter will:

  • automate the obtaining of communications under an authorisation in response to a lawful, authorised data request from a public authority. Where extra data has to be obtained by the filter in order to obtain the data which has been requested, this extra data will only be available to the filter and will not be disclosed to the requesting public authority;
  • where necessary process the obtained communications data to obtain the data which has been requested; and
  • disclose to the public authority only the requested filtered Part 2 data specified in the authorisation which is required to answer the request. The duties imposed under clause 16 will ensure that the Request Filter can only ever disclose the filtered Part 2 data necessary to answer a particular request. Once the filter has provided the answer to the question to the public authority, all other data relating to the request must be destroyed in such a way that it can never be retrieved.

85. Subsection (3) further provides that the exercise of the clause 14 power may, in particular, provide for the generation or use of certain categories of additional information.

86. Aside from communications data, any new processing and filtering capability under Part 2 will require some additional information to assist the designated senior officer in determining whether the tests for granting an authorisation are met and to provide audit and oversight information to the operator of the Request Filter and the Interception of Communications Commissioner. This information is specified in subsection (3)(a) and (b) and may include:

  • information about the type and volume of data likely to be obtained by the Filter in any particular case to ensure that the designated senior officer can assess the anticipated levels of interference, and make an informed decision as to whether he believes it is necessary and proportionate to obtain the data;
  • audit and management information relating to the use made of the Request Filter to enable administrative, financial and security oversight to be exercised on a day-to-day basis; and
  • information required by the Interception Commissioner to keep under review and report on the proper operation of the Request Filter.

87. Subsection (3) ensures that express statutory provision is made for this additional information, and that the use of such information is subject to appropriate safeguards. Part 2 ensures, in particular, that information of this type can only be disclosed for the limited set of purposes set out in clause 16(2).

88. Subsection (4) specifies that provision must be made for the generation and retention of information or documents which are needed by the Interception of Communications Commissioner to carry out his functions. These functions are inserted into RIPA by clause 22.

Clause 15: Use of filtering arrangements in pursuance of an authorisation

89. Clause 15 will apply in relation to the use of any Request Filter established under the power in clause 14.

90. The effect of subsection (2) is that any Request Filter may be used to obtain, process and disclose Part 2 data if, but only if, these uses have been specifically authorised by the authorisation.

91. Subsection (3) sets out the matters which the designated senior officer must record within the authorisation to obtain Part 2 data. These include: a) whether the Part 2 data may be obtained and disclosed by use of the filter; b) whether the processing of data under the filter is allowed; c) if the processing of data is allowed, then a description of data that may be processed must also be included.

92. Subsection (4) prevents a designated senior officer from authorising the use of a Request Filter, either to obtain or process the data, unless satisfied that it is proportionate to do so.

93. Subsections (2) to (4) will accordingly ensure that the use of any Request Filter under Part 2 is specifically authorised by the authorisation, is proportionate and is recorded within the authorisation.

Clause 16: Duties in connection with operation of filtering arrangements

94. Clause 16 imposes duties in connection with the operation of filtering arrangements under clause 14.

95. In the case of a Request Filter, subsection (1) provides that no communications data must be obtained or processed under the filter except for the purposes of an authorisation. Data which has been obtained or processed under the filter, and is to be disclosed in accordance with the authorisation or for the purposes of assisting the designated senior officer, shall only be disclosed to authorised individuals. Further, subsection (1)(c) specifically requires any data obtained by the filter to be immediately destroyed in such a way that it can never be retrieved, once the purposes of the authorisation or of the assistance function have been met or if at any time it ceases to be necessary to retain the data for these purposes.

96. Subsection (1) will ensure that only the filtered data relevant to the investigation is disclosed to the requesting agency. Once the filter has provided the answer to the question, all the data relating to the request will be destroyed by the filter in such a way that it can never be retrieved.

97. Subsection (2) limits the disclosure of the additional subsidiary information explained in paragraph 85 above: a) to assist a designated senior officer to determine whether he believes the tests for granting an authorisation are met; b) for the purposes of support, maintenance, oversight, operation or administration; c) to the Interception of Communications Commissioner for the purposes of any of his functions; d) as otherwise authorised by law.

