Beatrice Rogers, Senior Programme Manager, Intellect
Data retention is an issue where Government is forcing Industry to
become an arm of the state.
The ICT industry continues to uphold its role as a good corporate
citizen and supports legitimate law enforcement. However, Government is
requiring companies to hand over information for purposes it was not meant for,
placing Industry in a compromising position between compliance and abusing customer
trust; inhibiting Industry's productivity and its role within society as a
money generator. Industry is a private commercial entity and does not exist to
implement public policy.
The Home Office is taking forward data retention as part of the
"emergency powers" first set out in the Anti Terrorism Crime and
Security Act two years ago. In
developing its position, Intellect considered the following questions:
- What is the correct balance between national and
  public security, privacy, and measures taken to protect them?
- What are the roles, liability and responsibility of
  government and the private sector in securing this balance?
- Why does Industry exist? What is its purpose?
This act is part of a really worrying strain of policy development where
Industry is forced to be the implementer – risk, liability and costs are pushed
straight onto Industry by a Government which is looking for private industry to
do its policing for it. In the context of today’s environment, the
implementation of this act smacks of political opportunism, where Government
requires Industry to hold the greatest pools of data, on the greatest number of
people, for the widest possible usages; where data collected for national
security and terrorism prevention is used to track tax evasion.
Intellect always welcomes the opportunity to
participate in open consultation and to share Industry expertise with
Government. We commend the positive changes to the original proposals for RIPA
& ATCSA and value the increasing effort by the Home Office to be inclusive
of Industry in its approach. Therefore, it is disappointing that Government,
despite consulting with Industry, continues to ignore our fundamental concerns.
So for the remainder of my time I will be addressing the following subjects:
· Legal concerns
· Technology & Implementation
· Value of data
· Consequences
Firstly, Legal concerns: There is a lack of certainty that data
retention and access will always be compatible with Data Protection and Human
Rights legislation. The Home Office has not provided firm evidence that if
such incompatibility occurs, liability for breaches of the Data Protection Act
(DPA) and Human Rights Act (HRA) will not rest with Industry.
If Communication Service Providers (CSPs) are required to retain data for
national security on a voluntary basis this
opens them up to legal liability, with the possibility of customers suing. This
presents obvious legal risk. However, even more harmful would be the effect on
the relationship with our customer base. Brand and reputation would be damaged;
customers would no longer trust the company. The consequences would impact
consumer trust and confidence in new technologies.
The Home Office has made moves to verbally reassure Industry of its
indemnity in terms of the legal uncertainty around the Human Rights Act, Data
Protection Act, Regulation of Investigatory Powers and Anti Terrorism Crime and
Security Act. But what is the true value of this offer? There has been no firm
commitment for indemnity and Industry must ask the question “has the Secretary
of State got the power to offer indemnity?”. There is
no precedent that we are aware of. This commitment needs to be clear on paper.
Intellect believes that, in order for this legislation to be truly effective,
the Home Office needs to look at the root of the problem and create a
harmonious legislative regime, rather than offering Industry symptomatic
solutions – such as the verbal reassurance given to underwrite CSPs for any
civil litigation in terms of funding and costs. Although monetary loss would be
a primary concern, we hope that Government recognises that the damage to brand
and consumer trust and confidence arising from such litigation could be
irredeemable.
Secondly, Technical and Implementation issues – The
technical and implementation issues appear to have been sidelined, not fully understood
or taken into account. It is as though the Home Office has refused to look
at the issue as a whole.
Although companies that comply with the Code need not retain additional
communications data beyond what they already keep for business purposes, the
data must be retained often for longer periods of time, and in a manner that
allows for law enforcement access. If you wish to access data held under the
Anti Terrorism Crime and Security Act, it must be catalogued, searchable and
retrievable. This does not only have implications for software and integration,
but also for hardware & storage media. The technical challenge includes
maintenance of legacy systems, interrogating large amounts of data, ensuring
sufficient computing power, and future proofing. It is impossible to extrapolate
what Public Authority and law enforcement demand will be and businesses are
held in a state of uncertainty, unable to plan for costs. The difference in
technical requirements for a system dealing with 50 requests a month and 1000
requests a week is significant.
