How to keep on the right side of the law while obeying the
principles of data protection.
It would appear that the Government's war on terrorism is losing
its edge, at least in the telecommunications sector, writes
Alex Lundie.
The heralded code of practice for the retention of communications
data under the Anti-Terrorism, Crime and Security Act has yet to
appear, despite plans to produce a working draft by Easter. The
proposed code has been criticised as contrary to the principles of
privacy legislation and its delayed introduction may be down to the
difficulties of reconciling two conflicting areas of law.
On one hand, anti-terrorism legislation seeks to encourage the
retention of data to help track down terrorists, while on the
other, the Data Protection Act tells companies to destroy such data
as soon as possible to protect the individual's right to privacy.
A review of the legislation shows that communications companies
that decide to co-operate with the security forces could face the
prospect of civil and even criminal liability for breaches of the
Data Protection Act. Therefore it would seem prudent for those
involved in the communications sector, whether they are telcos,
ISPs or even postal services, to avoid collecting and retaining
this sort of data. Such a conclusion will, no doubt, be welcomed by
a communications industry anxious to avoid further increased costs
in already expensive regulatory compliance.
Which way to turn?
Communications data is generated by and used within communications
networks to route calls, e-mails or Web page requests, for example
telephone numbers and IP addresses.
A prime example when tracing terrorists is the tracking of mobile
phones within and across different cell sites to determine where
the phone was at a particular time.
Communications data details where calls or e-mails were made and
received and is distinct from interception, which deals with the
actual content of a message or what was said.
Interception and disclosure of communications data are both placed
on a legal footing in the Regulation of Investigatory Powers (RIP)
Act 2000. There are differences in procedure between interception
and access to communications data, and the Government's latest moves
under the anti-terrorism code of practice focus on increasing
its ability to access communications data.
Data that consists of information that identifies an individual,
such as a telephone or e-mail subscriber, is also personal data
protected by the Data Protection Act. Consequently, this requires
operators processing or storing such information to observe
specified principles.
The first requires operators to process the data fairly and
lawfully, meaning it must be obtained and processed with the
knowledge of the individual, unless such processing is necessary
for a legal obligation. The data must be obtained for specified
purposes and not be processed for any other uses or held for longer
than is necessary.
Finally, the Telecommunications Data Protection Directive requires
that the data be erased or made anonymous as soon as the
transmission is finished subject to limited exemptions, such as for
billing.
Immunity from liability
The powers for the security services to access
communications data were already available under
the RIP Act but there was a lack of data held by communications
providers. The Government wants to use the new code of practice to
increase the rate of data retention by granting immunity from civil
liability arising under the data protection regulation. This in
turn will provide the security services with a larger pool of data.
Unfortunately the provisions in the anti-terrorism code of practice
conflict with the data protection principles. Meanwhile, the first
data protection principle still requires that processing is lawful
unless there is a legal obligation.
According to the Anti-terrorism Act, failure to observe the code of
practice is not to render any person liable to any criminal or
civil proceedings but is admissible in evidence in certain legal
proceedings. If this does not amount to a legal obligation, then it
seems that operators may breach the data protection principles by
retaining communications data under the code of practice.
With the prospect of civil or possibly criminal liability for
breaches of the Data Protection Act, it would seem that the safer
and cheaper course would be not to observe the anti-terrorism code
of practice, as there is purported to be no liability.
But while the anti-terrorism code of practice seems to have failed
due to the absence of a binding legal obligation, there are
additional powers available to the Government to rectify this and
ensure that stored data is exempt from the data protection and
privacy regime.
It might only be a matter of time, therefore, before the security
services triumph over the right to privacy.
Alex Lundie is a solicitor at Tite & Lewis