98. Subsection (3) requires strict limits to be placed on the persons who are permitted to read, obtain or otherwise process data for the purposes of support, maintenance, oversight, operation or administration in connection with the Request Filter. No other persons must be permitted to access or use the capability except in pursuance of an authorisation or to assist the designated senior officer to determine whether an authorisation is necessary and proportionate.

99. Subsection (4) requires that an adequate security system is in place to protect against any abuse of access to the Filter, as well as measures to protect against any unauthorised or unlawful data retention, processing, access or disclosure. The duty in subsection (4) will ensure that a Request Filter can only be used in accordance with Part 2 and is subject to adequate and effective safeguards against abuse.

100. Subsection (5)(a) requires procedures to be put in place and maintained to ensure that any Request Filter is functioning properly, including regular testing of the relevant software and hardware. Subsection (5)(b) requires a report to be made, as soon as possible after the end of each calendar year, to the Interception of Communications Commissioner about the functioning of the Request Filter during that year. Such a report must, in particular, contain information about destruction of data during that year (subsection (6)). Subsections (5) and (6) will ensure that the operation of any Request Filter is subject to rigorous oversight and control.

101. Subsection (7) requires any significant processing errors to be immediately reported to the Interception of Communications Commissioner. Subsection (7) constitutes a further safeguard with respect to the operation of any Request Filter.

Clause 17: Power to impose restrictions on exercise of powers

102. Subsection (1) provides that a designated senior officer of a local authority may not grant an authorisation for obtaining traffic data, or any communications data generated by a telecommunications operator under a clause 1 order. For example, a requirement may be imposed on an operator to generate information about a customer’s name or address in circumstances where the operator’s business model would not otherwise require it to do so. Subsection (1) will prevent local authorities from obtaining access to generated data.

103. Subsection (2) confers a power on the Secretary of State by order (subject to the affirmative resolution procedure – see clause 29(2)) to impose restrictions on the granting of authorisations by designated senior officers. This broadly mirrors the equivalent power in section 25(3) of RIPA. The Order made under that power (see articles 5 to 7 of the Regulation of Investigatory Powers (Communications Data) Order 2010) places a number of restrictions on the granting of authorisations, for example, local authorities may only obtain certain types of communications data (i.e. use data and subscriber data).

104. Subsection (3) provides that an order under this section may impose restrictions: a) on the authorisations that may be granted by a designated senior officer; b) on the circumstances in which, or purposes for which, such authorisations may be granted.

105. Subsection (4) specifies that an order under this clause may in particular impose restrictions relating to the filtering arrangements in three areas: the public authorities that may use the arrangements; the permitted purposes for which the arrangements may be used; and the data that may be processed by means of the arrangements.

Clause 18: Lawfulness of conduct authorised by this Part

106. Subsection (1) has the effect of making conduct lawful for all purposes if it is conduct in which that person is authorised to engage by virtue of an authorisation, and the conduct is in accordance with, or in pursuance of, the authorisation.

107. Subsection (2) exempts a person from civil liability in respect of conduct which is incidental to, or reasonably undertaken in conjunction with, that authorised in subsection (1). The conduct must not itself be conduct for which an authorisation or warrant: (i) is capable of being granted under the enactments referred to in subsection (3), and (ii) might reasonably have been expected to have been sought in the case in question.

Clause 19: Collaborating police forces in England and Wales

108. Clause 19 sets out how authorisations may be granted across collaborating police forces in England and Wales. Subsection (1) provides that subsections (2) and (3) apply if a person is a designated senior officer by reference to an office, rank or position with an England and Wales police force and the chief officer of police of that force has entered into a collaboration agreement under section 22A of the Police Act 1996 with the chief officer of police of one or more other England and Wales police forces.

109. Subsections (2) and (3) ensure that clause 9 treats collaborating police forces as if they were a single force. So subsection (2) makes provision for a designated senior officer to grant an authorisation for individuals with a collaborating force to engage in conduct to obtain Part 2 data if he or she believes that it is necessary and proportionate as set out in clause 9(1).

