MPs call for new data retention law

A cross-party parliamentary committee has urged the government to take controversial legislation - which gives police, law...

A cross-party parliamentary committee has urged the government to take controversial legislation - which gives police, law enforcement, trading standards and other government agencies the right to access details of e-mail, web and telephone communications - back to the drawing board.

The committee of nine privy counsellors supported the need for police and government to have the right to access to communications traffic data, which gives details of where e-mails have been sent, and the times and destinations of phone calls, rather than content, to fight crime and terrorism.

But they have effectively called on the government to scrap existing legal provisions introduced to combat terrorism under the Anti-Terrorism,Crime and Security Act, and replace them with mainstream civilian legislation under the supervision of the Information Commissioner.

The review highlights concerns that under the existing anti-terrorism law, once internet service providers (ISPs) retain communications data for anti-terrorism purposes, the data can be accessed by government agencies for a wide range of reasons that have nothing to do with terrorism - placing it in conflict with data protection and human rights legislation.

The recommendation will come as a blow to the Home Office, which has been struggling for more than two years to convince ISPs to sign up to a voluntary code of practice governing data retention.

The existing Act does "not provide a sound legislative basis for the retention of communications data because, no matter whether the retention requirements are implemented by a voluntary code or by a mandatory order, the legality of access to that data for purposes unrelated to national security remain contentious", the committee concluded.

It called for the government to replace the Anti-Terrorism Act with new, better thought-out legislation that would continue to give the government powers to require ISPs, phone companies or businesses providing internal communication services to their staff, to retain communications data for up to a year, in line with existing Home Office plans.

In a potentially controversial move, the committee has also called on the government to introduce legislation to give police additional powers to require phone companies and ISPs to order the preservation of communications data needed for specific investigations. This is system is favoured by law enforcement agencies in the Us, where there is no mandatory system of data retention.

The privy counsellors say in their report that they have seen no evidence that the cost of data retention will be excessive.

However, ISPs have consistently argued that the costs of retaining data and storing it in a form where it can be easily retrieved, combined with the costs of retrieving stored data for the police, will fall far short of the levels compensation that are being discussed by government.

One ISP, America Online, said it had spent £15.8m on systems to store and retrieve customer data for three months. The government is understood to be considering offering £20m over five years to the whole ISP industry to compensate for the cost of retaining and retrieving data.

Main recommendations

  • Government should make data retention part of mainstream legislation not anti-terrorist legislation
  • Communications data should be retained for defined purposes, such as prevention and detection of terrorism and serious crime
  • Data should be retained for a maximum of one year
  • Information Commissioner should oversee retention and access regime
  • A coherent legislative framework is needed to govern both access and retention of data

Read more on IT risk management