The Home Office has stated that “The government is prepared to
contribute to communication service providers’ reasonable costs” and the ATCSA
makes it the duty of the Secretary of State to ensure that an appropriate
contribution is made to CSPs in respect of costs incurred.
The systems needed will also create major
business process change projects. Costs will be incurred not only for the
storage and retention of data, retrieval systems etc, but also from the cost of
business process re-engineering, training, increased load on systems (including
security), policy development and so on.
It appears that Government has not taken into account practical
timescales needed to comply with the act or its impact on business. The
timescales have been set up solely for the process of legislation, not for the
rollout of systems and business implementation. The systems are unlikely to be
top of the agenda for many businesses and it can be assumed that without the
relevant business case, Boards will be reluctant to sign off the projects.
There is no direct return on investment for companies and the ICT
industry is not currently well endowed with capital for non-business critical projects.
To enforce compliance would negatively affect ongoing business concerns;
diverting resources from investment in business development, innovation and
improving customer service. Government is pushing the
Thirdly, Value of data – Likely expenditure to comply with the Code
of Practice is not justified by the end product of such retention.
Data is not a panacea to crime prevention and anti terrorism; indeed
business acknowledges that without management skills, communication and good
processes, data is almost useless.
Industry has not been persuaded of the value of the data towards its
intended purpose. There has been no business case presented, although the Home
Office has committed to demonstrate one. Industry believes that authorities are
not fully exploiting data already available. There has been no evidence of an
assessment or qualification for these specific lengths of time or types of
data. There is no evidence to show that the system of data retention will allow
agencies to retrieve and interrogate the data necessary for investigations in
an effective and timely manner.
Intellect recognises that the Home Office has moved forward from early
proposals and is now requesting that only information that is part of the
business plan is to be retained. However, definitions of data to be stored are
still not clear enough. The current information given is open to interpretation -
to the extent that every packet containing IP addresses could have to be
stored. There is also not enough clarity on why retention of such data is
necessary for law enforcement purposes. It appears a blanket approach has been
taken which is neither cost effective for Government or Industry nor
sympathetic to the privacy needs and concerns of citizens.
Finally, a look at the Consequences - Data retention requirements
outlined in the consultation paper threaten consumer confidence and the take up
of e-services, are technologically challenging and excessively expensive.
Privacy is a very sensitive subject within today’s societies and within
the British culture, specifically, is of great importance. The data retention
regime as set out in the Statutory Instruments raises
troubling privacy concerns for citizens – our customers. The vast amounts of
data required to be stored indiscriminately present risks to individuals'
privacy, by providing increased opportunities for misuse or improper disclosure
of sensitive information.
Consumers are increasingly concerned with what data is stored and for
what purposes. If their concerns are not addressed it could threaten consumer
confidence in electronic services. Indeed it could be projected that the
proposals within the consultation will impair the growth of the eMarket and
inhibit the take up of eGovernment.
Since 2001 the
There is a risk that applying the Code could lead to a distortion of
trade in the
Many Intellect members view applying a data retention regime on
This might also create a two-tier system where criminals and threats to
national security would use alternative service providers to try and avoid the
capture of data – e.g. using Internet Cafes and services held outside of UK
jurisdiction – pushing crime further out of the reach of investigation.
To sum up
· This legislation places undue burden, cost, and
  liability on industry – preventing competitiveness. This goes against
  reassurances made to industry in 2001 that the ATCSA would not place cost or
  technical burden on industry to the point of inhibiting competitiveness.
· No business case has been put forward by Government
  to Industry in terms of return on investment and value of data retention.
· There is a high risk of negative impact on customers,
  in terms of cost, increased citizens' privacy concerns and a drop in trust
  and confidence in electronic services.
Policy created without a true understanding of
regulatory impact has the potential to seriously damage the