110. Subsection (3) specifies how clause 9(5)(b) applies in this context. Clause 9(5)(b) limits the persons to whom an authorisation may authorise the disclosure of Part 2 data. Subsection (3) provides that clause 9(5)(b) has effect in its application to conduct under subsection (2) as if the reference to a person holding an office, rank or position with the same relevant public authority as an authorised officer included a reference to a person holding an office, rank or position with the same relevant public authority as the designated senior officer. The effect of this is that, in cases where an authorisation is granted by a designated senior officer in one police force (“Force A”) to enable a person in a collaborating force (“Force B”) to engage in section 9(2) conduct (for example asking a telecommunications operator to disclose data to another person), the person in Force B may ask the telecommunications operator to disclose the data to a person in Force A or Force B.

111. Subsection (4) provides that a police force is a collaborating force if: a) its chief officer of police has entered into a collaboration agreement with another force under section 22A of the Police Act 1996, as mentioned in subsection (1)(b); and b) the persons holding offices, ranks, or positions with it are permitted by the terms of the agreement to be granted authorisations by the designated senior officer.

112. Subsection (5) defines “England and Wales police force” for the purposes of this clause.

Clause 20 and Schedule 1: Certain transfer and agency arrangements with public authorities

113. Clause 20 and Schedule 1 cater for the possibility that the functions of the Secretary of State under clauses 14 to 16 may, at some point in the future, be transferred to another public authority designated by order, or that a public authority may carry out agency arrangements with the Secretary of State in relation to other matters falling within Part 2. In practice, the Secretary of State or designated public authority may contract with an approved body to undertake the day-to-day operation of the filtering arrangements. However, legal responsibility for ensuring the effective and lawful operation of the filtering arrangements, and complying with the duties imposed by clauses 14 to 16, will remain with the Secretary of State or other designated public authority.

114. Subsection (1)(a) provides for the Secretary of State by order (subject to the affirmative resolution procedure – see clause 29(2)) to transfer responsibility to a designated public authority for the exercise of any functions under clauses 14 to 16. Subsection (1)(b) permits reverse transfers and transfers between public authorities. Any designated public authority would be a public authority for the purposes of the Human Rights Act 1998 (see definition of a public authority in clause 28(1)). The power in subsection (1) may be used to amend the constitutions of such authorities to enable them to exercise the functions concerned (see paragraph 6(1)(a) of Schedule 1). In order to enable a designated public authority to exercise these functions on behalf of the Secretary of State, subsection (2) provides for the Secretary of State by order to modify any enactment about a public authority. ‘Modify’ includes amend, repeal or revoke. This will enable the removal of statutory bars from public authorities acting as agents for the Secretary of State in relation to functions exercisable under Part 2. Subsection (3) provides that any order under subsection (2) does not affect the Secretary of State’s responsibility for the exercise of the functions concerned.

115. Subsection (4) specifies that the functions that may be exercised on behalf of the Secretary of State by virtue of subsection (2) do not include the function of making orders.

116. Subsection (5) introduces Schedule 1 to the Bill, which contains further safeguards and provisions relating to the transfer of responsibility for the arrangements.


Clause 21: Interpretation of Part 2

117. This clause defines relevant terms used in Part 2.

118. A ‘relevant public authority’ means any of the following: a police force; the Serious and Organised Crime Agency; Her Majesty’s Revenue and Customs; any of the intelligence services; and any public authority designated for the purposes of this Part by order of the Secretary of State (subject to the affirmative resolution procedure). Subsection (7) also provides for the Secretary of State by order to remove non-designated public authorities from the list of relevant public authorities in subsection (1). For the equivalent power under RIPA, additional relevant public authorities have been designated by Article 3 of and Schedule 2 to the Regulation of Investigatory Powers (Communications Data) Order 2010 (S.I. 2010/480).

Part 3: Scrutiny and Other Provisions

Clause 22: Scrutiny by Commissioners

119. Under section 57 of RIPA the Interception of Communications Commissioner’s current role includes oversight of the acquisition of communications data by public authorities under Chapter 2 of Part 1 of RIPA. Clause 22 amends section 57 of RIPA so as to extend the role of the Interception of Communications Commissioner to include keeping under review the exercise and performance of the powers and duties conferred by or under Parts 1 and 2 of the Communications Data Bill. This does not include oversight of the following powers or duties: those under Part 1 which are subject to review by the Information Commissioner; those under Part 1 which are conferred on the Secretary of State in respect of the making of orders (see section 57(4) of RIPA) or the giving of notices; and those under Part 2 which belong to the relevant judicial authority. In practice, this means that the Interception of Communications Commissioner has responsibility for the oversight of the obtaining of communications data under Part 1 and the acquisition of this data by public authorities under Part 2. Subsection (3) amends section 58 of RIPA so as to place a duty on telecommunications operators, designated senior officers and other officers by or to whom an authorisation has been granted and any public authority designated under a clause 20 order to co-operate with the Interception of Communications Commissioner.

120. Subsection (5) provides for scrutiny by the Information Commissioner of certain provisions in Part 1. The subsection places a duty on the Information Commissioner to keep under review the operation of provisions relating to data security and integrity (clauses 3(a) and (b)); the destruction of data (clause 6); and any provisions in an order under clause 1 which relate to the security of communications data held by telecommunications operators.

121. Subsection (6) obliges the telecommunications operator holding data under Part 1 or 2, and the Secretary of State, to ensure that sufficient records are kept to enable the Information Commissioner, or Interception of Communications Commissioner, to discharge their duties effectively. For example, these records may include information on how telecommunications operators have responded to authorisations for obtaining communications data.

Clause 23: Scrutiny by the Investigatory Powers Tribunal

122. Subsection (1) amends section 65 of RIPA so as to extend the role of the Investigatory Powers Tribunal to provide scrutiny of the new functions relating to communications data. RIPA established the Investigatory Powers Tribunal to provide for review by a judicial body of the activities of the intelligence agencies and other public authorities, including with respect to conduct by them under RIPA. The proceedings and complaints which fall within the jurisdiction of the Tribunal are set out in section 65(2) of RIPA. For example, if any person is aggrieved by conduct in relation to his communications which he believes took place under the authority of Chapter 2 of Part 1 of RIPA, he is entitled to address a complaint to the Investigatory Powers Tribunal. This Tribunal has full powers to investigate and decide any case of this nature within its jurisdiction. The Tribunal is made up of senior members of the judiciary and the legal profession and is independent of Government. The amendments to section 65 of RIPA add the following conduct to the jurisdiction of the Investigatory Powers Tribunal: conduct required or permitted by virtue of an order under clause 1 (other than conduct which is subject to review by the Information Commissioner or conduct in respect of the giving of a notice by the Secretary of State); and conduct to which Part 2 of the Bill applies.

Clause 24 and Schedule 2: Abolition of powers to secure disclosure of communications data

123. This clause introduces Schedule 2 to the Bill which contains repeals of certain general information powers so far as they enable public authorities to secure the disclosure by a telecommunications operator of communications data without the consent of the operator. Clause 24 therefore ensures that operators are not required by law to obtain and disclose communications data other than in cases where the relevant statutory framework expressly guarantees the substantive protections of Article 8 and Directive 2002/58/EC (Directive on privacy and electronic communications).


Clause 25: Application of Parts 1 and 2 to postal operators and postal services

124. Subsections (1) and (2) provide for Part 1 to apply to public postal operators and public postal services as it applies to telecommunications operators and telecommunications services.

125. Subsections (3) and (4) provide for Part 2 to apply to postal operators and postal services as it applies to telecommunications operators and telecommunication systems.

Clause 26: Operators’ costs of compliance with Parts 1 and 2

126. This clause requires the Secretary of State to make arrangements to ensure that telecommunications and postal operators receive an appropriate contribution towards such costs they incur in complying with activities permitted or required within Parts 1 and 2 as the Secretary of State considers appropriate.

127. Subsection (3) provides the ability to make the payment of a contribution towards costs subject to certain conditions. Subsection (4) sets out that such conditions may include a condition on the telecommunications or postal operator concerned to comply with an audit that may reasonably be required to monitor the claim for costs.

Clause 27 and Schedule 3: Codes of practice in relation to Part 1 and 2 functions

128. Clause 27 introduces Schedule 3 to the Bill which makes consequential amendments to RIPA relating to codes of practice.

Clause 28: Interpretation: general

129. This clause defines relevant terms used in the Bill.

Clause 29: Orders

130. This clause sets out the parliamentary procedure in respect of various order-making powers provided for in the Bill.

Clause 30: Financial provisions

131. This clause authorises out of money provided by Parliament any expenditure incurred by the Secretary of State under the Bill. It also authorises any additional expenditure incurred under any other Acts, where that additional expenditure results from the Bill.


Clause 31: Consequential provision

132. Subsection (1) introduces Schedule 4 which makes consequential amendments to other enactments.

133. Subsection (2) confers a power, by order, to make other consequential amendments to enactments. To the extent that an order under this clause amends or repeals primary legislation, it will be subject to the affirmative resolution procedure, otherwise it will be subject to the negative resolution procedure (see clause 29).

Clause 32: Transitional, transitory or saving provision

134. This clause enables the Secretary of State, by order, to make transitional, transitory or saving provisions in connection with the coming into force of the provisions of the Bill. Such an order is not subject to any parliamentary procedure.

Clause 33: Short title, commencement and extent

135. Subsection (1) sets out the short title for the Bill.

136. Subsections (2) and (3) provide for commencement (see paragraph 132 for further details).

137. Subsections (4) and (5) set out the extent of the provisions in the Bill (see paragraph 17).

Schedule 1: Transfer and agency arrangements with public authorities: further provisions

138. Paragraph 1 provides that an order under clause 20 cannot transfer functions to a public authority without the consent of that authority. The Secretary of State must also be satisfied that the authority in question can discharge the functions effectively and in accordance with the requirements that are set out in an order, for example as to data security.

139. Paragraph 2 provides particular safeguards in connection with clause 16 (duties in connection with the operation of filtering arrangements). Sub-paragraph (2) requires the Secretary of State to approve the measures to be adopted by a designated public authority for complying with the requirements in clause 16. A designated public authority must send the reports required to be produced under clause 16(5)(b), or (7) to the Secretary of State as well as to the Interception of Communications Commissioner.

140. Paragraph 3 requires a designated public authority to make an annual report to the Secretary of State in respect of its functions under clauses 14 to 16.

141. Paragraph 4 sets out that the Secretary of State, in connection with an order made under clause 20, may make a scheme for the transfer of property, rights or liabilities (including rights and liabilities relating to contracts of employment). Such transfers may be from the Secretary of State (in practice, the Home Office) to a designated public authority or from one designated public authority to the Secretary of State or to another designated public authority. Paragraph 4(3) lists consequential, supplementary, incidental and transitional provision that may be made by a transfer scheme. These include making provision the same as or similar to the TUPE regulations (the Transfer of Undertakings (Protections of Employment) Regulations 2006 (S.I. 2006/246)). By virtue of subparagraph (5), a scheme may make provision for the payment of compensation, for example to a designated public authority in circumstances where functions under clauses 14 to 16 conferred on that body are brought back within the Home Office. Sub-paragraph (6) provides that a transfer scheme may either be included in an order made under clause 20 or be a standalone document; in the latter case the scheme must be laid before Parliament after being made.

142. Paragraph 5 provides a power for the Treasury to make an order (subject to the negative resolution procedure in the House of Commons) providing for the tax consequences of a transfer scheme made under paragraph 4. For the purposes of this power the relevant taxes are income tax, corporation tax, capital gains tax, stamp duty and stamp duty reserve tax.

Schedule 2: Abolition of Disclosure Powers

143. Schedule 2 contains repeals of certain general information powers so far as they enable public authorities to secure the disclosure by a telecommunications operator of communications data without the consent of the operator.

Schedule 3: Codes of Practice in relation to Part 1 and 2 Functions

144. Paragraph 2 of Schedule 3 makes consequential amendments to section 71(2) of RIPA to require codes of practice to be issued under that section in respect of the powers and duties under Parts 1 and 2 of the Bill. Codes issued under section 71 are subject to the affirmative resolution procedure.

145. Paragraph 3 of Schedule 3 amends the procedure in section 71 of RIPA for issuing codes of practice under the Act. These changes respond to concerns raised by the Joint Committee on Statutory Instruments in its 30th Report of Session 2002/2003 concerning S.I. 2003/3175 made under equivalent powers in section 103 of the Anti-terrorism Crime and Security Act 2001.

146. Paragraph 6 of Schedule 3 inserts new section 71A into RIPA. The new section is designed to simplify the procedure for revising codes of practice issued under section 71. Practical experience following the enactment of RIPA suggests that the codes of practice need to be revised on a far more regular basis than had originally been envisaged. By way of example, codes of practice which mention relevant public authorities or specify authorisation levels for particular activities quickly become out of date when bodies are abolished or merge following machinery of government and other changes. In many cases, however, the substance of the code remains the same and does not require any significant revisions.

147. New section 71A of RIPA accordingly provides that an order bringing a revision of a code of practice into operation may either be subject to the affirmative resolution procedure or must be laid before Parliament. In both cases, the Secretary of State must first publish the code in draft and consider any representation made about it, and must lay the modified code before Parliament together with the order to which it relates.

Schedule 4: Consequential Provision

148. Schedule 4 makes consequential amendments to other enactments.

Commencement

149. The provisions in clauses 29, 30, 31(2) and (3), 32 and 33 (general) come into force on Royal Assent.

150. All other provisions will be brought into force by means of commencement orders made by the Secretary of State.

Financial Effects of the Bill

151. The programme to ensure the availability of communications data by telecommunications operators and for the obtaining of such data by law enforcement agencies and relevant public authorities, enabled by Parts 1 and 2 of the Bill, is estimated to lead to an increase in public expenditure of up to £1.8 billion over 10 years from 2011/12. Benefits from this investment are estimated to be £5 – 6.2 billion over the same period.

Effects of the Bill on Public Sector Manpower

152. As of 1 April 2012 the Home Office Communications Capabilities Development Programme, which is responsible for the delivery of the activity referred to above, has 120 staff (full time equivalents). This is envisaged to fall to around 40 staff over a 10 year period when the new framework will be fully in place.

Summary of Impact Assessments

153. The Bill is accompanied by an impact assessment and privacy impact assessment. These are available on the Home Office website.

European Convention on Human Rights

154. The Government has published a separate ECHR memorandum with its assessment of the compatibility of the Bill’s provisions with the Convention rights; the memorandum is available on the Home Office website.

Annex: Examples of communications data

155. There are three primary types of communications data as defined in this Bill:

Subscriber Data – Subscriber data is information held or obtained by a provider in relation to persons to whom the service is provided by that provider. Those persons will include people who are subscribers to a communications service without necessarily using that service and persons who use a communications service without necessarily subscribing to it. Examples of subscriber information include:

  • ‘Subscriber checks’ (also known as ‘reverse look ups’) such as “who is the subscriber of phone number 012 345 6789?”, “who is the account holder of e-mail account xyz@xyz.anyisp.co.uk?” or “who is entitled to post to web space www.xyz.anyisp.co.uk?”;
  • Subscribers’ or account holders’ account information, including names and addresses for installation, and billing including payment method(s), details of payments;
  • information about the connection, disconnection and reconnection of services which the subscriber or account holder is allocated or has subscribed to (or may have subscribed to) including conference calling, call messaging, call waiting and call barring telecommunications services;
  • information about the provision to a subscriber or account holder of forwarding/redirection services;
  • information about apparatus used by, or made available to, the subscriber or account holder, including the manufacturer, model, serial numbers and apparatus codes;
  • information provided by a subscriber or account holder to a provider, such as demographic information or sign-up data (to the extent that information, such as a password, giving access to the content of any stored communications is not disclosed).

Use data – Use data is information about the use made by any person of a postal or telecommunications service. Examples of use data may include:

  • itemised telephone call records (numbers called);
  • itemised records of connections to internet services;
  • itemised timing and duration of service usage (calls and/or connections);
  • information about amounts of data downloaded and/or uploaded;
  • information about the use made of services which the user is allocated or has subscribed to (or may have subscribed to) including conference calling, call messaging, call waiting and call barring telecommunications services;
  • information about the use of forwarding/redirection services;
  • information about selection of preferential numbers or discount calls.

Traffic Data – Traffic data is data that is comprised in or attached to a communication for the purpose of transmitting the communication. Examples of traffic data may include:

  • information tracing the origin or destination of a communication that is in transmission;
  • information identifying the location of equipment when a communication is or has been made or received (such as the location of a mobile phone);
  • information identifying the sender and recipient (including copy recipients) of a communication from data comprised in or attached to the communication;
  • routing information identifying equipment through which a communication is or has been transmitted (for example, dynamic IP address allocation, file transfer logs and e-mail headers – to the extent that content of a communication, such as the subject line of an e-mail, is not disclosed);
  • anything, such as addresses or markings, written on the outside of a postal item (such as a letter, packet or parcel) that is in transmission;
  • online tracking of communications (including postal items and parcels).

