Home Office—written evidence (IPB0146)

 

INTRODUCTION

 

  1. This submission responds to each of the questions in the Committee’s call for evidence. It stands in addition to the oral evidence provided by officials from the Home Office and the Foreign and Commonwealth Office on 30 November 2015. Further detail on areas in which the Committee has signalled an interest is contained in the Annexes to this submission:

 

 

Are the powers sought in the Bill necessary? Has the case been made both for the new powers and for the restated and clarified existing powers? Are the powers sought legal? Are they compatible with the Human Rights Act and the European Convention on Human Rights? Is the requirement that they be exercised only when necessary and proportionate fully addressed? Are they sufficiently clear and accessible on the face of the Bill?

 

2.      The compatibility of the draft Bill with the UK’s domestic and international human rights obligations is addressed in detail in the Human Rights memorandum published alongside the draft Bill on 4 November. The draft Bill brings together, and makes clear, the powers available to the state to obtain communications and communications data. It puts beyond doubt when those powers may be exercised and ensures that they may only be used when it is necessary and proportionate to do so. We have only brought forward one new power from the Communications Data Bill 2012, internet connection records. We have not brought forward other proposals, for example, the retention of third party data. A strong, operational case was made for internet connection records, which we have published.

 

Is the legal framework such that CSPs (especially those based abroad) will be persuaded to comply?

 

3.      The Government is clear that companies providing communications services to people in the UK must comply with obligations in law to give effect to interception warrants and to provide communications data in response to lawful requests. The Data Retention and Investigatory Powers Act 2014 (DRIPA) clarified those obligations. The draft Bill maintains the position in respect of obligations on communications service providers.

 

4.      The draft Bill makes clear that a company only has to comply where it is reasonably practicable for it to do so and where doing so is not in conflict with the laws in the jurisdiction in which that company is based. The legislation provides a legal framework that will preserve the ability of the state to seek the assistance of communications service providers in order to uncover and disrupt threats from individuals who use their services and wish to do harm.

 

Are concerns around accessing journalists’, legally privileged and MPs’ communications suitably addressed?

 

5.      There are additional protections that must apply when acquiring the content of the communications of those holding a profession that attracts additional sensitivity. The safeguards that must apply to sensitive professions now are set out in the Interception of Communications Code of Practice currently before Parliament. It is right that sensitive professions continue to have protections.

 

6.      The draft Bill will ensure lawyers and doctors are able to do their jobs and protect the privacy of their clients and patients. But it is important that the ability of law enforcement and the security and intelligence agencies to investigate wrongdoers is not unduly fettered. The draft Bill – and the accompanying Codes of Practice – will build on provisions in current legislation to balance both.

 

Legal professional privilege

 

7.      The privilege attached to the contents of communications between lawyer and client is important and must be protected. However, in the course of investigations into serious criminals and terrorists, law enforcement and the security and intelligence agencies will sometimes need to intercept communications between suspects and their lawyers. It is important that the ability to undertake investigations is not unduly fettered.

 

8.      The additional safeguards that apply to legally privileged communications are set out in draft codes of practice. Codes of Practice published under the Investigatory Powers Bill will build on these safeguards. They include:

 

 

9.      The Interception of Communications Code of Practice made under RIPA (the substance of which will be replicated under the new legislation) states that a lawyer will only be targeted in exceptional and compelling circumstances. This is a substantial and appropriate safeguard.

 

Parliamentarians

 

10.  The draft Bill also requires the Prime Minister to be consulted before the Secretary of State can, with Judicial Commissioner approval, issue a warrant to acquire the content of an MP’s communications. This will cover all warrants for targeted interception (with the exclusion of warrants authorised by Scottish Ministers) and all equipment interference that is carried out by the security and intelligence agencies.  It will also include a requirement for the Prime Minister to be consulted before a targeted examination warrant can be issued to authorise the examination of a Parliamentarian’s communications collected under a bulk interception or EI warrant.  It will apply to MPs, members of the House of Lords, UK MEPs and members of the Scottish, Welsh and Northern Ireland Parliaments/Assemblies. 

 

11.  The requirement to consult the Prime Minister is included in the Interception of Communications and Equipment Interference Codes of Practice made under the Regulation of Investigatory Powers Act 2000 (RIPA) and reflects current practice. These Codes are currently before Parliament.

 

Communications Data

 

12.  Communications data does not attract the same privilege as the interception of communications. This position is as set out by the Interception of Communications Commissioner. However, the Government recognises that certain considerations apply in respect of journalists.

 

13.  Issues surrounding the infringement of the right to freedom of expression may arise where a request is made for the communications data of a journalist. There is a strong public interest in protecting a free press and freedom of expression in a democratic society, including the willingness of sources to provide information to journalists anonymously. Accordingly, the Government recognises that requests for communications data intended to identify journalistic sources should be subject to judicial approval. Currently, the Acquisition and Disclosure of Communications Data Code of Practice requires law enforcement agencies to seek judicial authorisation before obtaining communications data to identify or confirm a journalistic source. The draft Bill builds on this by requiring the police and other public authorities to obtain approval from a judicial commissioner before making such a request.

             

Are the powers sought workable and clearly defined? Are the technological definitions accurate and meaningful (e.g. content versus communications data, internet connection records, etc.)?

 

14.  The Bill includes clear, technologically neutral definitions. Codes of Practice published under the Bill will provide further detail about the application of powers in respect of particular technologies or services. Further information in respect of definitions is included at Annex A. Further information in respect of internet connection records and the request filter and how this works in practice is at Annex B.

 

Does the draft Bill adequately explain the types of activity that could be undertaken under these powers?

 

15.  The draft Bill puts beyond doubt the powers available to law enforcement and the security and intelligence agencies to obtain communications and communications data. While the language of the Bill is technologically neutral, Codes of Practice will provide further detail about the application of power in respect of particular technologies or services. The draft Bill provides strong safeguards to ensure the use of the powers in the Bill is within both the letter and the spirit of the law. These safeguards include:

 

 

Is the wording of the powers sustainable in the light of rapidly evolving technologies and user behaviour? Overall is the Bill future-proofed as it stands?

 

16.  The language of the draft Bill is technologically neutral in order to accommodate the rapid evolution of technology and user behaviour. Statutory Codes of Practice will make clear how the security and intelligence agencies and law enforcement exercise the powers under the Bill. Codes of Practice and secondary legislation will be kept up to date in order to reflect changes in technology and operational practices. 

 

Are the powers sought sufficiently supervised? Is the authorisation process appropriate? Will the oversight bodies be able to adequately scrutinise their operation? What ability will Parliament and the public have to raise concerns about the use of these powers?

 

17.  The privacy safeguards in the Bill are outlined in detail in the Privacy Impact Assessment, published alongside the draft Bill on 4 November.

 

18.  The draft Bill provides a new ‘double lock’ authorisation procedure under which the most intrusive powers will be subject to both Secretary of State and Judicial Commissioner approval. This model provides for both democratic accountability to Parliament and independent scrutiny.  Further information as to the authorisation process for the powers in the Bill is at Annex D. Information on what modifications can be made to warrants that have been approved by a Judicial Commissioner is at Annex E.

 

19.  The IPC will have wide-ranging powers, and sufficient resources, to audit, inspect and investigate any aspect of the use of investigatory powers that the Commissioner feels merits scrutiny. The Bill provides that the Commissioner must be given access to all information and documents needed to perform their functions. All those using investigatory powers must provide every assistance necessary to the Commissioner and his or her staff.

 

20.  Parliament will have considerable opportunity to oversee and debate the exercise of powers under the Bill. Parliament will approve secondary legislation made under the Bill, including statutory Codes of Practice that will contain further detail about the exercise of powers and their application to particular technologies. The draft Bill also requires that reports of the IPC must be laid before Parliament on an annual basis.

 

21.  In respect of the public, the draft Bill creates a new domestic right of appeal from the Investigatory Powers Tribunal (IPT) which strengthens the regime in which an individual who believes themselves to be unlawfully surveilled may bring a case before the Investigatory Powers Tribunal. The Investigatory Powers Commissioner will also have a duty to inform members of the public who have been subjected to a serious error about the fact and their right to apply to the Investigatory Powers Tribunal for a remedy. The Commissioner will also play a wider role in assuring the public that the powers under the draft Bill are exercised appropriately.

 

To what extent is it necessary for (a) the security and intelligence agencies and (b) law enforcement to have access to the investigatory powers such as those contained in the Draft Investigatory Powers Bill?

 

22.  The detailed documentation provided alongside the draft Bill makes clear the necessity of the powers in the draft Bill. This reflects and builds on the findings of three independent reviews into investigatory powers. A separate operational case for the retention of internet connection records was also published on 4 November.

 

Are there any additional investigatory powers that SIA and law enforcement should have that are not in the Bill?

 

23.  The draft Bill responds to the recommendations of the three independent reviews of investigatory powers. As well as bringing together existing powers, the draft Bill responds to the detailed operational case that has been made for the retention of internet connection records. All of the other powers in the draft Bill are already provided for under current legislation. Their value and operational utility have been explored in detail by the three independent reviews to which the draft Bill responds, detail of which is contained at Annex F.

 

Are the new offences proposed in the draft Bill necessary? Are the suggested punishments appropriate?

 

24.  In response to three independent reviews, the Bill incorporates relevant offences in existing legislation. This includes the offence of unlawful interception, currently provided for under the Regulation of Investigatory Powers Act 2000. This is an important safeguard.

 

25.  The Bill provides for a new offence, knowingly or recklessly obtaining communications data without lawful authority. This follows a recommendation made by the Joint Committee that scrutinised the draft Communications Data Bill. As the unlawful obtaining and disclosing of communications data in such circumstances is a serious breach of a person’s rights it is appropriate that doing so is an offence.

 

Interception

 

Are there sufficient operational justifications for undertaking (a) targeted and (b) bulk interception?

 

26.  The ability to undertake targeted and bulk interception is not a new power. Targeted and bulk interception powers are currently available to nine intercepting agencies under Chapter 1 of Part 1 of RIPA 2000. Interception is a valuable intelligence gathering capability, which is vital to the work of law enforcement and the security and intelligence agencies. Its value and use was endorsed by the three independent reviews in this area.

 

27.  With respect to bulk interception, the Intelligence and Security Committee said: “It is essential that the Agencies can ‘discover’ unknown threats. This is not just about identifying individuals who are responsible for threats, it is about finding those threats in the first place. Targeted techniques only work on ‘known’ threats: bulk techniques (which themselves require a degree of filtering and targeting) are essential if the Agencies are to discover those threats”.

 

Are the proposed safeguards sufficient for the secure retention of material obtained from interception?

28.  The draft Interception of Communications Code of Practice, which is currently before Parliament, sets out the clear safeguards that surround the access to and retention and destruction of material obtained by interception. The Interception of Communications Commissioner oversees the retention of material obtained from interception and may make recommendations to the intercepting agencies as to the adequacy of these arrangements. As the Interception of Communications Commissioner set out in his report of March 2015, ‘A typical inspection of an intercepting agency will include the following… an investigation of the procedures in place for the retention, storage and destruction of intercepted material and related communications data’.

 

29.  Under the draft Bill, the IPC will have the function of keeping under review (including through audit, inspection and investigation) the retention of intercepted material. The draft Bill places a duty on the Secretary of State to ensure adequate safeguards are in place before authorising a warrant.

 

How well does the current process under Mutual Legal Assistance Treaties (MLATs) work for the acquisition of communications data? What will be the effect of the extraterritorial application of the provisions on communications data in the draft Investigatory Powers Bill?

 

30.  Law Enforcement Agencies in the UK can generally request communications data from major overseas CSPs directly. The UK regulatory regime includes a “Single Point of Contact” model which provides consistency and expertise in terms of requests to the companies from different UK authorities. However, this is not always the case for other CSPs who will only provide communications data via the MLA route. 

 

31.  There is separate work underway to improve the quality of requests and to streamline processes under the existing UK/US Mutual Legal Assistance Treaty. But the Government does not consider that the use of MLAT will ever provide a complete, viable alternative to cooperation via direct approaches under UK legislation. This is largely because mutual legal assistance mechanisms are primarily used for the purpose of obtaining evidence. They are unsuited to intelligence gathering where operational timescales are paramount. As David Anderson said in his report: “There is little dispute that the MLAT route is currently ineffective.  Principally this is because it is too slow to meet the needs of an investigation, particularly in relation to a dynamic conspiracy.  For example a request to the United States might typically take nine months to produce what is sought.  The MLAT route also does not address intelligence needs.”

 

32.  David Anderson recommended that extraterritorial application should continue to be asserted in relation to UK warrants and authorisations.

 

33.  The effect of the extraterritorial application of the provisions in the Bill therefore, is to maintain the continued access of law enforcement and the security and intelligence agencies to communications data, provided for in existing legislation and clarified in DRIPA.

 

Communications Data

 

Are the definitions of content and communications data (including the distinction between ‘entities’ and ‘events’) sufficiently clear and practical for the purposes of accessing such data?

 

34.  The draft Bill needs to apply across a range of technologies in a highly complex and fast moving area. It needs to apply equally to the technologies of the future as it does today. Accordingly the language of the legislation has to be technology neutral in order to achieve this aim.

 

35.  The definitions in the draft Bill are intended to strike the appropriate balance between clarity, practicality and technological neutrality; the scope of the definitions is subject to clear and appropriate limits. The definitions are subject to on-going consultation with communication service providers and other stakeholders. The definitions of communications data consolidate the existing three categories of communications data under RIPA into two. In a response to the recommendation from David Anderson, the draft Bill introduces a new definition of ‘content’ and makes clear the strict safeguards that apply to this most sensitive type of data (Further detail as to how the draft Bill responds to the recommendations of the three independent reviews is at Annex F). Codes of Practice issued under the Bill will complement the explanatory documents that have been published by the Home Office providing examples of how the definitions operate in practice. Further information on definitions is provided at Annex D.

 

Does the draft Bill allow the appropriate organisations, and people within those organisations, access to communications data?

 

36.  The Government considers this to be the case. Communications data has always been essential to a wide range of public authorities. For example, it helps the Financial Conduct Authority to investigate insider trading and the Maritime and Coastguard Agency locate people lost at sea.

 

37.  This is the first time all these authorities have been included on the face of primary legislation. Under RIPA they are set out in secondary legislation.

 

38.  David Anderson said that “Public authorities with relevant criminal enforcement powers should in principle be able to acquire communications data. It should not be assumed that the public interest is served by reducing the number of bodies with such powers, unless there are bodies which have no use for them.”

 

39.  In response to that conclusion, all these authorities were required to make the case that they need powers. Those cases were carefully considered, including the seniority of authorising officers, and the draft Bill makes some changes to the bodies that have access to communications data.

 

40.  In total, forty-seven categories of public authority, making up between 500 and 600 public authorities, of which over 400 are local authorities, can acquire communications data. Powers have been removed from the Prudential Regulation Authority because their case was not considered to be sufficiently strong. The Scottish ambulance services considered that they no longer required powers, so the draft Bill removes them. The Ministry of Defence has been added to the list of authorities: this rectifies a long-running inconsistency that the Ministry of Defence has been able to intercept communications but not acquire communications data.

 

41.  The Food Standards Agency has also been added to the list of public authorities; this reflects the fact that, following the horsemeat scandal, the Government set up a food crime unit to tackle such crimes in the future. When investigating food crimes it is crucial to be able to demonstrate links between the various parts of the supply chains; communications data is essential for this.

 

42.  Detail of the safeguard provided by the request filter, which, when used, will limit the flow of communications data to public authorities from a service provider to that which is strictly necessary, is at Annex B. The request filter will be established and maintained by the Secretary of State, effectively in the Home Office (although there is provision to transfer its functions to another public authority), sitting between a CSP and public authorities. 

 

 

Are there sufficient operational justifications for accessing communications data in bulk?

 

43.  Where a security and intelligence agency has only a fragment of intelligence about a threat or an individual, communications data obtained in bulk may be the only way of identifying a subject of interest.

 

44.  Access to large volumes of data is essential to enable the identification of communications data that relates to subjects of interest and to subsequently piece together the links between them. Carefully directed searches of large volumes of data also allow the agencies to identify patterns of activity that significantly narrow down the areas for investigation and allow them to prioritise intelligence leads.

 

45.  Identifying the links between individuals or groups can also help the agencies to direct where they might request a warrant for more intrusive acquisition of data, such as interception. It allows agencies to search for traces of activity by previously unknown subjects of interest who surface in the course of an investigation in order to identify them. Access to domestic bulk communications data has enabled MI5 to thwart a number of attacks here in the UK. In 2010, when a group of terrorists were plotting attacks in the UK, including on the London Stock Exchange, the use of bulk communications data played a key role in MI5’s investigation. It allowed investigators to uncover the terrorist network and to understand their plans. This led to the disruption of their activities and successful convictions against all of the group’s members.

 

46.  David Anderson said in his report: “Together with other information, bulk data allows a more complete intelligence picture to be drawn. Without it, it may not be possible to discover new threats and follow a lead to a point of closely targeted intervention”.

 

Is the authorisation process for accessing communications data appropriate?

 

47.  Authorisations will have to set out why accessing the communications data in question is necessary in a specific investigation for a particular statutory purpose, and how it is proportionate to what is sought to be achieved. The authorisation process for communications data can be found at Annex D.

 

Targeted acquisition of communications data

 

48.  Communications data can only be accessed when it is necessary and proportionate to do so. All authorisations need to seek the advice of the Single Point of Contact (SPoC). The SPoC’s role is to ensure effective co-operation between law enforcement and the security and intelligence agencies and communications service providers and to facilitate lawful acquisition of communications data. They also play a quality control role, ensuring that applications meet the required standards.

 

49.  Once it has gone through the SPoC, the authorisation will be signed off by a Designated Person at a rank approved by Parliament, who is independent of the investigation for which the communications data is needed. The requirement for an independent designated person may be waived in exceptional circumstances - e.g. where in specific cases the requirement for operational independence would undermine national security.

 

50.  The Bill will provide a power that can be used to ensure that public authorities which  access communications data infrequently (for example the Food Standards Agency or Gambling Commission) may be required to go through a shared SPoC (for example, by making use of the SPoC function within the National Anti-Fraud Network, as recommended by David Anderson). All local authorities must go through NAFN when making their requests. This will help to ensure that all applications are consistent and of sufficient quality.

 

51.  The Joint Committee that scrutinised the draft Communications Data Bill in 2012 upheld the current SPoC process for authorisation of communications data.

 

52.  Independent oversight of CD powers will be provided by the IPC. As with its predecessor, the Interception of Communications Commissioner’s Office, the Commission will audit public authorities’ compliance with CD acquisition powers and produce reports that will be made publicly available on an annual basis.

 

53.  We will provide in the Code of Practice that public authorities must seek the advice of a judicial commissioner in relation to requests for communications data that would be novel or contentious.

 

Acquisition of bulk communications data

 

54.  Bulk acquisition warrants for communications data will be issued by the Secretary of State. The Secretary of State will not be able to issue such a warrant without the decision to do so being approved by a Judicial Commissioner. This will provide a new “double-lock” authorisation procedure.

 

55.  A bulk acquisition warrant will need to set out specified “Operational Purposes” for which any of the data that has been collected can be examined, i.e. looked at.  Those specific purposes will be approved by a Secretary of State and a Judicial Commissioner and might include, for example: “attack planning by Daesh (ISIL) in Syria against the UK”. No data may be examined except for those purposes.

 

56.  Only the security and intelligence agencies will be able to apply for a bulk CD acquisition warrant and only in relation to three statutory purposes: in the interests of national security, for the prevention and detection of serious crime and in the interest of the economic well-being of the UK, where there is also a direct link to national security.  National security must always be one of the statutory purposes for which a bulk interception warrant is authorised.

 

57.  Bulk acquisition warrants must be served on a communications service provider. The power cannot be used to acquire communications data from a telecommunication system. A maintenance of technical capability notice may be issued alongside a bulk CD acquisition warrant. This would allow a communications service provider to seek a review of the technical aspects of a warrant without being able to appeal the warrant itself. Existing handling arrangements will be incorporated into a new code of practice.

 

Data retention

 

Do the proposed authorisation regime and safeguards for bulk data retention meet the requirements set out in the CJEU Digital Rights Ireland and the Court of Appeal Davis judgments?

 

58.  The Court of Appeal has recently decided to refer questions about the interpretation of the Digital Rights Ireland judgment to the European Court of Justice. The existing regime, which contains enhanced safeguards in response to that Judgment, was approved by Parliament in 2014 and is replicated in the draft Bill. 

 

Is accessing Internet Connection Records essential for the purposes of IP Resolution and identifying persons of interest? Are there alternative mechanisms? Are the proposed safeguards on accessing Internet Connection Records data appropriate?

 

59.  David Anderson QC considered the issue of internet connection record retention and made clear in his report that a strong operational case needed to be made to include these provisions in the Bill. That operational case has now been made and is published on gov.uk. It made clear the utility of ICRs for resolving IP addresses and identifying persons of interest.

 

60.  Different countries have different regimes and laws. That other countries do not require the retention of ICRs does not mean those powers are not required. Where those countries have not enabled the retention of and access to this data their law enforcement agencies simply cannot investigate some types of crime, or they may have to use alternative means to get the evidence which may be even more intrusive. Through accessing ICRs, law enforcement agencies may be able to discount any of those more intrusive options as disproportionate.

 

61.  In outlining the purposes for which law enforcement said they needed access to weblogs, David Anderson said: “I have no doubt that retained records of user interaction with the internet (whether or not via web logs) would be useful for each of those purposes”. There is a strong operational case behind all three purposes for which internet connection records can be obtained.

 

62.  The Government believes the proposed safeguards are appropriate: the acquisition of ICRs is subject to the same rigorous safeguards as any other CD request. This data can only be accessed for limited and specified purposes. Local authorities are prohibited from accessing ICRs for any purpose. Law enforcement and the agencies can only access CD where it is necessary and proportionate to do so in relation to a specific investigation. Further detail on how ICRs will work in practice is at Annex B.

 

Are the requirements placed on service providers necessary and feasible?

 

63.  The only new power in the Bill – the requirement for communications service providers to retain internet connection records when given a notice by the Secretary of State – has been the subject of extensive and on-going consultation with industry. In light of these discussions, the Government is clear that all of the requirements placed on service providers are necessary and feasible.

 

64.  The draft Bill includes clear provisions for communications service providers to appeal, should a company consider that the obligation placed on them would not be technically feasible or would incur unreasonable costs. In those cases a service provider can seek a review of the obligation being imposed by the Secretary of State. In considering the review, the Secretary of State must take account of the views of the Technical Advisory Board – which comprises experts from industry and Government – and the IPC. Both of those bodies must seek evidence from the company concerned before putting advice to the Secretary of State. Further information about the composition and role of the Technical Advisory Board is at Annex C.

 

Equipment Interference

 

Should the SIA have access to powers to (a) undertake targeted and (b) bulk equipment interference? Should law enforcement also have access to such powers?

 

65.  The draft Bill does not provide for new powers for the security and intelligence agencies or law enforcement in respect of equipment interference (EI). Existing legislation provides the security and intelligence agencies with the power to authorise and conduct EI, under Section 5 of the Intelligence Services Act 1994. Historically, the security and intelligence agencies have largely been able to find and follow their targets through the use of interception. This capability remains critical, but technological advances and the spread of ubiquitous encryption – wrapping information in an impenetrable blanket from sender to receiver – are resulting in an increasing number of circumstances where interception is simply not possible or effective.

 

66.  Where the targets’ devices are known, the agencies will carry out EI against those specific pieces of equipment.  This approach constitutes the vast majority of EI operations and falls within the targeted regime.  With the information available from interception in particular continuing to decline, there are likely to be instances in the future where it is not possible to describe the devices of interest with the necessary high degree of specificity.  In such instances,  the only way in which these devices can be found and identified is through what is known as 'target discovery'  – i.e. using EI to acquire data from a less strictly defined set of devices, and then filtering the results of this initial EI activity. 

 

67.  For example, the security and intelligence agencies may know of a terrorist group planning an attack against the West in a given overseas region, but there may be no additional information available which sufficiently identifies the specific devices used by the terrorist group. The security and intelligence agencies may therefore aim to interfere with all devices within a limited geographical area within which the terrorist groups are known to be operating.  This type of EI operation would fall within the provisions providing for the issue of bulk EI warrants, as the category of devices authorised by the warrant to be interfered with is less focussed, and is almost certain to include devices that will not be of intelligence interest. Under the Bill, this sort of ‘bulk’ EI operation would be for the purpose of obtaining overseas-related communications, private information or equipment data, and would be used to identify the most serious threats in circumstances where no other methods of detection are available.

 

68.  Currently, equipment interference is authorised by law enforcement agencies under section 93 of the Police Act 1997, which provides for interference with property and is used regularly in a wide range of serious crime investigations. The draft Bill requires that law enforcement in future seek equipment interference warrants to provide for such activity where it is intended to obtain communications or other private data. This will mean that all future use of these techniques must be approved by a Judicial Commissioner. Under the draft Bill, law enforcement may only conduct activity on a targeted basis. Equipment interference is not a single technique, but a wide range of different techniques. Some of these are very advanced, requiring highly specialist skills and equipment for very complex operations. Other techniques are relatively simple but nevertheless yield vital intelligence and evidence.

 

69.  It is right that mainstream policing, who are at the forefront of serious crime investigations, have the less intrusive equipment interference techniques available to support their investigations. But it is also important that the use of more specialised techniques is restricted to specialist teams – as is the case across policing now – with the most sensitive capabilities delivered by the National Crime Agency on behalf of wider policing. Law enforcement use of existing property interference powers is addressed in the Covert Surveillance and Property Interference Code of Practice published under RIPA. The draft Bill will require that a statutory Code of Practice for equipment interference is published and this will set out the restrictions on the use of equipment interference by police forces.

 

Are the authorisation processes for such equipment interference activities appropriate?

 

70.  Warrants for law enforcement use of equipment interference will be issued by a law enforcement chief and approved by an independent Judicial Commissioner. An authorisation can be applied for only for the prevention and detection of serious crime. Warrants for the use of equipment interference by the armed forces will be issued by a Secretary of State and approved by an independent Judicial Commissioner. A warrant can be applied for in the interests of national security. Warrants for the use of equipment interference by the security and intelligence agencies will be issued by a Secretary of State and approved by an independent Judicial Commissioner. A warrant can be applied for in the interests of national security, preventing and detecting serious crime, and in the interests of economic well-being (where they are also relevant to the interests of national security).

 

71.  Further detail on the equipment interference authorisation process is at Annex D.

 

Are the safeguards for such activities sufficient?

 

72.  The Investigatory Powers Bill provides for a new, warranted model of authorisation for equipment interference with Codes of Practice providing detailed requirements for the acquisition, retention, destruction, storage and access to material obtained by equipment interference, overseen by the IPC.

 

Targeted Equipment Interference

 

73.  Law enforcement will be limited to equipment interference for the prevention and detection of serious crime, and the Code of Practice will make clear that the use of the more specialised techniques is restricted to specialist teams – as is the case across policing now – with the most specialist capabilities delivered by the National Crime Agency on behalf of wider policing. A Chief Constable or equivalent must issue a warrant for equipment interference, and a judicial commissioner must approve a warrant before it can come into force. This is a new safeguard.

 

74.  A warrant for the security and intelligence agencies to conduct equipment interference must be issued by the Secretary of State and approved by a judicial commissioner. This is a new safeguard. Warrants may only be issued by a Secretary of State where he or she is personally satisfied that the activity would be both necessary and proportionate.  A warrant can be applied for in the interests of national security, preventing and detecting serious crime, and in the interests of economic well-being in the UK (where they are also relevant to the interests of national security). Equipment interference warrants will last for six months. Urgent equipment interference warrants will last for a maximum of five days unless renewed and approved by a Judicial Commissioner. The Bill will limit the use of EI to the same statutory purposes as interception.

 

75.  A statutory Code of Practice will set out the handling, retention, destruction and audit arrangements for the data obtained by targeted equipment interference that applies to law enforcement, armed forces and security and intelligence agencies.

 

Bulk Equipment Interference

 

76.  Warrants for bulk equipment interference may only be issued by a Secretary of State where he or she is personally satisfied that the activity would be both necessary and proportionate.  A Judicial Commissioner must approve the warrant before it comes into force. This is a new safeguard. Warrants for bulk equipment interference will last up to 6 months. The Secretary of State can renew the warrant if it continues to be necessary and proportionate and the Judicial Commissioner approves. Bulk equipment interference will be limited to use on overseas devices, and would be used to identify the most serious threats in circumstances where no other methods of detection are available. The bulk equipment interference regime also imposes additional access controls before any material collected can be selected for examination. These controls include the need to establish that any examination of the data acquired by the operation is only carried out for one of the specified operational purposes approved by the Secretary of State and Judicial Commissioner and that the examination is necessary and proportionate. Further, an additional warrant is required if an analyst wants to search for the content of communications of a person known to be within the British Islands.

 

77.  A statutory Code of Practice will set out the handling, retention, destruction and audit arrangements for the data obtained by bulk equipment interference.

 

78.  The intelligence agencies and law enforcement’s use of equipment interference does not provide ‘backdoors’ for criminals to exploit. The Government is committed to internet security and makes considerable effort in helping to make all of us safer online. To leave targets open to exploitation by others would increase the risk that their privacy would be unnecessarily intruded upon.

 

79.  The safeguards that apply to equipment interference are equivalent to those for interception – the highest threshold provided for in acquisition of communications.

 

Bulk Personal Datasets

 

Is the use of bulk personal datasets by the security and intelligence agencies appropriate? Are the safeguards sufficient for the retention and access of potentially highly sensitive data?

 

80.  The task of defending the UK’s interests and protecting its citizens in a digital age is becoming increasingly complicated and challenging. The use of bulk personal datasets (BPDs) by the intelligence agencies is a critical part of their response to that challenge. The Intelligence and Security Committee said in its Privacy and Security report that BPDs are an “increasingly important investigative tool for the Agencies” and that “the Committee has examined the lists of Bulk Personal Datasets that the Agencies can access: we consider that they are relevant to national security investigations”. The Government provided a summary of the use of BPDs in the associated factsheet and impact assessment published on 4 November.  

 

81.  The Intelligence Services Commissioner currently provides independent, external oversight on a statutory basis of the acquisition, use, retention, disclosure, storage and deletion of BPDs. The Commissioner has full access to the security and intelligence agencies’ holdings. In his 2014 report, the Commissioner emphasised that “the case for holding BPD has been established in each service” and that “the agencies all have strict procedures in place in relation to handling, retention and deletion.” The IP Bill continues, and strengthens, this form of oversight: it places a specific statutory duty on the Investigatory Powers Commissioner to keep under review the acquisition, retention, use or disclosure of BPDs.

 

82.  The use of BPDs is not new, and the IP Bill does not provide new powers for acquiring BPDs. Rather, it provides robust and transparent safeguards around BPDs, including a requirement for warrants to authorise the obtaining, retention and examination of BPDs. These safeguards are comparable to those provided for in relation to other powers under the Bill. They include introducing a “double-lock” so that the issue of security and intelligence agencies’ warrants will in future be subject to approval by both a Secretary of State and a Judicial Commissioner. The Secretary of State can only issue warrants related to BPDs if he or she considers that it is necessary and proportionate to do so, and the Judicial Commissioner must approve that decision. The Government considers these new and stronger safeguards to be appropriate.

 

83.  The acquisition and use of BPDs is – and will continue to be – tightly controlled, and strict handling arrangements, processes and safeguards regulate all forms of access to the datasets.  The intelligence agencies must ensure that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

 

84.  The Intelligence Services Commissioner’s oversight of BPDs includes the misuse of data and how this is prevented. In his last annual report, he said “I review the possible misuse of BPD and how this is prevented”. He reported that “the agencies take any deliberate misuse of the system seriously and sanctions include dismissal, revocation of security clearance and possible criminal prosecution” and noted that “Unacceptable uses are… few in number.”

 

Oversight

 

What are the advantages and disadvantages of the proposed creation of a single Judicial Commissioner to oversee the use of investigatory powers?

 

85.  The Government set out the benefits of the proposed change from the current tripartite oversight model, in the oversight impact assessment published on 4 November.  This approach, which reflects David Anderson’s recommendations in particular, will simplify the current system and should increase public and Parliamentary understanding of oversight. The draft Bill seeks to ensure that public and Parliamentary trust and confidence in the rigour of Commissioner oversight is strong. The current oversight framework is strong and holds the users of investigatory powers to account, but it is fragmented. Having one senior independent judicial figure, the IPC, who is ultimately responsible will help ensure consistent standards between the users of investigatory powers and allow best practice to be shared. It will also enable the one oversight body to have visibility of how intrusive powers are being used across a single operation or investigation (regardless of whether it was law enforcement agencies or intelligence agencies that were using the power).

 

Would the proposed Judicial Commissioner have sufficient powers, resources and independence to perform its role satisfactorily?

 

86.  The IPC will have the ability to scrutinise any use of investigatory powers by a public authority. As has been made clear in the oral evidence given to the Committee by the current Commissioners, the Judicial Commissioner will be a senior Judge, used to independent decision making. The Bill provides that the Secretary of State must equip the Judicial Commissioners with such staff, accommodation, equipment and facilities as the Secretary of State considers necessary for the carrying out of the Commissioner’s functions. The Secretary of State must consult the IPC on this. The oversight impact assessment contained an estimate of the financial resource that will be available to the Commissioner. This is an increase compared to the present financial resource available. The Commissioner will have access to legal, technical and communications support in addition to a budget to purchase whatever other advice and expertise that they feel is necessary.

 

Are the appointment and accountability arrangements for Judicial Commissioners appropriate?

 

87.  The Prime Minister will be responsible for appointing the Investigatory Powers Commissioner. The Prime Minister will do so after consultation with the Lord Chief Justice and the Scottish Government and Northern Ireland Executive. The Prime Minister will also appoint Judicial Commissioners but will only do so after consultation with the Investigatory Powers Commissioner.

 

Are the new arrangements for the Investigatory Powers Tribunal including the possibility of appeal adequate or are further changes necessary?

 

88.  The Tribunal will be strengthened through the introduction of a new domestic route of appeal. The Government does not consider that further changes to the constitution, role or function of the Tribunal are necessary.

 

 

Annex A: Terminology and Definitions

 

Background

 

  1.                The Investigatory Powers Bill is drafted in such a way that the definitions set out at Part 9, Chapter 2 are technology-neutral and flexible in order that, should user behaviour and technology change, they will still apply. Detailed Codes of Practice for the powers in the draft Bill will provide further information as to how public authorities can exercise powers. It is the Government’s intention to publish draft Codes of Practice when the draft Bill is introduced.

 

  1.                It is generally agreed that different types of data may give rise to different levels of intrusion. In particular, the inherent differences between communications data and content justify differences in the legal framework governing the acquisition and examination of these data. In his report, David Anderson QC recommended that the definitions of content and of communications data, and any subdivisions, should be reviewed. In response to this recommendation, the Investigatory Powers Bill creates clearer, technologically neutral categories of data.

 

  1.                The Regulation of Investigatory Powers Act 2000 (RIPA) defined data relating to communications and telecommunication systems and services, e.g. communications data that was available to a communications service provider or that was intercepted during the course of transmission by means of a telecommunication system. Under RIPA, communications data was divided into three sub categories: traffic data, service use information and subscriber information. Any data falling outside of these definitions was described as content.

 

  1.                The draft Investigatory Powers Bill differs from RIPA in that it brings together powers and obligations in several other laws, including the Data Retention and Investigatory Powers Act 2014 and the Telecommunications Act 1984. It also provides for the acquisition of data via equipment interference (EI) warrants, as well as interception warrants and communications data authorisations. The definitions must therefore cater for stored and static data held on devices that has never been communicated, as well as data that has been communicated.

 

  1.                Technology has developed at a radical pace since RIPA was drafted. The variety and type of data has changed and will change more in the future. In order to make this legislation last, the definitions in the draft Bill must be technology neutral and must cover all possible data types. This note provides further information on the key terms in the draft Bill.

 

Communications data

 

  1.                Communications data does not include the content of a communication.

 

  1.                This data can be held by a CSP or can be available from a communications network. The data can identify a person or device on the network, ensure that a communication reaches its intended destination, describe how the communications can move across the network, or even how a person has been using a service available over that network. It also includes data held by CSPs about the architecture of a telecommunications system which is not about a specific person.

 

  1.                Communications data is divided into entity data and events data:

 

 

 

  1.                The definitions of entity data and events data are relevant in the context of the authorisation regime for obtaining communications data in Part 3 of the draft Bill. 

 

Related Communications Data and Equipment Data

 

  1.            Related communications data and equipment data are non-content data obtained under interception warrants and equipment interference warrants respectively. These data are wider than the categories of data that can be obtained by means of a communications data authorisation (i.e. they include but are not limited to communications data).

 

  1.            Distinguishing these data from content means that appropriate safeguards and handling safeguards can be consistently applied: for example, the Secretary of State may specify that a bulk interception warrant should authorise the obtaining of related communications data only, and that any content acquired under that warrant should not be made available for subsequent examination.

 

  1.            The definitions of related communications data and equipment data in the draft Bill are materially the same.  This ensures that data are classified in the same way regardless of whether they are held on a device or are obtained in transmission.  The data equivalence principle provides for consistency between the static/stored data available on a device and data obtained from communications in the course of transmission. 

 

  1.            Both related communications data and equipment data can include communications data and any systems data which enables or otherwise facilitates the functioning of any system or service provided by the system. Systems data is not content.  It is also possible for certain structured data types to be extracted from the content of a communication or an item of private information under a warrant. All related communications data and equipment data so obtained will be subject to the handling safeguards set out in the draft Bill.

 

  1.            These definitions are a balance between meeting the operational requirements of the intelligence agencies to protect the public from terrorists and serious criminals, while protecting the most private information with stringent safeguards.  The definitions are also sufficiently robust and technology neutral to cater for new technologies that come online as the internet adapts and changes.

 

Content

 

  1.            The draft Bill provides extra safeguards for the content of a communication or other item of private information. In the draft Bill, the content of a communication or item of private information is defined as any data which reveals anything of what might reasonably be expected to be the meaning of the communication. It disregards any meaning arising from the fact of the communication or any data relating to the transmission of the communication.

 

Equipment

 

  1.            Clause 105 sets out that ‘equipment’, as referred to throughout Part 5 and Part 6 chapter 3, means equipment producing electromagnetic, acoustic or other emissions or any device capable of being used in connection with such equipment.

 

  1.            In practice this will typically include traditional computers or computer-like devices such as tablets, smart phones, cables, wires and storage devices which are capable of storing or providing meaningful, useful information.

 

  1.            The definition of equipment does not permit interference with a wider range of devices or data than could currently be authorised under the property interference powers in the Police Act 1997 or the Intelligence Services Act 1994. However, the draft Bill requires that where the intention is to obtain communications or other private information by interference with equipment where there is a link to the UK, the authorisation regime in the draft Bill (and the enhanced safeguards that apply to it) should be used.

 

Telecommunications operator

 

  1.            Clause 193 sets out a number of different definitions which apply in respect of the different powers contained in the draft Bill. “Telecommunications operator” means a person who offers or provides a telecommunications service to persons in the UK, or controls or provides a telecommunications system which is in the UK, or controlled from the UK. This builds on and brings clarity to the various relevant definitions in the Regulation of Investigatory Powers Act 2000, the Data Retention and Investigatory Powers Act 2014 and the Telecommunications Act 1984. The obligations in relation to targeted and bulk communications data acquisition and communications data retention apply to telecommunications operators. Similarly, the obligation to take steps to give effect to a targeted or bulk interception or equipment interference warrant applies to a telecommunications operator. The draft Bill includes further key terms:

 

 

 

 

 

 

Content and communications data

 

  1.            The table below provides examples as to what, in relation to a range of existing communications technologies, would fall within the definition of ‘content’ and ‘communications data’ in the context of Parts 3 and 4 of the draft Bill. In order to ensure the draft Bill can stand the test of time, it would not be appropriate to include this level of detail on the face of the legislation.

 


Postal

Communications data:

  • Name of a customer of a postal product
  • Address of a customer of a postal product
  • Phone number of a customer of a postal product
  • Email address linked to a customer’s account of a postal product
  • Any redirections in place on a customer’s account
  • Account details used to pay for the service
  • The address on a letter or parcel in the postal system
  • Any replacement address put on a letter or parcel to facilitate re-direction
  • Billing data for sending mail (e.g. corporate account)

Content:

  • The content of a letter or parcel

NB for a postcard the content would be the message on the postcard and picture on the front. The address and other information added to facilitate delivery of the package would be communications data.

Mobile Telephony including SMS, MMS, EMS

Communications data:

  • Cell mast name
  • Cell mast locations
  • Cell mast sector
  • Network maps
  • 2G/3G/4G coverage maps
  • Name/address of a customer
  • Email address linked to a customer’s account
  • Device identifiers linked to a customer’s account – e.g. IMSI, IMEI, MAC address
  • Account details used to pay for the service
  • Dialled phone number
  • Phone number of a customer
  • Dialling phone number
  • Time/date/location a phone call was made
  • Device identifiers linked to a communication
  • Billing data
  • A handshake between a phone and a cell mast so the network knows where to route a call

Content:

  • The audio of a phone call
  • The body of a text message
  • An image sent as an MMS

Internet access

NB – this may additionally include information in relation to internet applications (below) where held by the internet access provider for business purposes

Communications data:

Broadband

  • Routing information
  • Name of a customer
  • Address of a customer
  • Phone number of a customer
  • Device identifiers linked to a customer’s account – e.g. IMSI, IMEI, MAC address
  • Email address linked to a customer’s account
  • Account details used to pay for the service
  • User name
  • Password
  • Billing data
  • RADIUS logs (IP session start/stop)
  • Destination IP address and port number
  • The domain url (this is the part such as bbc.co.uk)**
  • Server Name Indication**
  • Public source IP address and port number
  • Time/date/location of an internet communication
  • Device identifiers linked to a communication
  • Volumes of data uploaded/downloaded
  • Location/address of access point such as a broadband router

Public Wi-fi

Instead of the location/address of the broadband router the following data may additionally be captured:

  • Wi-fi access point name
  • Wi-fi access point address
  • Wi-fi access point device identifiers e.g. MAC address
  • Coverage maps

NB – What may appear as a single wi-fi access session to a customer may actually constitute multiple sessions using different wi-fi access points or a number of applications on a device opening separate connections. A session may also use mobile data for some periods, where the data listed under Mobile will be relevant.

Mobile

Instead of the location/address of the broadband router the following data may additionally be captured:

  • Cell mast name
  • Cell mast sector
  • Cell mast locations
  • Network maps
  • 2G/3G/4G coverage maps
  • Device identifiers (e.g. MAC address, IMSI, IMEI) of the device connecting to the mobile internet – e.g. phone, tablet, dongle
  • Device identifiers (e.g. MAC address) of any other devices using the internet through that connection (some devices can broadcast their signal allowing another device to use their connection).
  • A handshake between a phone and a cell mast so the network knows where to route a mobile data session
  • NAT/PAT logs

NB – what may appear to a customer to be a single mobile internet session may be multiple sessions for the same reasons as for public wi-fi access.

Content:

  • The url of a webpage in a browsing session (e.g. www.bbc.co.uk/news/story or news.bbc.co.uk or friend’sname.facebook.com)
  • The content of the webpages being viewed, including any text, images, audio and videos embedded in the page
  • The names and content of any files transmitted over a peer to peer connection
  • Private posts being transmitted to or viewed on a webserver *
  • A like message being posted on social media *

NB – in practice an internet access provider is often unable to distinguish what traffic it is carrying from a source IP to a destination IP.

Internet applications (such as Internet Telephony, Internet email)

Communications data:

  • Routing information
  • Name of a customer
  • Address of a customer
  • Phone number of a customer
  • Email address linked to a customer’s account
  • Time/date/location at logon/logoff/reconnect
  • Account details used to pay for the service
  • User name (or other credentials used to access the service)***
  • Password
  • Billing data
  • Email address of the sender or recipient of an email
  • Caller and callee for VoIP calls
  • Source IP address and port number
  • Message type (e.g. email, IM)
  • Time/date/location of each internet communication

Content:

  • The body of an email
  • The subject line of an email
  • Any attachments to an email
  • The audio/visual of an internet call
  • The messages comprising a conversation in an internet chat

* This only deals with looking at a communication which is viewing or uploading such posts. The posts themselves hosted on the servers of such a service would be out of scope of this section.

** This may be third party data when seen by an internet access provider

*** Certain online services can use identifiers of the device to verify a connection rather than a user inputting a username and password each time they use the service.


ANNEX B: Request Filter and ICRs

REQUEST FILTER OVERVIEW

INTRODUCTION

  1. The request filter is an additional communications data safeguard being introduced in the Investigatory Powers Bill. It will work alongside other acquisition safeguards and existing infrastructure to prevent communications data that is not directly relevant to a communications data request from being provided to a public authority.
  2. The request filter will only process specified communications data defined in a targeted communications data authorisation. The specified data must be necessary and proportionate for the operational requirement set out in the authorisation. The request filter is not a data mining tool or a search engine as it can only operate on limited sets of authorised data using specified and authorised processing steps. The request filter will not retain any communications data acquired for an authorisation once the processing for that authorisation is complete or it is no longer necessary to retain the data for the purpose of the authorisation.
  3. The request filter is available to all public authorities to assist in accessing the communications data that they are permitted to use, subject to individual authorisations. With the increasing use of a wider range of online communications services and communications networks, the communications data required to answer investigative questions is becoming more fragmented. The filter arrangements will support complex communications data investigations. When a public authority makes such a request, it will only see the data it needs to see. Any extraneous data will be deleted and not made available to the public authority, thus limiting the collateral intrusion.

SCENARIO – MULTI-SCENE MURDER INVESTIGATION

  1. An example where the filter arrangements might be used is for a serious crime involving multiple locations. This scenario involves three locations associated with a murder; the murder scene where the attack took place, the location where the body was discovered, and the location of an abandoned vehicle that has been connected with the murder.
  2. The use of communications data is considered appropriate to establish who was in all three locations at the times of interest.

  1. In this case the distances between the locations, and the limited time periods of interest at each location, mean that it is unlikely that individuals not involved in the murder would be at each of the locations at the specified times.

OPERATION OF THE REQUEST FILTER

  1. The operation of the request filter involves a number of key steps which ensure that the public authority has the information necessary to make informed decisions about its request while the request filter provides the necessary safeguards. This is illustrated in the figure overleaf.

Step 1: Authorisation

  1. The Applicant or SPoC may identify that the request filter will be used in a communications data request in order to safeguard privacy by limiting or managing collateral intrusion. The Designated Senior Officer will consider the necessity and proportionality of the application including the proposed use of the request filter. An application would identify both the data that will be disclosed to the request filter and the processing steps that will be used. The request filter may provide the Designated Senior Officer with additional information to inform consideration of the proportionality of the request.
  2. As with other requests, the Designated Senior Officer may place constraints on the release of any results from the filter so that if the number of results is greater than authorised, disclosure to the Public Authority will be prevented.

Step 2: Acquisition

  1. The request is sent to the filter which in turn acquires the authorised communication data for the request from the relevant communications providers. The communications providers will not be aware of the detail of the processing to be undertaken (as now for data released to public authorities) and will only disclose the communications data to the request filter.

Step 3: Processing

  1. The request filter performs the authorised processing of the communications data that has been disclosed to produce a results file. The only communications data that is processed is that disclosed by the communications providers for the purpose of the relevant authorisation. Only the results from the filter processing are released to the SPoC. An additional check may be used prior to release to confirm that the number of results is within authorised limits.
  2. Because the data processed is limited to that which has been specified and authorised as necessary and proportionate for the operational requirement, the request filter will not operate as a data mining tool or search engine.

Step 4: Deletion

  1. Once the results have been released and the authorisation is complete, the disclosed communications data (including the results) is deleted from the request filter. Only data required for audit and management information purposes as set out in the IP Bill is retained in the filter. The Secretary of State will produce an annual report on the operation of the request filter and will additionally report any significant errors immediately to the Investigatory Powers Commissioner.
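The four steps above, applied to the multi-scene scenario, as an added sketch that is not part of the Home Office submission and not the filter's actual design. The class and field names, the "intersect" processing step, the authorisation reference and all identifiers are hypothetical and constructed for illustration.

```python
"""Sketch of a request filter: authorise, acquire, process, delete.

Hypothetical names and constructed data; not the real system's design.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorisation:
    reference: str
    datasets: frozenset     # the only datasets the filter may acquire
    processing_step: str    # the single authorised processing step
    max_results: int        # release constraint set at authorisation


@dataclass(frozen=True)
class FilterOutcome:
    released: bool
    results: tuple          # empty when release is prevented
    audit: dict             # counts only, no communications data


class RequestFilter:
    def __init__(self):
        self._store = {}    # disclosed data, keyed by authorisation
        self.audit_log = []

    def acquire(self, auth, dataset, identifiers):
        """Step 2: accept only data specified in the authorisation."""
        if dataset not in auth.datasets:
            raise PermissionError(f"{dataset!r} is not authorised")
        held = self._store.setdefault(auth.reference, {})
        held[dataset] = frozenset(identifiers)

    def process(self, auth):
        """Steps 3 and 4: authorised processing, release check, deletion.

        Deletion is done here for brevity; the text ties it to the
        authorisation being complete.
        """
        held = self._store.get(auth.reference, {})
        if auth.processing_step != "intersect":
            raise PermissionError("processing step is not authorised")
        if auth.datasets - set(held):
            raise ValueError("not all authorised datasets were disclosed")
        try:
            matches = frozenset.intersection(*held.values())
            released = len(matches) <= auth.max_results
            audit = {
                "reference": auth.reference,
                "records_in": {k: len(v) for k, v in held.items()},
                "result_count": len(matches),
                "released": released,
            }
            self.audit_log.append(audit)
            results = tuple(sorted(matches)) if released else ()
            return FilterOutcome(released, results, audit)
        finally:
            # Extraneous data and results leave the filter either way.
            self._store.pop(auth.reference, None)

    def holds_data(self, reference):
        return reference in self._store


# Constructed sample disclosures: identifiers seen near each location
# during the time window of interest.
SAMPLE_DISCLOSURES = {
    "murder_scene": ["id-0102", "id-0417", "id-0533", "id-0921"],
    "body_location": ["id-0417", "id-0660", "id-0788"],
    "vehicle_location": ["id-0417", "id-0305"],
}


def run_scenario(max_results):
    """Run the three-location request with a given release limit."""
    auth = Authorisation(
        reference="CD-EXAMPLE-001",
        datasets=frozenset(SAMPLE_DISCLOSURES),
        processing_step="intersect",
        max_results=max_results,
    )
    request_filter = RequestFilter()
    for dataset, identifiers in SAMPLE_DISCLOSURES.items():
        request_filter.acquire(auth, dataset, identifiers)
    return request_filter.process(auth), request_filter


if __name__ == "__main__":
    outcome, _ = run_scenario(max_results=2)
    print(outcome.released, outcome.results, outcome.audit)
```

Of the nine disclosed records, only the one identifier present at all three locations reaches the public authority, and the audit entry holds counts rather than identifiers.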

REQUEST FILTER IMPLEMENTATION

  1. The request filter will be established and maintained by the Secretary of State, effectively in the Home Office (although there is provision to transfer its functions to another public authority), sitting between a communications service provider and public authorities. Its operation and development will be overseen by the Investigatory Powers Commissioner.

 


Request filter operation – summary of key steps


What is an Internet Connection Record?

This document addresses what an Internet Connection Record (ICR) is.

An Internet Connection Record is a record of the internet services a specific device is connected to, such as a website or instant messaging application. It is captured by the company providing access to the internet.

Each ICR is a record of a single Internet Protocol event that occurs during the communication process and is made up of a number of components of communications data.

What is an Internet Connection Record composed of?

An Internet Connection Record can include the following components:

 

 

 


The components in blue form the core of an ICR.

The components in green are information entities whose quality may be degraded by a number of factors.  These are desirable and will be sought where feasible and cost effective to do so.

Account reference, source IP address and port, session start, session end and volumes can already be retained under existing legislation.

The URI domain or service identifier may, depending on how a CSP configures its network, constitute 3rd party data. Unless a CSP processes that data itself for business purposes, it cannot be retained as part of an ICR.

The component in pink is a foreseeable addition that may need to be incorporated in future.

A simple example ICR is shown for a mobile phone (the client).

 

| Data Fields | Example | What does it represent? |
|---|---|---|
| Account Reference | 13109976224 | The mobile telephone number |
| Source IP : Port – Private | 10.13.26.70 : 5256 | What the client looks like to the Communication Service Provider for Internet access. |
| Source IP : Port - Public | 232.99.52.12 : 80 | What the client looks like to the Internet. |
| Destination IP : Port | 135.20.32.87 : 80 | The Internet Service being accessed by the client. |
| URI domain | www.socialmedia.com | The Internet Service’s web domain.* |
| Service identifier | Social Media | The Internet Service’s name. |
| Session Start Time | 14:30:01 GMT 03/09/2015 | The time and date for the start of session. |
| Session End Time | 14:40:29 GMT 03/09/2015 | The time and date for the end of session. |
| Data Volumes Transferred | 1253 outgoing | The number of Bytes Transferred and direction. |

 

* A URI retained as part of an ICR may only contain the elements of the address which identify the communication service concerned.


ANNEX C: Investigatory Powers Bill:  Technical Advisory Board (TAB)

 

Legislative Basis

 

  1.                Clause 183 of the draft Investigatory Powers Bill replicates section 13 of the Regulation of Investigatory Powers Act 2000 (RIPA) which established the Technical Advisory Board (TAB), an advisory Non-Departmental Public Body. The TAB provides an important safeguard for communications companies and the Government, and ensures that any disputes that arise from certain obligations imposed on communications companies can be resolved satisfactorily.

 

  1.                Under RIPA, the TAB could be asked to consider the reasonableness of section 12 notices which place obligations on communications service providers to maintain permanent interception capabilities.  Under the draft Bill, the TAB’s remit will be extended. A right of appeal will apply to a technical capability notice, a national security notice, and a data retention notice.  A technical capability notice places obligations on CSPs to provide permanent technical capabilities in relation to any of the following: interception, equipment interference, or communications data acquisition.

 

  1.                The following outlines the proposed functions and membership requirements of the TAB as established under the draft Bill. 

Purpose

 

  1.                Under the draft Bill, the TAB will have two key functions:

 

  1. Section 189 of the draft Bill allows the Secretary of State to make regulations imposing obligations on communications service providers to maintain the technical capability to give effect to warrants or communications data authorisations. Before making such regulations the Secretary of State must consult with the TAB.

 

  1. CSPs will be able to seek a review of obligations placed upon them (in technical capability notices, national security notices, and data retention notices) by the Secretary of State. The Secretary of State may by regulation set out the circumstances in which a review may be sought. In such cases, the Secretary of State must consult the TAB and the Investigatory Powers Commissioner (IPC). The TAB must consider the technical requirements and financial consequences for the operator who made the referral. The TAB must give the operator concerned the opportunity to provide evidence and must report their conclusions to both the operator and the Secretary of State. After considering reports from each, the Secretary of State may either vary or withdraw the notice, or confirm its effect.

Membership

  1.                The membership of the TAB is provided for in the Regulation of Investigatory Powers (Technical Advisory Board) Order 2001. This will be replaced by new regulations under the draft Bill which will be published in draft at the time of the introduction of the draft Bill. TAB membership requirements are being reviewed following the proposed extension of the TAB’s remit to ensure that Board members have sufficient knowledge to advise the Secretary of State on the cost implications and technical feasibility of implementing a notice in the event of an appeal.

 

  1.                The TAB currently comprises 13 people: six representatives of communications service providers, six representatives of the intercepting agencies and an independent Chair. It is the Government’s intention to maintain the size and balance of the TAB.

 

  1.                The TAB industry members must hold an office, rank or position within a communications service provider (or within a body representing such a provider’s interests, such as a trade body) that is likely to be subject to obligations under:

 

 

  1.                Agency members must hold office, rank or position within one of the intercepting agencies (or in a body representing their interests, e.g. NTAC).  The anonymity of agency members will be maintained.

 

  1. There will be no obligation to have a representative from each intercepting agency or each CSP subject to obligations on the Board, in line with the existing position.

 

  1.            The draft Bill and TAB Terms of Reference make clear that the TAB Chair cannot be a current employee of a communication service provider, an intercepting agency, or an organisation representing the interests of either category of people.

 

  1.            It is a requirement in the TAB’s Terms of Reference that Board members are security cleared to a standard deemed appropriate by the Secretary of State. In addition, members must comply with the TAB’s Code of Conduct[1].

 

  1. Recruitment of the TAB Chair and industry members will be conducted in accordance with guidance provided by the Office for the Commissioner for Public Appointments. Communications service providers on whom a notice (technical capability, national security or data retention notice) is likely to be imposed will be eligible to nominate candidates to fill vacant TAB posts. For appointments representing the intercepting agencies, candidates will be nominated by the intercepting agencies and appointed by the Home Secretary.

 

  1.            The working practices of the TAB will be set out clearly in the Terms of Reference.  These will be remade and available in draft at the time of the introduction of the draft Bill.  The working practices will include detail on the minimum representation required for the TAB to perform its duties and the timeframe in which it would consider any appeal.

 


Annex D Authorisation processes for the Investigatory Powers Bill

Interception




Communications data


Equipment interference






Bulk personal datasets


Urgency Procedures


 


ANNEX E: Warrant Modifications

A major modification is one in which a name, premises, description, or organisation is either added or removed from a warrant. For example adding the extremist associate of a subject of intelligence interest to a warrant. A variation to a bulk warrant or an Equipment Interference warrant will always be considered a major modification.

A minor modification is the variation of a warrant that falls short of what is outlined above. For example if a subject of intelligence interest buys a new mobile phone, adding that second number to a warrant.

A major modification may be made by a Secretary of State, a member of the Scottish Government, a senior official acting on behalf of the Secretary of State or member of the Scottish Government. Where a major modification is made by a senior official then the relevant Secretary of State or member of the Scottish Government must be informed about the modification.

A minor modification may be made by anyone who can make a major modification as well as the person to whom the warrant was addressed or a senior person within the same public authority who was granted the warrant. Allowing a warrant requesting agency to make minor modifications ensures that the system is operationally efficient.

It will be for the warrant requesting agency to initially consider whether the modification being sought is minor or major. Guidance on this will be contained in the Code of Practice.

All warrants, whether they have been modified or not, will still be subject to retrospective oversight by the Investigatory Powers Commissioner. We anticipate that the Commissioner will report annually on this aspect of their work, and would make it clear if they felt that the modification process was not being used appropriately. The current senior judicial figures who provide statutory oversight to the warrantry process have been consistently complimentary about the rigour of the current regime and there has never been a suggestion that the urgency procedure has been abused.

 


Summary table of authorisation levels of warrantry

 

Type of warrant

Legal instruments (we envisage this being explained in the relevant Codes of Practice)

Explanation

Authorisation level

Who can modify? (this does not include the power to remove, delete or cancel)

Targeted Interception

Instrument

This will authorise both the acquisition of, and access to, the content of communications and any related communications data. It will set out the statutory purposes and the legal test that the SofS must be personally satisfied has been met.

Secretary of State issues with Judicial Commissioner approval.

Not possible to modify the instrument.

 

Schedule of subjects

Schedule sets out the name or description of a person, organisation or set of premises that is to be intercepted.

Authorised alongside the application and instrument when the warrant was authorised.

A change to this schedule would be a major modification. As such, it could be made by a senior official in the Warrant Granting Department. Subject to retrospective Judicial Commissioner oversight.

 

Schedule of identifiers

This schedule sets out the communications selectors associated with the subject(s) of the warrant to be intercepted or a description of the factors that identify what needs to be intercepted. There would be a schedule per CSP which will be served on the relevant CSP. The selectors could include factors that enable the communication address to be identified.

Senior official in either the Warrant Granting Department or Warrant Requesting Agency.

A change to this schedule would be a minor modification. As such, it could be made by a senior official in the Warrant Granting Department or the Warrant Requesting Agency. Subject to retrospective Judicial Commissioner oversight.

Targeted Examination Warrant

Instrument

This will authorise the examination of intercepted material obtained under a bulk interception warrant for persons believed to be in the UK.

Secretary of State issues with Judicial Commissioner approval.

Not possible to modify the instrument.

 

Schedule of subjects

Schedule setting out the name or description of a person, organisation or set of premises.

 

A change to this schedule would be a major modification. As such, it could be made by a senior official in the Warrant Granting Department. Subject to retrospective Judicial Commissioner oversight.

Targeted Equipment Interference

Instrument

This will authorise both the acquisition of, and access to, the electronic communications, private data and equipment data. It will set out the statutory purposes and the legal test that the SofS must be personally satisfied has been met.

 

For Security and Intelligence Agency warrants, Secretary of State issues with Judicial Commissioner approval.

For Law enforcement warrants, Chief constable (or equivalent) with Judicial Commissioner approval.

Not possible to modify the instrument.

 

Schedule of subjects

Schedule setting out the subject matter of the warrants – e.g. equipment belonging to, used by or in the possession of a particular person, organisation or a group that shares a common purpose etc. The full list is provided in clause 83.

This would be authorised alongside the application and instrument when the warrant was authorised.

A change to this schedule would be a major modification (the Bill does not distinguish between minor and major modifications for EI, but it is equivalent to a major interception modification). For Security and Intelligence Agency (SIA) warrants, modifications can be done by a senior official in the Warrant Granting Department. For Law Enforcement Agency (LEA) warrants, a Judicial Commissioner would authorise modifications. Both SIA and LEA warrants are subject to retrospective Judicial Commissioner oversight.

 

Schedule of actions and equipment

Schedule setting out specific actions that are authorised (i.e. IT attack / IMSI grab etc) and the associated equipment (e.g. phone).

This would be authorised alongside the application and instrument when the warrant was authorised.

A change to this schedule would be treated as a major modification (the Bill does not distinguish between minor and major modifications for EI, but it is equivalent to a major interception modification). For SIA warrants, modifications can be done by a senior official in the Warrant Granting Department. For law enforcement warrants, a Judicial Commissioner would authorise modifications. Both SIA and LEA warrants are subject to retrospective Judicial Commissioner oversight.

Equipment Interference
Examination Warrant

Instrument

This will authorise the examination of material collected under a bulk EI warrant of persons believed to be in the UK.

Secretary of State issues with Judicial Commissioner approval.

 

Not possible to modify the instrument.

 

Schedule of subjects

Schedule setting out the subject matter of the examination warrant – e.g. equipment belonging to, used by or in the possession of a particular person, organisation or a group that shares a common purpose etc.

This would be alongside the application and instrument when the warrant was authorised.

The Bill does not, currently, provide for modifications.

Bulk Equipment Interference / Interception / communications data

Instrument

This will authorise the collection of data in bulk and the circumstances in which the data can be selected for examination. It will set out the statutory purposes for which data can be collected. Only available to the Security and Intelligence Agencies.

Secretary of State issues with Judicial Commissioner approval.

Not possible to modify the instrument.

 

Schedule of Bulk access conditions

This schedule will set out the operational purposes for which the data collected in bulk can be examined.

This will be authorised alongside the application and instrument when the warrant was authorised.

Adding or varying an operational purpose must be made by a Secretary of State which must be approved by a Judicial Commissioner. Removing an operational purpose must be made by a Secretary of State or a senior official acting on behalf of a Secretary of State.

Class Bulk Personal Datasets (BPD)

Instrument

This will authorise the acquisition of, and access to, the bulk personal datasets. It will set out the statutory purposes, the description of the class of BPDs that are being sought (etc.); and the legal test that the SofS must be personally satisfied has been met.

Secretary of State issues with Judicial Commissioner approval.

Not possible to modify the instrument.

 

Schedule of Bulk access conditions

This schedule would set out the operational purposes which the intelligence agency can access the bulk personal datasets for.

This would be alongside the application and instrument when the warrant was authorised.

Major modifications (adding or varying an operational purpose) must be made by a Secretary of State or a senior official acting on behalf of a Secretary of State, and must be approved by a Judicial Commissioner. Minor modifications (removing an operational purpose) must be made by a Secretary of State, a senior official acting on behalf of a Secretary of State, the head of an intelligence service, or a senior official in the intelligence service.

Specific BPD

Instrument

This will authorise the acquisition of, and access to, a specified bulk personal dataset. It will set out the statutory purposes, a description of the bulk personal dataset that is being sought (etc.); and the legal test that the SofS must be personally satisfied has been met.

Secretary of State issues with Judicial Commissioner approval.

Not possible to modify the instrument.

 

Schedule of Bulk access conditions

This schedule would set out the operational purposes which the intelligence agency can access the bulk personal datasets for.

This would be alongside the application and instrument when the warrant was authorised.

 

Adding or varying any operational purpose would be a ‘major’ modification (it is worth noting that a major BPD modification is different to a major interception modification). Such modifications can be made by the Secretary of State or a senior official in the Warrant Granting Department, and must be approved by a Judicial Commissioner.  Removing an operational purpose would be a minor modification, and must be made by a Secretary of State, a senior official acting on behalf of a Secretary of State, the head of an intelligence service, or a senior official in the intelligence service. Subject to retrospective Judicial Commissioner oversight.

 


Annex F1

The table below provides an overview of how the Government has responded to the recommendations and conclusions in the ISC’s Privacy and Security Report that are relevant to the draft Investigatory Powers Bill.

 

Recommendation

 

Government Response

A

The targeted interception of communications (primarily in the UK) is an essential investigative capability which the Agencies require in order to learn more about individuals who are plotting against the UK. In order to carry out targeted interception, the Agencies must apply to a Secretary of State for a warrant under Section 8(1) of RIPA. From the evidence the Committee has seen, the application process followed by MI5 is robust and rigorous. MI5 must provide detailed rationale and justification as to why it is necessary and proportionate to use this capability (including, crucially, an assessment of the potential collateral intrusion into the privacy of innocent people).

The Government welcomes the ISC’s endorsement of the strong safeguards that apply to the targeted interception regime under existing legislation. These safeguards have been carried across to the provisions in Chapter 1 of Part 2 of the draft Investigatory Powers Bill and will be strengthened by the application of further safeguards.

B

GCHQ and SIS obtain fewer 8(1) warrants. When they do apply for such warrants, they do so via a submission to the Foreign Secretary. While this submission covers those aspects required by law, it does not contain all the detail covered by MI5’s warrant applications. We therefore recommend that GCHQ and SIS use the same process as MI5 to ensure that the Home Secretary and the Foreign Secretary receive the same level of detail when considering an 8(1) warrant application.

The Government agrees that there should be consistency in processes and applications where appropriate. Part 2, Chapter 1 of the draft Bill provides a single, clear warrant granting regime and ensures consistency through the application of robust oversight and authorisation arrangements for all agencies that use interception powers. The draft Bill provides for targeted interception warrants and targeted examination warrants (clause 12).

Further details will be in Codes of Practice, which will be published in draft on formal introduction of the Bill in 2016.

C

RIPA expressly prohibits any reference to a specific interception warrant. We do not consider this is proportionate: disclosure should be permissible where the Secretary of State considers that this could be done without damage to national security.

The Government recognises the importance of being as transparent as possible. The draft Bill provides for greater transparency than ever before by clarifying, within the constraints imposed by national security, the current restrictions and prohibitions relating to the disclosure of warrants and intercepted material (RIPA ss.15 and 19, Official Secrets Act 1989 s.4) in order to ensure, in particular, that:

 

(a) there is no legal obstacle to explaining the uses (and utility) of warrants to Parliament, courts and public. Clause 43(5)(h) allows for the disclosure of information which does not relate to any specific warrant but relates to interception warrants in general. This will allow for the explaining of the uses and utility of warrants to Parliament, courts and the public. 

 

(b) as recommended by the Police Ombudsman for Northern Ireland in his report of 30 October 2014 on the Omagh bombing, there is “absolute clarity as to how specific aspects of intelligence can be shared in order to assist in the investigation of crime”.

 

Clause 40 imposes restrictions on the access to and disclosure of intercept material, limiting this to the minimum necessary for the authorised purposes. The authorised purposes include prevention or detection of serious crime. This clause, in combination with s19 of the Counter-Terrorism Act 2008 (which includes provisions on the disclosure of information by the Intelligence Agencies), permits intelligence to be shared with law enforcement bodies in order to assist in the investigation of a serious crime.

D

The Agencies have described ‘thematic warrants’ as covering the targeted interception of the communications of a “defined group or network” (as opposed to one individual). The Committee recognises that such warrants may be necessary in some limited circumstances. However, we have concerns as to the extent that this capability is used and the associated safeguards. Thematic warrants must be used sparingly and should be authorised for a shorter timescale than a standard 8(1) warrant.

Clauses 13 and 83 of the draft Bill provide for ‘thematic’ warrants by enabling targeted interception and equipment interference warrants to be issued in relation to a specific operation or investigation. Such warrants will be subject to strict safeguards. Clause 23 of the draft Bill requires that operation-specific interception warrants should include details of the targets who are the subjects of those warrants. Clause 93 makes equivalent provisions in respect of equipment interference warrants. The overall warrantry authorisation regime is also being made more robust.

 

E

There are other targeted techniques the Agencies can use which also give them access to the content of a specific individual’s communications. However, the use of these capabilities is not necessarily subject to the same rigour as an 8(1) warrant, despite providing them with the same result. All capabilities which provide the content of an individual’s communications should be subject to the same legal safeguards, i.e. they must be authorised by a Secretary of State and the application to the Minister must specifically address the Human Rights Act ‘triple test’ of legality, necessity and proportionality.

The Government recognises the need to provide a single, clear warrant granting regime and to ensure consistency. Covert capabilities, such as the use of interception (including through Wireless Telegraphy) and equipment interference, have been put on a clear statutory footing through Parts 2 and 5 of the draft Bill and will be subject to strict safeguards. Bulk interception and equipment interference powers are also available to the security and intelligence agencies and provided for in Part 6 of the draft Bill. Similar safeguards are set out in the Bill in relation to both targeted and bulk use of these powers. Ministers will be directed, through the Bill, to only authorise a warrant where they are assured that it is both necessary and proportionate.

 

F

GCHQ’s bulk interception capability is used either to investigate the communications of individuals already known to pose a threat, or to generate new intelligence leads, for example to find terrorist plots, cyber attacks or other threats to national security. It has been alleged – inaccurately – that this capability allows GCHQ to monitor all of the communications carried over the internet. GCHQ could theoretically access a small percentage (***%) of the 100,000 bearers which make up the internet, but in practice they access only a fraction of these (***%) – we detail below the volume of communications collected from these bearers. GCHQ do not therefore have ‘blanket coverage’ of all internet communications, as has been alleged – they have neither the legal authority, the technical capacity nor the resources to do so.

The Government welcomes the ISC’s clarification that GCHQ does not have ‘blanket coverage’ of all internet communications, and that it only examines those communications that relate to its statutory purposes. This is provided for in Part 6 of the Bill at clauses 107 (bulk interception), 122 (bulk communications data acquisition), and 137 (bulk equipment interference) of the draft Bill.

 

These statutory purposes are set out clearly in the draft Bill and limit examination to those situations where it is necessary in the interests of national security; for the purposes of preventing or detecting serious crime; or in the interests of the economic well-being of the UK so far as those interests are also relevant to the national security of the UK. Examination is only permitted for the statutory purpose for which the warrant has been issued.

 

The draft Bill maintains the strong safeguards that apply to the bulk interception regime. It will strengthen existing statutory safeguards so that analysts will only be able to search for and examine communications where it is necessary in the pursuit of a specified operational purpose that has been authorised by the Secretary of State and approved by the Judicial Commissioner. This will apply irrespective of the person’s nationality or location and will apply to both the content of communications and related communications data that may be intercepted under the bulk interception regime.

 

Clause 119 provides that where an intelligence agency is investigating a person in the British Islands, the agency will need to obtain a targeted examination warrant under clause 12(1)(b) before it may examine the contents of that person’s communications intercepted under a bulk warrant. Clause 147 applies similar safeguards in respect of data acquired under bulk equipment interference warrants.

G

It has been suggested that GCHQ’s bulk interception is indiscriminate. However, one of the major processes by which GCHQ conduct bulk interception is targeted. GCHQ first choose the bearers to access (a small proportion of those they can theoretically access) and then use specific selectors, related to individual targets, in order to collect communications from those bearers. This interception process does not therefore collect communications indiscriminately.

H

The second bulk interception process we have analysed involves the *** collection of large quantities of communications. ***. However, this collection is not indiscriminate. GCHQ target only a small proportion of those bearers they are able to access. The processing system then applies a set of selection rules and, as a result, automatically discards the majority of the traffic on the targeted bearers.

I

There is a further filtering stage before analysts can select any communications to examine or read. This involves complex searches to draw out communications most likely to be of greatest intelligence value and which relate to GCHQ’s statutory functions. These searches generate an index. Only items contained in this index can potentially be examined – all other items cannot be searched for, examined or read.

J

Our scrutiny of GCHQ’s bulk interception via different methods has shown that while they collect large numbers of items, these have all been targeted in some way. Nevertheless, it is unavoidable that some innocent communications may have been incidentally collected. The next stage of the process – to decide which of the items collected should be examined – is therefore critical. For one major method, a ‘triage’ process means that the vast majority (***%) of the items collected are never looked at by an analyst. For another major method, the analysts use the search results to decide which of the communications appear most relevant and examine only a tiny fraction (***%) of the items that are collected. In practice this means that fewer than *** of ***% of the items that transit the internet in one day are ever selected to be read by a GCHQ analyst. These communications – which only amount to around *** thousand items a day – are only the ones considered to be of the highest intelligence value. Only the communications of suspected criminals or national security targets are deliberately selected for examination.

The Government welcomes the ISC’s conclusion that only the communications of suspected criminals or national security targets are deliberately selected for examination by GCHQ.

 

Part 6 of the draft Bill maintains the strong safeguards that apply to the bulk interception regime and provides equivalent safeguards in respect of bulk communications data and bulk equipment interference. It strengthens existing statutory safeguards so that analysts will only be able to search for and examine communications where it is necessary in the pursuit of a specified operational purpose that has been authorised by the Secretary of State and approved by a Judicial Commissioner. This will apply to both the content of communications and related communications data that may be intercepted under the bulk regime.

 

K

It is essential that the Agencies can ‘discover’ unknown threats. This is not just about identifying individuals who are responsible for threats, it is about finding those threats in the first place. Targeted techniques only work on ‘known’ threats: bulk techniques (which themselves involve a degree of filtering and targeting) are essential if the Agencies are to discover those threats.

The Government welcomes the ISC’s acknowledgement of the need to maintain the ability to find those who seek to cause harm to the United Kingdom and our citizens and interests abroad. Part 6 of the draft Bill provides a clear statutory basis for all of the ‘bulk’ powers used by the agencies for the purpose of discovering previously unknown threats, including the safeguards and oversight arrangements covering the use of these powers.

L

We are satisfied that current legislative arrangements and practice are designed to prevent innocent people’s communications being read. Based on that understanding, we acknowledge that GCHQ’s bulk interception is a valuable capability that should remain available to them.

The Government is grateful to the ISC for their conclusion that GCHQ’s bulk interception capability is a valuable tool and that the current legislative arrangements and practices are designed to prevent innocent people’s communications being read. Chapter 1 of Part 6 of the draft Bill carries across all of the existing safeguards that apply to the bulk interception regime. The draft Bill also reduces the number of agencies that can apply for a bulk interception warrant, enhances the authorisation regime and limits the purposes for which intercepted communications may be examined.

 

M

While we recognise privacy concerns about bulk interception, we do not subscribe to the point of view that it is acceptable to let some terrorist attacks happen in order to uphold the individual right to privacy – nor do we believe that the vast majority of the British public would. In principle it is right that the intelligence Agencies have this capability, provided – and it is this that is essential – that it is tightly controlled and subject to proper safeguards.

The Government agrees that it is never acceptable to let terrorist attacks happen where they can be prevented. Chapter 1 of Part 6 of the draft Bill ensures the security and intelligence agencies maintain their vital bulk interception capabilities, which will be subject to enhanced safeguards, a more robust authorisation framework and strengthened oversight arrangements.

N

Bulk interception is conducted on external communications, which are defined in law as communications either sent or received outside the UK (i.e. with at least one ‘end’ of the communication overseas). The collection of external communications is authorised under 19 warrants under Section 8(4) of RIPA. These warrants – which cover the Communications Service Providers who operate the bearers – do not authorise the examination of those communications, only their collection. The warrants are therefore all accompanied by a Certificate which specifies which of the communications collected under the warrant may be examined. GCHQ are not permitted by law to examine the content of everything they collect, only that material which falls under one of the categories listed in the Certificate. In the interests of transparency we consider that the Certificate should be published.

The Government agrees that bulk interception is a vital tool designed to obtain foreign-focussed intelligence. There are strict safeguards governing the use of bulk interception, which ensure the agencies comply fully with their human rights obligations. Applications for bulk interception warrants will continue to be limited to the security and intelligence agencies and only for limited purposes. Proposals in the draft Bill mean that the Certificate will be replaced with a more detailed set of operational purposes for which material intercepted under a bulk warrant may be examined (clauses 107 and 119). Those operational purposes will be authorised in advance by the Secretary of State and approved by a Judicial Commissioner. In circumstances where the intelligence agencies wish to examine a communication of a person known to be in the British Islands they must apply to the Secretary of State for a targeted examination warrant. Publishing the categories of Operational Purposes in detail would be detrimental to national security.

 

O

8(4) warrants allow GCHQ to collect ‘external communications’ – these are defined in RIPA as communications where at least one end is overseas. However, in respect of internet communications, the current system of ‘internal’ and ‘external’ communications is confusing and lacks transparency. The Government must publish an explanation of which internet communications fall under which category, and ensure that this includes a clear and comprehensive list of communications.

The draft Bill implements the spirit of this recommendation in full; however, the Government does not believe that the answer lies in trying to categorise all internet communications according to ‘internal’ or ‘external’ criteria. The draft Bill clarifies the current terminology, replacing the definition of ‘external’ communications with a new requirement that bulk interception warrants should only be authorised where there is a ‘foreign focus’ – i.e. where the intention is to acquire the communications of persons overseas (clause 106).

P

The legal safeguards protecting the communications of people in the UK can be summarised as follows:

  • The collection and examination of communications with both ends known to be in the UK requires an 8(1) warrant.
  • All other communications can be collected under the authority of an 8(4) warrant.
  • Of these, GCHQ may search for and select communications to examine on the basis of a selector (e.g. email address) of an individual overseas – provided that their reason for doing so is one or more of the categories described in the 8(4) Certificate.
  • GCHQ may search for and select communications to examine on the basis of a selector (e.g. email address) of an individual in the UK if – and only if – they first obtain separate additional authorisation from a Secretary of State in the form of an 8(1) warrant or a Section 16(3) modification to the 8(4) warrant.
  • It would be unlawful for GCHQ to search for communications related to somebody known to be in the UK among those gathered under an 8(4) warrant without first obtaining this additional Ministerial authorisation.
  • This is reassuring: under an 8(4) warrant the Agencies can examine communications relating to a legitimate overseas target, but they cannot search for the communications of a person known to be in the UK without obtaining specific additional Ministerial authorisation.

The Government thanks the ISC for its helpful summary of the current safeguards that protect the communications of people in the UK. The draft Bill strengthens these further and requires that where an agency seeks to select for examination the communications of a person in the UK it will have to apply to the Secretary of State for a targeted examination warrant, which will need to be approved by a Judicial Commissioner before it can come into force (clause 119).

 

Q

The nature of the 16(3) modification system is unnecessarily complex and does not provide the same rigour as that provided by an 8(1) warrant. We recommend that – despite the additional resources this would require – searching for and examining the communications of a person known to be in the UK should always require a specific warrant, authorised by a Secretary of State.

The Government accepts this recommendation in full. The draft Bill strengthens the safeguards that apply to the communications of persons in the UK, requiring that where an agency seeks to select for examination the communications of a person in the UK it will have to apply to the Secretary of State for a targeted examination warrant, which will need to be approved by a Judicial Commissioner before it can come into force (clause 119).

 

R

While the protections outlined above apply to people in the UK, they do not apply to UK nationals abroad. While GCHQ operate a further additional system of authorisations, this is a policy process rather than a legal requirement. We consider that the communications of UK nationals should receive the same level of protection under the law, irrespective of where the person is located. The interception and examination of such communications should therefore be authorised through an individual warrant like an 8(1), signed by a Secretary of State. While we recognise this would be an additional burden for the Agencies, the numbers involved are relatively small and we believe it would provide a valuable safeguard for the privacy of UK citizens.

Whilst the Government understands the intention behind the ISC’s recommendation, it does not believe that there is an objective justification for different protections based purely on nationality. The draft Bill provides strong protections for the examination of content or communications data irrespective of nationality.

S

While the law sets out which communications may be collected, it is the selection of the bearers, the application of simple selectors and initial search criteria, and the complex searches which determine what communications are read. The Interception of Communications Commissioner should be given statutory responsibility to review the various selection criteria used in bulk interception to ensure that these follow directly from the Certificate and valid national security requirements.

The Government agrees that strong oversight of the use of investigatory powers is essential. That is why Part 8 of the draft Bill will reform oversight by creating a new Investigatory Powers Commissioner who will have the power to inspect any aspect of the security and intelligence agencies’ use of investigatory powers that he or she considers appropriate, including selection criteria. In addition, a Judicial Commissioner will have a role alongside the Secretary of State in approving the operational purposes for which material collected in bulk can be examined.

 

T

From the evidence we have seen, there are safeguards in place to ensure that analysts examine material covered by the 8(4) Certificate only where it is lawful, necessary and proportionate to do so. GCHQ’s search engines are constructed such that there is a clear audit trail, which may be reviewed both internally and by the Interception of Communications Commissioner. Nevertheless, we were concerned to learn that, while misuse of GCHQ’s interception capabilities is unlawful, it is not a specific criminal offence. We strongly recommend that the law should be amended to make abuse of intrusive capabilities (such as interception) a criminal offence.

Unlawful interception is already a criminal offence under the Regulation of Investigatory Powers Act 2000 and clause 2 of the draft Bill replicates this provision. The deliberate misuse of any agency interception capability may also engage existing offences, including misfeasance in public office or offences under the Computer Misuse Act.

U

In our 2013 Report on the draft Communications Data Bill, we concluded that “it is essential that the Agencies maintain the ability to access Communications Data”. The Committee remains of that view: it is a critical capability.

The Government shares the Committee’s view that it is essential for the Agencies to maintain the ability to access communications data. Part 3 of the draft Bill provides a clear statutory basis for the acquisition of communications data and Part 4 provides for the retention of communications data, both subject to robust safeguards. Chapter 2 of Part 6 makes explicit provision for bulk acquisition of communications data and sets out safeguards that apply to related communications data acquired under the bulk interception regime.

V

The Committee considers that the statutory definition of Communications Data – the ‘who, when and where’ of a communication – is narrowly drawn and therefore, while the volume of Communications Data available has made it possible to build a richer picture of an individual, this remains considerably less intrusive than content. We therefore do not consider that this narrow category of Communications Data requires the same degree of protection as the full content of a communication.

The Government accepts that there is a need to clarify the different types of communications data and accepts the spirit of the ISC’s recommendations. Clause 193 of the draft Bill includes revised definitions of the categories of communications data:

 

  • Entity data will include data about persons or devices, such as subscriber or billing information.
  • Event data will include data about interaction between persons or devices, such as the fact of a call between two individuals.

 

Recognising the more intrusive nature of events data, Schedule 4 of the draft Bill requires authorisation of access to such data be at a more senior level than for entity data.

 

In describing the communications data obtained, clause 71 of the draft Bill provides for the retention of internet connection records. The Government recognises the sensitive nature of internet connection records and for that reason clause 47 restricts the purposes for which they can be acquired further than other forms of communications data. A designated senior officer in a public authority will only be able to require disclosure or processing of internet connection records for the following purposes:

 

  • To identify the sender of an online communication. This will often be in the form of an IP address resolution and the internet service used must be known in advance of the application.
  • To identify which communication services a person has been using. For example whether they are communicating through apps on their phone.
  • To identify where a person has accessed illegal content. For example an internet service hosting child abuse imagery.

 

Clause 71 of the draft Bill also provides that local authorities will not be permitted to acquire internet connection records under any circumstances.

 

Before making a request for communications data, public authorities will need to consider which data type they require access to and whether it is necessary and proportionate to do so.

 

 

W

However, there are legitimate concerns that certain categories of Communications Data – what we have called ‘Communications Data Plus’ – have the potential to reveal details about a person’s private life (i.e. their habits, preferences and lifestyle) that are more intrusive. This category of information requires greater safeguards than the basic ‘who, when and where’ of a communication.

X

The Agencies use Bulk Personal Datasets – large databases containing personal information about a wide range of people – to identify individuals in the course of investigations, to establish links, and as a means of verifying information obtained through other sources. These datasets are an increasingly important investigative tool for the Agencies. The Intelligence Services Act 1994 and the Security Service Act 1989 provide the legal authority for the acquisition and use of Bulk Personal Datasets. However, this is implicit rather than explicit. In the interests of transparency, we consider that this capability should be clearly acknowledged and put on a specific statutory footing.

The Government shares the ISC’s conclusion that Bulk Personal Datasets are an increasingly important investigative tool for the Agencies. Part 7 of the draft Bill provides explicit statutory safeguards governing the Agencies’ acquisition and use of Bulk Personal Datasets. These include a warrantry regime with an authorisation process that is consistent with other bulk capabilities in the draft Bill.

 

 

Y

The Intelligence Services Commissioner currently has responsibility for overseeing the Agencies’ acquisition, use and destruction of Bulk Personal Datasets. This is currently on a non-statutory basis. Given that this capability may be highly intrusive and impacts upon large numbers of people, it is essential that it is tightly regulated. The Commissioner’s role in this regard must therefore be put on a statutory footing.

The Government agrees that, wherever possible, oversight should be on a statutory basis. That is why, in an immediate response to the ISC’s report, the Prime Minister issued a direction to the Intelligence Services Commissioner putting onto a statutory basis his oversight of the Agencies’ acquisition, use, retention and destruction of Bulk Personal Datasets.

 

The proposed new Investigatory Powers Commissioner will have a clear remit to oversee the use of all of the powers available to the security and intelligence agencies, including those relating to Bulk Personal Datasets (see clause 169(3)(a)).

 

CC

The Agencies may undertake IT Operations against computers or networks in order to obtain intelligence. These are currently categorised as ‘Interference with Property’ and authorised under the same procedure. Given the growth in, and intrusiveness of, such work we believe consideration should be given to creating a specific authorisation regime.

The Government accepts the ISC’s recommendation. Part 5 of the Bill provides a bespoke statutory framework for the ability of the Security and Intelligence Agencies, Armed Forces and law enforcement agencies to undertake equipment interference to obtain communications and other private information and imposes strong safeguards that reflect the interception regime (though not in respect of prohibiting the use of product from equipment interference in criminal trials).

FF

In relation to the activities that we have considered thus far, those which are most intrusive are authorised by a Secretary of State. Some witnesses questioned whether Ministers had sufficient time and independence and suggested that the public had lost trust and confidence in elected politicians to make those decisions. The Committee recognises these concerns. However, one aspect which we found compelling is that Ministers are able to take into account the wider context of each warrant application and the risks involved, whereas judges can only decide whether a warrant application is legally compliant. This additional hurdle would be lost if responsibility were to be transferred to judges and may indeed result in more warrant applications being authorised.

The Government shares the ISC’s view that it is important that Ministers continue to be able to authorise the use of investigatory powers.

The Bill preserves the ability of Ministers to make decisions about the necessity and proportionality of a particular warrant and, in doing so, take account of the wider context and risks involved. The Bill also recognises the need to provide further reassurance that these warrants are subject to robust scrutiny and independent oversight. That is why the draft Bill also includes a new provision for a judicial commissioner to approve warrants before they come into force. The Government feels that this new ‘double lock’ provides the right balance between the need for executive oversight and accountability and the need to have a robust authorisation process appropriate to the degree of potential intrusion brought about by each type of warrant.

 

GG

In addition, Ministers are democratically accountable for their decisions. It is therefore right that responsibility for authorising warrants for intrusive activities remains with them. It is Ministers, not judges, who should (and do) justify their decisions to the public. (We consider later the need for greater transparency: the more information the public and Parliament have, the more Ministers will be held to account.)

HH

Intrusive capabilities which fall below the threshold requiring a warrant are authorised by officials within the relevant Agency or department. While this is appropriate, there should always be a clear line of separation within the Agencies between investigative teams who request approval for a particular activity, and those within the Agency who authorise it. Further, those capabilities that are authorised by officials should be subject to greater retrospective review by the Commissioners to ensure that these capabilities are being authorised appropriately and compensate for the lack of individual Ministerial Authorisation in these areas.

The draft Bill provides that an authorising officer within a public authority may only authorise the acquisition of communications data where they are independent of the relevant operation (clause 47). There is an exemption for national security purposes. The use of these capabilities will be subject to robust independent oversight by the Investigatory Powers Commissioner.

II

The Commissioners’ responsibilities have increased as the Agencies’ capabilities have developed. However, this has been piecemeal and as a result a number of these responsibilities are currently being carried out on a non-statutory basis. This is unsatisfactory and inappropriate (as the Commissioners themselves recognise). The Commissioners’ non-statutory functions must be put on a clear statutory footing.

The Government accepts the need to enhance the already strong oversight regime. Part 8 of the draft Bill creates a new role of Investigatory Powers Commissioner, who will have the ability to inspect and oversee any aspect of the use of investigatory powers that he or she deems appropriate. The Prime Minister will retain the ability to give statutory directions to the Commissioner to inspect or oversee particular aspects of the agencies’ work.

JJ

Throughout this Report, we have recommended an increased role for the Commissioners – in particular, where capabilities are authorised at official level. While this would require additional resources, it would mean that the Commissioners could look at a much larger sample of authorisations.

The Government accepts the ISC’s recommendation. The Investigatory Powers Commissioner, provided for in Part 8 of the draft Bill, will have a considerable staff, including inspectors and technical experts. The Commissioner will have the ability to draw on independent expert legal advice as necessary.  

KK

While oversight systems in other countries include an Inspector General function, we note that Inspectors General often provide more of an internal audit function, operating within the Agencies themselves. As such, the Committee does not accept the case for transferring to this system: it is important to maintain the external audit function that the Commissioners provide.

The Government agrees that it is important to maintain the external audit function that the current Interception of Communications Commissioner, the Intelligence Services Commissioner and the Chief Surveillance Commissioner provide. The draft Bill creates a new office of The Investigatory Powers Commissioner which will provide independent and more visible scrutiny of the agencies and their work (clause 167).

LL

The Investigatory Powers Tribunal is an important component of the accountability structure. However, we recognise the importance of a domestic right of appeal and recommend that this is addressed in any new legislation.

The Government has accepted the ISC’s recommendation and the draft Bill provides a domestic route of appeal from the IPT to the Court of Appeal on a point of law (clause 180).

NN

We are reassured that the Human Rights Act 1998 acts as a constraint on all the Agencies’ activities. However, this safeguard is not evident to the public since it is not set out explicitly in relation to each intrusive power. The interactions between the different pieces of legislation which relate to the statutory functions of the intelligence and security Agencies are absurdly complicated, and are not easy for the public to understand (we address the requirement for a clearer legal framework later in this chapter).

The Government welcomes the ISC’s conclusion that the principles set out in the Human Rights Act 1998 underpin and act as an appropriate constraint on all of the activities of the Security and Intelligence Agencies. The draft Bill provides a comprehensive and comprehensible framework governing the acquisition of private communications by the state. All of those powers will be subject to extensive human rights safeguards.

OO

Section 7 of the Intelligence Services Act 1994 allows for a Secretary of State to sign an authorisation which removes civil and criminal liability for activity undertaken outside the British Islands which may otherwise be unlawful under UK law. We have examined the Class Authorisations allowed under ISA in detail and are satisfied that they are required in order to allow the Agencies to conduct essential work. Nevertheless, that may involve intruding into an individual’s private life, and consideration should therefore be given to greater transparency around the number and nature of Section 7 Authorisations.

The draft Bill provides a comprehensive basis for all of the powers available to interfere with private communications, including the use of equipment interference to obtain stored communications (currently authorised under the Intelligence Services Act 1994) (provided at Part 5). The Bill does not provide for interference with equipment for purposes other than the acquisition of communications and other private data.

 

All equipment interference under the Bill must be authorised by a warrant, which will require the Agencies to provide details of the operational purposes or a description of the targets of the warrant as appropriate (clauses 81 to 94). The warrants will be renewable every six months.

PP

We consider that Ministers must be given greater detail as to what operations are carried out under each Class Authorisation: a full list should be provided every six months. We also recommend that Ministers provide clear instructions as to what operations they would expect to be specifically consulted on, even if legally no further authorisation would be required.

QQ

Under the Intelligence Services Act 1994 and Security Service Act 1989, the Agencies are legally authorised to seek intelligence from foreign partners. However, there are currently no legal or regulatory constraints governing how this is achieved.

 

The Government considers it vital to be able to share intelligence with foreign partners. We work closely with our allies to prevent terrorist attacks and to stop serious and organised criminals from causing harm. Safeguards already exist that govern the sharing of intelligence material. The draft Interception of Communications Code of Practice includes specific details on the sharing of intercept material. The draft Bill creates a new role of Investigatory Powers Commissioner, who will have the ability to inspect and oversee any aspect of the use of investigatory powers that he or she deems appropriate, including arrangements for sharing material with foreign partners.

RR

We have explored in detail the arrangements by which GCHQ obtain raw intercept material from overseas partners. We are satisfied that, as a matter of both policy and practice, GCHQ would only seek such material on individuals whom they themselves are intercepting – therefore there would always be a RIPA warrant in place already.

SS

We recognise that GCHQ have gone above and beyond what is required in the legislation. Nevertheless, it is unsatisfactory that these arrangements are implemented as a matter of policy and practice only. Future legislation should clearly require the Agencies to have an interception warrant in place before seeking communications from a foreign partner.

TT

The safeguards that apply to the exchange of raw intercept material with international partners do not necessarily apply to other intelligence exchanges, such as analysed intelligence reports. While the ‘gateway’ provisions of the Intelligence Services Act and the Security Service Act do allow for this, we consider that future legislation must define this more explicitly and, as set out above, define the powers and constraints governing such exchanges.

UU

The Committee does not believe that sensitive professions should automatically have immunity when it comes to the interception of communications. However, some specific professions may justify heightened protection. While the Agencies all operate internal safeguards, we consider that statutory protection should be considered (although we acknowledge that it may be difficult to define certain professions).

The Government agrees that it is important that the use of investigatory powers respects the privilege that attaches to certain communications.

The draft Bill will not hinder the ability of lawyers and doctors to do their jobs and protect the privacy of their clients and patients. The Bill – and accompanying codes of practice – will provide strong protections for sensitive professions. Codes of practice will underpin all of the powers in the draft Bill and will be required to include provision relating to the safeguards that apply in respect of sensitive professions and privileged material.

The draft Bill also makes explicit provision for additional protections in respect of communications to or from certain sensitive professions.

Clauses 16 and 85 of the draft Bill introduce a new statutory requirement for a Secretary of State to consult the Prime Minister before issuing a targeted interception warrant, targeted equipment interference warrant or a targeted examination warrant, where it is intended to intercept or examine the communications of a Member of Parliament or other specified legislative member.

In addition, the Government recognises that communications data requests intended to identify journalistic sources should attract additional safeguards beyond authorisation at official level. The Communications Data Code of Practice currently requires public authorities to seek judicial authorisation before obtaining communications data to identify a journalistic source. Clause 61 of the draft Bill puts this requirement onto a statutory footing.

VV

Given the nature of current threats to the UK, the use of Directions under the Telecommunications Act is a legitimate capability for the Agencies. However, the current arrangements in the Telecommunications Act 1984 lack clarity and transparency, and must be reformed. This capability must be clearly set out in law, including the safeguards governing its use and statutory oversight arrangements.

The Government accepts the ISC’s conclusion and has included provisions in Part 6 of the draft Bill for the acquisition of communications data in bulk, to put this capability on a more transparent footing, with strengthened safeguards. Strict safeguards are already in place, including regular Secretary of State review of whether the capability continues to be necessary and proportionate. For more than 10 years, successive governments have authorised this critical capability. In a similar way to warrants, Secretaries of State authorise the continued use of Directions on a 6 monthly basis and they are overseen by the Intelligence Services Commissioner. The capability has provided fast and secure access to communications data so that the Agencies can join the dots in their investigations.

The draft Bill strengthens these safeguards even further. The power will become subject to the ‘double-lock’ safeguard of Ministerial and Judicial authorisation and the data is only accessible for specified Operational Purposes.

A bulk communications data warrant will have to meet the following test: there must be a national security justification for acquiring the data, it must be necessary and proportionate, and both a Secretary of State and a Judicial Commissioner must approve it. Warrants will last for six months, subject to renewal. Access to data on a day-to-day basis will be strictly controlled and subject to internal justification on grounds of necessity and proportionality. The new Investigatory Powers Commissioner – a senior judge – will provide oversight of the use of this capability.

Clause 188 of the Bill provides a power for the Secretary of State to issue a national security notice requiring an operator to take necessary steps in the interest of national security. The type of support that may be required includes the provision of services or facilities which would help the intelligence agencies in safeguarding the security of their personnel and operations, or in providing assistance with an emergency (as defined in the Civil Contingencies Act 2004).

The Bill makes clear that a national security notice cannot be used for the primary purpose of interfering with privacy, obtaining communications or data. In any circumstance where a notice would involve interference with privacy or the acquisition of communications or data as its main aim, an additional warrant or authorisation provided for elsewhere in the Bill would always be required. As such, a notice of itself does not authorise an intrusion into an individual’s privacy.

WW

While our previous recommendations relate to the changes that would be required to the existing legislative framework, the evidence that we have seen suggests that a more fundamental review is now overdue.

The introduction of the draft Bill illustrates the Government’s acceptance of the ISC’s recommendation. The draft Bill provides a comprehensive and comprehensible framework governing the acquisition of private communications by the state.

YY

The new legislation should clearly list each intrusive capability available to the Agencies (including those powers which are currently authorised under the implicit authorities contained in the Intelligence Services Act and the Security Service Act) and, for each, specify:

  1. The purposes for which the intrusive power can be used (one or more of: the protection of national security, the safeguarding of the economic well-being of the UK, or the detection or prevention of serious crime).
  2. The overarching human rights obligations which constrain its use.
  3. Whether the capability may be used in pursuit of a specific person, location or target, or in relation to a wider search to discover unknown threats.
  4. The authorisation procedures that must be followed, including the review, inspection and oversight regime.
  5. Specific safeguards for certain individuals or categories of information – for example, UK nationals, legally privileged information, medical information etc. (This should include incidental collection where it could not reasonably have been foreseen that these categories of information or individuals might be affected.)
  6. Retention periods, storage and destruction arrangements for any information obtained.
  7. The circumstances (including the constraints that might apply) in which any intelligence obtained from that capability may be shared with intelligence, law enforcement or other bodies in the UK, or with overseas partners.
  8. The offence which would be committed by Agency personnel abusing that capability.
  9. The transparency and reporting requirements.

The Government acknowledges the need to ensure that the public are able to understand the laws governing when and how the security and intelligence agencies and law enforcement are allowed to obtain and use their information. The draft Bill provides a clear and comprehensible framework that clarifies which powers different agencies can use and for what purpose. It specifies:

- The purposes for which each power may be used and the statutory tests that must be satisfied before a power can be used.
- The safeguards that apply to each of the powers, including consideration of wider human rights obligations.
- Whether powers must be directed at an individual or a specific operation, or whether they may be used to acquire data in bulk for target discovery purposes.
- The authorisations process that applies to each power, reflecting the sensitivity and intrusiveness of that power.
- The Codes of Practice that must be laid in respect of each power and which will set out specific safeguards for sensitive professions and privileged material.
- The retention, storage and destruction safeguards that apply to material obtained under each of the powers, including, where appropriate, provision through Codes of Practice.
- The offences that will apply to unauthorised use of powers and capabilities, including the offence of unlawful interception and wilful and reckless acquisition of communications data without lawful authority.
- The role of the Investigatory Powers Commissioner in overseeing the use of those powers and ensuring appropriate levels of transparency to aid public understanding.

ZZ

In terms of the authorisation procedure, the following principles should apply:   

  1. The most intrusive activities must always be authorised by a Secretary of State.
  2. When considering whether to authorise the activity, the Secretary of State must take into account, first, legal compliance and, if this is met, then the wider public interest.
  3. All authorisations must include a summary of the expected collateral intrusion, including an estimate of the numbers of innocent people who may be impacted, and the extent to which the privacy of those innocent people will be intruded upon.
  4. Any capability or operation which would result in significant collateral intrusion must be authorised by a Secretary of State.
  5. All authorisations must be time limited (usually for no longer than six months).
  6. Where an authorisation covers classes of activity conducted overseas, this must include the requirements for recording individual operations conducted under those authorisations, and the criteria for seeking separate Ministerial approval.
  7. Where intelligence is sought from overseas partners, the same authorisation must be obtained as if the intrusive activity was undertaken by the UK Agency itself.
  8. Where unsolicited material is received, the circumstances in which it may be temporarily held and assessed, and the arrangements for obtaining retrospective authority (or where authority is not given, destruction of the material) must be explicitly defined.

The draft Bill provides for enhanced authorisation arrangements, including:

- Strict legal tests that must be satisfied before authorising a particular activity or imposing an obligation on a communications service provider.
- A requirement to take into account collateral intrusion arising as a result of a particular interference.
- A strict time limit on each authorisation (ordinarily six months, subject to renewal or review).

AAA

In relation to communications, given the controversy and confusion around access to Communications Data, we believe that the legislation should clearly define the following terms:

- ‘Communications Data’ should be restricted to basic information about a communication, rather than data which would reveal a person’s habits, preferences or lifestyle choices. This should be limited to basic information such as identifiers (email address, telephone number, username, IP address), dates, times, approximate location, and subscriber information.
- ‘Communications Data Plus’ would include a more detailed class of information which could reveal private information about a person’s habits, preferences or lifestyle choices, such as websites visited. Such data is more intrusive and therefore should attract greater safeguards.
- ‘Content-Derived Information’ would include all information which the Agencies are able to generate from a communication by analysing or processing the content. This would continue to be treated as content in the legislation.

The draft Bill includes revised definitions of the categories of communications data (clause 193):

- Entity data will include data about persons or devices, such as subscriber or billing information.
- Event data will include data about interaction between persons or devices, such as the fact of a call between two individuals.

Before making a request for communications data, public authorities will need to consider which data type they require access to and whether it is necessary and proportionate to do so. Due to the potentially higher level of intrusion associated with Event data, its acquisition must be authorised at a more senior level within the police or other public authorities.

Separate safeguards will apply to the acquisition of Related Communications Data (including that derived from content) which may be obtained as a result of bulk interception.

BBB

The Committee has identified a number of areas where we believe there is scope for the Government to be more transparent about the work of the Agencies. The first step – as previously set out – is to consolidate the relevant legislation and avow all of the Agencies’ intrusive capabilities. This will, in itself, be a significant step towards greater transparency. Where it is not practicable to specify the detail of certain arrangements in legislation, the Government must nevertheless publish information as to how these arrangements will work (for example, in Codes of Practice). We recognise that much of the detail regarding the Agencies’ capabilities must be kept secret. There is, however, a great deal that can be discussed publicly and we believe that the time has come for much greater openness and transparency regarding the Agencies’ work.

This draft Bill provides more detail than ever before about the powers available to the agencies, how they are authorised, and the safeguards that apply to them. It will be underpinned by detailed statutory codes of practice. The Investigatory Powers Commissioner will play a visible, independent role in overseeing the work of the agencies and ensuring there is appropriate transparency and public understanding of how they work.

 


Annex F2

The table below provides an overview of how the Government has responded to the recommendations and conclusions in the report of the Investigatory Powers Review conducted by David Anderson QC.

1

RIPA Part I, DRIPA 2014 and Part 3 of CTSA 2015 should be replaced by a comprehensive new law, drafted from scratch, which:
(a) affirms the privacy of communications;
(b) prohibits interference with them by public authorities, save on terms specified; and
(c) provides judicial, regulatory and parliamentary mechanisms for authorisation, audit and oversight of such interferences.

On enactment, the Investigatory Powers Bill will repeal Part 1 of RIPA and the entirety of DRIPA (and the corresponding amendments made by the CTSA). It also repeals section 94 of the Telecommunications Act 1984 (directions in the interests of national security) and Part 11 of the Anti-Terrorism, Crime and Security Act 2001 (retention of communications data).

Part 1 of the Bill asserts the privacy of communications and provides for related offences of unlawful interception or acquisition of communications data. The Bill introduces judicial approval, following the Secretary of State’s decision, for the use of interception and equipment interference powers as well as the issue of all bulk warrants, so that there is a ‘double-lock’ authorisation on the use of these powers.

Part 8 of the Bill provides for the creation of a new, more visible oversight body – led by the Investigatory Powers Commissioner (IPC), a senior judge with a team of senior judicial commissioners, and the resources and technical support required, to approve and scrutinise the use of investigatory powers.

2

The new law should amend or replace RIPA Part IV.  If Recommendation 82 below is adopted, changes will also be needed to Police Act 1997 Part III, RIPA Parts II and III and RIP(S)A.

Part IV of RIPA will be substantially amended due to the introduction of the Investigatory Powers Commissioner and the creation of a domestic route of appeal from the IPT. The Investigatory Powers Commissioner will have responsibility for the oversight (and in some cases authorisation) of powers exercised under Part III of the Police Act 1997, Parts II and III of RIPA and RIP(S)A.

3

The new law should be written so far as possible in non-technical language.

The Bill has been drafted in so far as possible to be technologically neutral in language.  The technical terms that remain in the draft Bill are included to ensure the provisions in the Bill are clear in their intent and application; they are explained in fact sheets and Explanatory Notes published alongside the draft Bill.

4

The new law should be structured and expressed so as to enable its essentials to be understood by intelligent readers across the world.

The Investigatory Powers Bill brings all of the existing powers available to law enforcement and the security and intelligence agencies to obtain communications and data about communications into one piece of legislation, setting out more clearly than ever before what investigatory powers are available to the state, exactly which public authorities are allowed to acquire, access and retain data and under what safeguards and authorisation. It is intended that the public should be able to understand clearly the law governing access and use of their information.

5

The new law should cover all essential features, leaving details of implementation and technical application to codes of practice to be laid before Parliament and to guidance which should be unpublished only to the extent necessary for reasons of national security.

The Investigatory Powers Bill brings the existing law governing the acquisition of communications and communications data into one single piece of legislation. The Bill makes provision for Parliament to approve statutory Codes of Practice that will govern the use of the powers in the Bill. These will cover:

- Interception of communications
- Communications data (retention and acquisition)
- Bulk acquisition of communications data
- Equipment interference
- Bulk Personal Datasets

6

The following should be brought into the new law and/or made subject to equivalent conditions to those recommended here

6a

(a) the general power under section 94 of the Telecommunications Act 1984, so far as it relates to matters covered by this Review (cf. ISC Report, Recommendation VV)

Paragraph 1 of Schedule 9 to the Bill will repeal section 94 of the Telecommunications Act 1984. Chapter 2 of Part 6 covers the acquisition of communications data in bulk, which had previously been provided for under section 94 of the 1984 Act. Clause 188 provides for other capabilities that have been provided for under the 1984 Act by allowing the Secretary of State to issue a notice to a telecommunications operator requiring them to provide assistance in the interests of national security. The new power is subject to strict safeguards, including a prohibition on notices being authorised where the primary purpose is to obtain communications or communications data.

6b

(b) equipment interference (or CNE) pursuant to sections 5 and 7 of the Intelligence Services Act 1994, so far as it is conducted for the purpose of obtaining electronic communications (cf. ISC Report, Recommendations MM-PP);

Equipment Interference (EI) is currently authorised under sections 5 and 7 of the Intelligence Services Act 1994 and part 3 of the Police Act 1997. The use of EI powers will in future be authorised under Part 5 of the Investigatory Powers Bill. This reflects the recommendations of David Anderson QC and the Intelligence and Security Committee of Parliament. A warrant under Part 5 must be sought whenever an agency intends to undertake EI where there is a connection to the British Islands.

This applies, as suggested, only to EI conducted with the intention to obtain communications and/or other information. Other EI conduct will continue to be authorised by the relevant current legislation.

The IP Bill provides appropriate safeguards for Equipment Interference, reflecting other investigatory powers such as interception. Equipment Interference will be subject to a ‘double lock’, requiring all EI warrants to be approved by a Judicial Commissioner before they come into force.

6c

(c) interception pursuant to sections 48 and 49 of the Wireless Telegraphy Act 2006 (cf. ISC Report, Recommendations XX-ZZ)

Clause 192 of the Bill amends the Wireless Telegraphy Act 2006 so that interception currently authorised under that Act will instead need to be authorised under Part 2 of the draft Bill. Clause 36 authorises interception by OFCOM in order to maintain the security of the radio frequency network.

6d

(d) the acquisition and use of bulk personal data (cf. ISC Report, Recommendation X).

A BPD is essentially a description of a category of information and can be obtained through a wide variety of means. We therefore do not consider there is a need for the IP Bill to provide for a power to acquire BPDs; instead they are obtained using the general statutory gateways in the Security Service Act 1989 and the Intelligence Services Act 1994 that the intelligence agencies use for acquiring information. However, Part 7 of the Bill provides for robust and transparent safeguards around BPDs, including a requirement for warrants to authorise the obtaining, retention and examination of BPDs. Those safeguards are comparable to those provided for in relation to other powers under the Bill.

7

The new law should repeal or prohibit the use of any other powers providing for interference with communications.  But for the avoidance of doubt, no recommendations are made in relation to the use of court orders to access stored communications (e.g.  PACE s9) or the searching of devices lawfully seized, save that it is recommended that oversight should be extended to the former (Recommendation 92(d) below).

Part 1 of the Investigatory Powers Bill makes it an offence to obtain stored communications without lawful authorisation. The obtaining of such communications may be authorised by an interception warrant issued under Part 2 of the Bill or an equipment interference warrant issued under Part 5, which will be subject to IPC oversight. Clauses 10 and 11 of the Bill prohibit authorisations under the Police Act 1997 or the Intelligence Services Act 1994 from authorising the covert acquisition of stored communications from computers in the UK.

As now, other statutes may also authorise the overt acquisition of stored communications. Those powers are already subject to a judicial decision (i.e. court orders) or an existing right of appeal (e.g. Schedule 7). The powers to acquire stored communications provided for in the IP Bill will be overseen by the Investigatory Powers Commissioner.

8

The new law should define as clearly as possible the powers and safeguards governing:

8a

(a) the receipt of intercepted material and communications data from international partners; and

Schedule 6 of the Bill requires that Codes of Practice issued under the Bill must contain provision about requests to overseas partners for intercepted material or related communications data and the handling of material received. Clause 179 provides for the creation of codes of practice. Existing safeguards are set out in the current Interception of Communications Code of Practice.

8b

(b) the sharing of intercepted material and communications data with international partners;
(Recommendations 76-78 below).

Safeguards relating to the disclosure of material overseas are provided in clauses 40 and 41 (and 117 and 118 for bulk). Further information about these safeguards will be included in the Interception of Communications Code of Practice.

The Bill includes separate provisions which deal with mutual legal assistance (these are set out in clauses 28 and 39 of the Bill).

9

Existing and future intrusive capabilities within the scope of this Review that are used or that it is proposed be used should be (cf. ISC Report, Recommendation BBB):
(a) promptly avowed to the Secretary of State and to ISIC;
(b) publicly avowed by the Secretary of State at the earliest opportunity consistent with the demands of national security; and, in any event;
(c) used only if provided for in statute and/or a Code of Practice in a manner that is sufficiently accessible and foreseeable to give an adequate indication of the circumstances in which, and the conditions on which, communications may be accessed by public authorities.

The Investigatory Powers Bill places all of the powers available to the state to obtain communications and communications data on a clear statutory footing. Relevant Secretaries of State and oversight bodies already have visibility of existing intrusive capabilities and will continue to do so for future such capabilities. The Home Secretary’s statement to Parliament on 4 November avowed the use of section 94 of the Telecommunications Act 1984 to acquire communications data in bulk. As demonstrated by the IP Bill and the publication of the Transparency report and reports by the oversight Commissioners and the Intelligence and Security Committee, the Government is committed to enhancing transparency; the Government agrees  that we should seek to keep the public as informed as possible consistent with the demands of national security. All activities of law enforcement, the security and intelligence agencies and other public authorities must be in accordance with the law. The Human Rights Act 1998 means all laws must be compliant with Article 8 (right to respect for privacy and family life) of the European Convention on Human Rights with regard to the foreseeability of their use by public authorities to interfere with privacy and with regard to the safeguards against abuse. The Government is committed to compliance with those requirements.

10

Within the constraints imposed by national security, the current restrictions and prohibitions relating to the disclosure of warrants and intercepted material (RIPA ss15 and 19, Official Secrets Act 1989 s4) should be clarified and reviewed (cf. ISC Report, Recommendation C) in order to ensure, in particular, that:
(a) there is no legal obstacle to explaining the uses (and utility) of warrants to Parliament, courts and public, and that
(b) as recommended by the Police Ombudsman for Northern Ireland in his report of 30 October 2014 on the Omagh bombing, there is “absolute clarity as to how specific aspects of intelligence can be shared in order to assist in the investigation of crime”.

Clause 43(5)(h) allows for the disclosure of information which does not relate to any specific warrant but relates to interception warrants in general. This will allow the uses and utility of warrants to be explained to Parliament, the courts and the public.

Clause 40 imposes restrictions on the access to and disclosure of intercept material, limiting this to the minimum necessary for the authorised purposes. The authorised purposes include the prevention or detection of serious crime. This clause, in combination with s19 of the Counter-Terrorism Act 2008 (which includes provisions on the disclosure of information by the Intelligence Agencies) permits intelligence to be shared with law enforcement bodies in order to assist in the investigation of a serious crime.

11

Breach of Codes of Practice should not automatically constitute a criminal offence: any new criminal offence or enhanced penalty (cf. JCDCDB Report paras 227 and 229; ISC Report, Recommendation T) should be specifically identified in the new law.

A new offence has been created under clause 8 of the Bill of knowingly or recklessly obtaining communications data without authority. Other offences are all specified in the draft Bill.

12

The definitions of content and of communications data, and any subdivisions, should be reviewed, with input from all interested parties including service providers, technical experts and NGOs, so as to ensure that they properly reflect both current and anticipated technological developments and the privacy interests attaching to different categories of material and data. Content and communications data should continue to be distinguished from one another, and their scope should be clearly delineated in law.

The Government accepts that there is a need to clarify the different types of communications data. Clause 193 of the draft Bill includes revised definitions of the categories of communications data:

- Entity data will include data about persons or devices, such as subscriber or billing information.
- Event data will include data about interaction between persons or devices, such as the fact of a call between two individuals.

Recognising the more intrusive nature of event data, Schedule 4 of the draft Bill requires the acquisition of event data to be authorised at a more senior level than entity data. CSPs and technical experts were consulted in the development of the definitions in the Bill and proposals were shared with NGOs at an early stage. The Government will continue to invite views on the definitions before a revised Bill is introduced to Parliament in 2016.

13

ATCSA 2001 Part 11 should be repealed, and the voluntary code of practice issued under it should be withdrawn.

Part 1 of Schedule 9 to the Investigatory Powers Bill repeals ATCSA 2001 Part 11.

14

The Home Secretary should be able by Notice (as under DRIPA 2014 s1 and CTSA 2015 s21) to require service providers to retain relevant communications data for periods of up to a year, if the Home Secretary considers that the requirement is necessary and proportionate for purposes laid down in Article 15(1) of the e-Privacy Directive.

This is provided for under Clause 71 of the Bill.

15

In relation to the subject matter of the 2012 Communications Data Bill, Government should initiate an early and intensive dialogue with law enforcement and CSPs in order to formulate an updated and coordinated position, informed by legal and technical advice, on the operational case for adding web logs (or the equivalent for non-web based OTT applications) to the data categories currently specified in the Schedule to the Data Retention Regulations 2014 for the purposes of:

The Government has considered the operational case for the provisions in the 2012 draft Communications Data Bill. Following consultation with law enforcement and communications service providers, we consider that there is a strong operational case for providing for the retention of internet connection records, which will indicate the specific internet services to which a person or device has connected.

The Government recognises the sensitive nature of internet connection records and for that reason clause 47 restricts the purposes for which they can be acquired further than other forms of communications data. A designated senior officer in a public authority will only be able to require disclosure or processing of internet connection records for the following purposes:

- To identify the sender of an online communication. This will often be in the form of an IP address resolution and the internet service used must be known in advance of the application.
- To identify which communication services a person has been using. For example whether they are communicating through apps on their phone.
- To identify where a person has accessed illegal content. For example an internet service hosting child abuse imagery.

Clause 71 of the draft Bill also provides that local authorities will not be permitted to acquire internet connection records under any circumstances.

Before making a request for communications data, public authorities will need to consider which data type they require access to and whether it is necessary and proportionate to do so.

a

(a) resolving shared IP addresses or other identifiers (in particular, to identify the user of a website);

Clause 47 restricts the purposes for which internet connection records can be acquired consistent with this. The retention of ICRs is necessary in order to resolve IP addresses consistently.

b

(b) identifying when a person has communicated through a particular online service provider (so as to enable further enquiries to be pursued in relation to that provider); and/or

Clause 47 restricts the purposes for which internet connection records can be acquired consistent with this. We consider there is a strong case for allowing law enforcement to access ICRs for this purpose. The case for access to ICRs for this and other purposes has been published alongside the draft Investigatory Powers Bill.

c

(c) allowing websites visited by a person to be identified (to investigate possible criminal activity)

Clause 47 restricts this purpose to establishing whether a person is accessing or making available material the possession of which is a crime (e.g. to identify whether a person had uploaded illegal images to a website). We consider there is a strong case for allowing law enforcement to access ICRs for this purpose. The case for access to ICRs for this and other purposes has been published alongside the draft Investigatory Powers Bill.

d

Full consideration should be given to alternative means of achieving those purposes, including existing powers, and to the categories of data that should be required to be retained, which should be minimally intrusive.  If a sufficiently compelling operational case has been made out, a rigorous assessment should then be conducted of the lawfulness, likely effectiveness, intrusiveness and cost of requiring such data to be retained.  No detailed proposal should be put forward until that exercise has been performed. 

The Government has engaged intensively with law enforcement agencies to make the operational case for the inclusion of internet connection records. The case has been published alongside the draft Bill.

16

The rules regarding retention of data by CSPs should comply (to the extent that it may be applicable) with EU law as contained e.g. in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and with the ECHR, particularly as regards:

The provisions of DRIPA, with its increased safeguards, together with the robust access regime provided for by RIPA, created a regime that responded to the judgment while still ensuring the system was operationally workable.

The judgment of the Divisional Court in the judicial review of DRIPA has been appealed to the Court of Appeal which has decided to make a preliminary reference to the European Court of Justice to clarify the effect of the Digital Rights Ireland judgment.

16 a

(a)       limits on the data whose retention may be required;

16 b

(b)        ensuring that retention periods are no longer than necessary;

16 c

(c)       ensuring the protection and security of data and their destruction when the retention period ends; and

16 d

(d)        the location in which data are stored.

17

To the extent that a requirement is placed on CSPs that may result in them retaining partial or complete web logs or equivalent, the circumstances in which access may be sought by public authorities and the conditions on which access should be granted should be the subject of guidance in a Code of Practice and/or from ISIC, and sufficient records should be kept to allow ISIC to verify through regular audit and inspection that requests have been properly authorised.

Clause 47 restricts the purposes for which internet connection records can be acquired. Local authorities may not acquire internet connection records at all.

 

There is existing guidance in codes of practice on the retention of and access to CD.  New codes are provided for in the Bill (Schedule 6). The current Interception of Communications Commissioner (whom the IPC will replace) provides guidance on acquisition issues to forces and we will ensure that appropriate records continue to be kept and that regular audits and inspections continue to take place.

18

There should be no question of progressing proposals for the compulsory retention of third party data before such time as a compelling operational case may have been made, there has been full consultation with CSPs and the various legal and technical issues have been fully bottomed out.  None of those conditions is currently satisfied.

The Government has decided that there will be no third party data retention requirements imposed on CSPs.

 

While there would still be operational benefit from the retention of third party data, that benefit has declined as a result of encryption.

19

The capability of the security and intelligence agencies to collect and analyse intercepted material in bulk should be maintained, subject to rulings of the courts, but used only subject to the safeguards in Recommendations 40-49 and 72-80 below, and only in cases where it is necessary to achieve an objective that cannot be achieved by the new and less extensive power in Recommendation 42(b) below. 

Part 6, Chapter 1 of the Bill maintains the ability for the security and intelligence agencies to carry out bulk interception. The safeguards mirror those in the targeted interception clauses in Part 2, Chapter 1.

20

In relation to interception and the acquisition of communications data, the following types of compulsory warrant and authorisation  should be available:

 

20a

(a)       For the interception of communications in the course of transmission,
·         a specific interception warrant
·         a combined warrant
·         a bulk interception warrant.

Clause 12(1)(a) provides for the Secretary of State to make a targeted interception warrant.

 

Clause 184 and Schedule 7 of the Bill provide for the combining of warrants and authorisations.

 

Part 6, Chapter 1 provides for the making of bulk interception warrants by the Secretary of State.

20b

(b)      For the acquisition of communications data in bulk, a bulk communications data warrant.

Chapter 2 of Part 6 of the Bill provides for this.

20c

(c)      For the acquisition of communications data otherwise than in bulk, an authorisation.

Part 3 of the Bill provides for this.

21

To the extent that Recommendation 6 above is adopted, the analogous activities there referred to should be subject to equivalent procedures.

The Investigatory Powers Bill applies strict safeguards and oversight to the EI regime, reflecting other powers, such as interception – detailed at clause 103.


The safeguards and processes cannot be identical, due to the operational differences between the techniques.

The key difference between Interception and EI in this regard is the use of the information obtained as evidence in legal proceedings. Equipment interference techniques are currently used by law enforcement agencies to bring criminals to justice, including through the use of EI product in court. The Bill does not change the current approach. This is set out at clause 103(4)(d).

22

Specific interception warrants, combined warrants, bulk interception warrants and bulk communications data warrants should be issued and renewed only on the authority of a Judicial Commissioner.

The Bill introduces a “double-lock” authorisation model which requires that a targeted interception warrant, bulk interception warrant or bulk communications data warrant signed by the Secretary of State must also be approved by a Judicial Commissioner before it can come into force.

 

Authorising warrants is one of the means by which Secretaries of State hold the agencies and the police to account, and in turn, they are accountable to Parliament for how those powers are authorised and exercised. Introducing a judicial element to the authorisation process will ensure both democratic accountability, and independent verification.

 

The authorisation process in the case of combined warrants is outlined at Schedule 7.  It sets out that regardless of who issues the warrant, where two or more powers are authorised under the same warrant then the authorisation of that warrant will be subject to approval by a Judicial Commissioner.  

23

Authorisations for the acquisition of communications data otherwise than in bulk should be issued only on the authority of a Designated Person authorised to do so by the authorising body.

Clause 46 provides for this. (The Bill also provides for collaboration agreements under which public authorities may, or may be required to, collaborate on use of DPs and SPOCs in line with other recommendations.)

24

It is not recommended that service providers wishing to offer services in the UK should be required to have a licence, or that they should be required to store data in the UK.  But in order to address deficiencies in access to material from overseas service providers, the Government should:

We agree with this recommendation, and have not legislated in the Bill that service providers wishing to offer services in the UK should be required to have a licence, or that they should be required to store data in the UK.

24a

(a)      seek the cooperation of overseas service providers, including by explaining so far as possible the nature of the threat, how requests are authorised and overseen, and the steps that are taken to ensure that they are necessary and proportionate;

We are continuing to engage and work with communications service providers who provide services to users in the UK.

 

Companies that work across international boundaries regularly have to manage competing legal obligations. We will always work with companies to ensure they can meet their obligations under RIPA.

24b

(b)      seek the improvement and abbreviation of MLAT procedures, in particular with the US Department of Justice and the Irish authorities; and

The UK has been working closely with counterparts in the US to improve the quality of requests and to streamline processes under the existing bilateral MLAT. The UK has also been speaking to the Irish authorities about the extent to which the EU Mutual Legal Assistance Convention might provide for access to data stored in Ireland.

24c

(c)      take a lead in developing and negotiating a new international framework for data-sharing among like-minded democratic nations.

This work is underway.  Sir Nigel Sheinwald, the PM’s special envoy on access to data, discussed with the companies and the US and other governments a solution that would allow certain democratic countries - with similar values and high standards of oversight, transparency and privacy protection - to gain access to content in serious crime and counter-terrorism cases through direct requests to the companies.  The Government is now taking this forward.

 

Clause 39 of the Bill provides for companies in the UK to comply with interception requests in accordance with any future relevant international agreement.

25

Pending a satisfactory long-term solution to the problem, extraterritorial application should continue to be asserted in relation to warrants and authorisations (DRIPA 2014 s4), and consideration should be given to extraterritorial enforcement in appropriate cases.

Clauses 29 and 30 provide for the service of interception warrants on persons who provide services to customers in the UK, irrespective of whether the company is based in the UK or not. Clause 31(8) makes clear that the power is enforceable through civil proceedings.

26

Only those currently specified in RIPA s6 should be entitled to apply for a specific interception warrant.

Clause 15 sets out those who may apply for an interception warrant. This is the same position as currently provided for in section 6 of RIPA.

27

Specific interception warrants should be limited to a single person, premises or operation.  Where a warrant relates to an operation, each person or premises to which the warrant is to apply, to the extent known at the time of the application, should be individually specified on a schedule to the warrant, together with the selectors (e.g. telephone numbers) applicable to that person or premises.

Clauses 23(3) and (4) of the Bill require that a targeted interception warrant must name or describe the person or organisation and, in relation to an operation, must describe the purpose or activity

28

The only purposes for which a specific interception warrant can be issued should be, as under RIPA s5(3):

Clause 14(3) sets out the statutory purposes for which an interception warrant can be sought. These are the same as the purposes in section 5 of RIPA.

 

 

28

(a)      preventing or detecting serious crime (including by giving effect to a mutual legal assistance agreement), or

28

(b)      in the interests of national security (including safeguarding the economic well-being of the UK in a respect directly linked to the interests of national security).

29

29. Applications for interception warrants should contain the following information:
(a) The background to the operation or investigation in the context of which the warrant is sought
(b) The person(s) or premises to which the application relates, to the extent known at the time of application, and how they feature in the operation
(c) A description of the communications to be intercepted, details of the service provider(s) and an assessment of the feasibility of the interception to the extent known at the time of application
(d) A description of the conduct to be authorised or the conduct it is necessary to undertake in order to carry out what is authorised or required by the warrant
(e) An explanation of why that conduct is considered to be necessary for one or more of the permitted statutory purposes
(f) An explanation of why any likely intrusion into privacy is proportionate to what is sought to be achieved by that conduct, explaining why less intrusive alternatives have not been or would not be as effective
(g) Consideration of any collateral intrusion and why that intrusion is justified in the circumstances
(h) Whether the application is made for the purposes of determining matters that are privileged or confidential such as (for example) the identity of a witness or prospective witness being contacted by a lawyer or the identity of a journalist’s confidential source
(i) Whether the application relates to a person who is known to be a member of a profession that handles privileged or confidential information (including medical doctors, lawyers, journalists, Members of Parliament or ministers of religion), and if so what protections it is proposed will be applied
(j) Where an application is urgent, the supporting justification
(k) An assurance that all material intercepted will be kept for no longer than necessary in accordance with the applicable rules, and handled in accordance with the applicable procedures for minimisation, secure holding and destruction.

Clause 23 sets out the requirements that a warrant must satisfy. Further information about detail that should be included in warrant applications will be provided in codes of practice.

 30

When a specific interception warrant is sought for the purpose specified in Recommendation 28(b) above (national security) and that purpose relates to the defence of the UK and/or the foreign policy of the Government, the Secretary of State should have the power to certify that the warrant is required in the interests of the defence and/or foreign policy of the United Kingdom.  In such cases, the Judicial Commissioner in determining whether to issue the warrant (Recommendation 31 below) should be able to depart from that certificate only on the basis of the principles applicable in judicial review.

The ‘double lock’ authorisation regime applies to all warrants issued under the Bill. This will preserve democratic accountability and introduce a further element of independent verification.

 31

A specific interception warrant should be issued only if it is established to the satisfaction of a Judicial Commissioner that:

Under the provisions in the Bill, warrants will only be authorised by the Secretary of State where they are necessary and proportionate for a permitted statutory purpose and where the conduct is lawful. A Judicial Commissioner will then review the Secretary of State’s decision, applying judicial review principles. This will include considering whether the use of investigatory powers is necessary and proportionate. The Commissioner would also determine whether the use of the powers would be lawful. If the Judicial Commissioner disagreed with the decision of the Secretary of State under our proposed model, the warrant would not come into force.

 31a

(a) the warrant is necessary for one or both of the permitted statutory purposes (Recommendation 28 above);

 31b

(b) the conduct authorised by the warrant is proportionate to what is sought to be achieved by that conduct; and

 31c

the assurances regarding the handling, retention, use and destruction of the intercepted material, including in relation to privileged or confidential material, are satisfactory.

Clause 14 requires the Secretary of State to be satisfied that these safeguards are in place before authorising a warrant.

 32

Arrangements should be put in place for the prompt consideration of urgent applications for specific interception warrants from any part of the UK and at any time.

Clause 20 of the Bill provides that if a warrant is deemed by a Secretary of State to be urgent, then it will come into force immediately. It will then last for five working days and must be reviewed by a Judicial Commissioner during this time.

 33

Should an application for a specific interception warrant be rejected, the Judicial Commissioner should give reasons for rejection.  In the event of rejection, the applicant for a warrant should be able to:

Clause 19 provides that if the Judicial Commissioner disagreed with the decision of the Secretary of State, the warrant would not come into force. In that case, the Judicial Commissioner must provide written reasons for the refusal. The Bill provides an ‘appeal’ mechanism by which the Secretary of State may ask the Investigatory Powers Commissioner to reconsider the warrant, but the IPC’s decision would be final. There is no means by which a Secretary of State could overrule a Commissioner.

 33a

(a)      re-submit an amended application, addressing the defects or omissions identified by the Judicial Commissioner; or

 33b

(b)      request a final ruling on the original application from the Chief Judicial Commissioner, by way of appeal from the original rejection.

 33c

(c) The Chief Judicial Commissioner may consider any such appeal in conjunction with one or more other Judicial Commissioners.

 34

It should normally be for a Judicial Commissioner to make major modifications to a specific interception warrant, e.g. the addition of a new person or premises to the schedule.  So far as applicable, the information listed at Recommendation 29 above should be supplied and considered before such a modification is authorised.  However, a Judicial Commissioner should have the power to authorise a DP meeting the requirements set out in Recommendations 56 and 57 below to make major modifications to a specific interception warrant on the basis that such modifications are then notified promptly to the Judicial Commissioner.  The circumstances in which this could be appropriate should be specified in a Code of Practice and might include, for example, (1) urgent or fast moving cases, and (2) cases in which the interference with privacy is always likely to be small, or to be consistent across possible targets.

Clause 26 of the Bill provides that a major modification can be made by: the Secretary of State; a member of the Scottish Government; or a senior official acting on behalf of the Secretary of State or a member of the Scottish Government. The Investigatory Powers Commissioner may retrospectively scrutinise any modifications made to a warrant. 

 

 35

Provision should be made for minor modifications (e.g. the addition of a new telephone number for an existing target) to be made, after consideration of the implications if any for privacy, collateral intrusion and proportionality, by a DP meeting the requirements set out in Recommendations 56 and 57 below.

Clause 26 provides that a minor modification can be made by: the Secretary of State; a member of the Scottish Government; a senior official acting on behalf of the Secretary of State or a member of the Scottish Government; a senior person in a warrant requesting department, the person to whom the warrant is addressed or another senior official in the warrant requesting department.

 36

A Judicial Commissioner should have the power to cancel a specific interception warrant at any time, if it appears to the Judicial Commissioner that one or more of the conditions for its issue are no longer satisfied.

The Secretary of State will have an obligation to cancel any warrant that no longer meets the conditions of its issue. The Investigatory Powers Commissioner will provide retrospective oversight of this process and all aspects of the warrantry regime. Judicial Commissioners will formally consider warrants at the point of their issue and renewal.

 37

Specific interception warrants should have a duration of six months.  The Judicial Commissioner who issues the warrant should have a discretion to require that it be reviewed by a Judicial Commissioner at a specified time before its expiry.

Clause 24 makes clear that targeted interception warrants will last six months except in urgent cases, in which they will last only five days.

 

As is currently the case, the Secretary of State will have the ability to attach conditions to the approval of warrants (which might include a requirement for an update to be submitted to the Secretary of State before the sixth month period).

 38

Warrant renewals should take effect from the date of expiry of the warrant (as currently under RIPA Part I Chapter 2) rather than from the date of renewal (as currently under RIPA Part I Chapter 1).

 Clause 24(2)(b) provides for this.

 39

Combined warrants should be subject to the same rules as interception warrants, save that:

 Clause 184 and Schedule 7 of the Bill provide that certain warrants can be combined for purposes of operational efficiency. All combined warrants must include either an EI or interception warrant and so all combined warrants will be subject to the double lock authorisation procedure.

 

A combined warrant allows the Secretary of State and/or Judicial Commissioner who is authorising the warrant to look across the full range of actions that may be applied to the subject of the warrant. This allows them to take a more informed decision about the necessity and proportionality of the action being undertaken. It is also more efficient for the agency applying for the warrant.

 39a

(a)      They may authorise, in the context of a given operation, more than one of (1) interception, (2) intrusive surveillance and (3) property interference.

 39b

(b)      They must explain why the conditions for each type of warrant are satisfied, and why it is necessary and proportionate for a combined warrant to be issued.

 40

Only the Director General of MI5, the Chief of MI6 and the Director of GCHQ, in each case with the approval of the Secretary of State, should be eligible to apply for bulk warrants.

Part 6 provides that only the security and intelligence agencies can apply for a bulk warrant.

 41

The restrictions in Recommendation 27 should not apply to bulk warrants.

This is reflected in the bulk warrant provisions at Part 6 of the Bill.

 42

There should be two types of bulk warrant:

 

 42a

bulk interception warrants, which would allow content and related communications data to be obtained; and

Clause 106 provides for this.

 42b

bulk communications data warrants, which would allow only communications data to be obtained.

Clause 122 provides for this.

 42c

A bulk interception warrant should never be applied for, approved or authorised in circumstances where a bulk communications data warrant would suffice.

Clause 107 requires the Secretary of State to consider whether it is necessary to acquire content under a bulk interception warrant, or whether it is sufficient to obtain related communications data under that warrant.

 43

The purposes for which a bulk warrant is sought should be:

This is provided for at clauses 107, 122 and 137 of the Bill.  The Secretary of State and Judicial Commissioner must authorise the operational purposes which will govern when material collected in bulk can be selected for examination, at the same time as they authorise its acquisition.

 

 

 43a

(a) limited to the permitted statutory purposes  (Recommendation 28 above);

 43b

(b) (in lieu of the certificate provided for by RIPA s8(4)(b)), limited to one or more specific operations or mission purposes (e.g. “attack planning by ISIL in Iraq/Syria against the UK”).

 44

Bulk interception warrants should, in addition, be required to be targeted at the recovery of intercepted material comprising the communications of persons believed to be outside the UK at the time of those communications.  It should be determined (if Recommendation 42(b) is adopted) whether an analogous restriction is necessary or desirable in relation to bulk communications data warrants.

Clause 106 specifies that a bulk interception warrant may only be issued where the main purpose is for the interception of overseas related communications. 

 

The Bill does not impose an analogous restriction for the acquisition of communications data in bulk.  The power to acquire domestic communication data currently allows the security and intelligence agencies to make vital investigative connections in order to understand terrorist networks and to disrupt threats in the UK. The Bill puts this power on a clearer statutory footing and makes it subject to equivalent safeguards to other bulk powers.

 45

Applications for bulk warrants should contain the following information: 

(a)      The specific operation(s) or mission purpose(s) in respect of which they are sought

(b)      Description of the communications to be intercepted or acquired, details of the CSP(s) and an assessment of the feasibility of the interception or acquisition

(c)      Description of the conduct to be authorised, or the conduct it is necessary to undertake in order to carry out what is authorised or required by the warrant

(d)      A statement specifying both the statutory purpose(s) and, as precisely as possible, the operations or mission purposes in relation to which material is sought

(e)      An explanation, backed by evidence, of why the interception or acquisition is considered to be necessary for one or more of the permitted statutory purposes and for the operations or mission purposes identified

(f)       An explanation of why any likely intrusion into privacy is proportionate to what is sought to be achieved by that conduct, explaining why less intrusive alternatives have not been or would not be as effective

(g)      Consideration of any collateral intrusion and why that intrusion is justified in the circumstances

(h)      Whether the application could result in acquisition of material or data that is privileged or confidential material, and if so what protections it is proposed will be applied

(i)        In the case of a bulk interception warrant, an explanation of why a bulk communications data warrant would not be an adequate alternative

(j)        In the case of a bulk communications data warrant, an explanation of why an authorisation would not be an adequate alternative

(k)      Where an application is urgent, supporting justification

(l)        Details of the use that it is proposed to make of the data that is recovered, including in relation to possible sharing and use in combination with other datasets.

(m)    An assurance that all material recovered will be retained no longer than necessary, looked at, used or analysed only for certified purposes and in accordance with the applicable rules, and handled in accordance with the applicable procedures for minimisation, secure holding and destruction.

Clauses 106, 122 and 135 set out the information that must be included in bulk warrant applications. Clauses 111, 125 and 140 require bulk warrants to specify the operational purposes for which any intercepted material or related communications data may be selected for examination. Further detail about the contents of warrant applications will be included in codes of practice issued under the Bill.

 46

46. When approving a bulk warrant that is sought in whole or in part for the purpose referred to in Recommendation 28(b) above (national security), and when that purpose relates to the defence of the UK and/or the foreign policy of the Government, the Secretary of State should certify:

(a)      that the warrant is required in the interests of the defence and/or foreign policy of the United Kingdom; and

(b)      that it is required for the operation(s) and/or mission purpose(s) identified.

The ‘double lock’ authorisation regime applies to all warrants issued under the Bill. This will preserve democratic accountability and introduce a further element of independent verification.

 47

In such cases, the Judicial Commissioner in determining whether to issue the warrant (Recommendation 48 below) may depart from that certificate only on the basis of the principles applicable in judicial review.

The ‘double lock’ authorisation regime applies to all warrants issued under the Bill. This will preserve democratic accountability and introduce a further element of independent verification.

 48

A bulk warrant should be issued only if it is established to the satisfaction of a Judicial Commissioner that:

(a)      its purpose and targets are limited by reference to the factors identified in Recommendations 43 and 44 above;

(b)      it is necessary for one or more of the permitted statutory purposes;

(c)      it is necessary for the mission purpose(s) and/or operation(s) identified;

(d)      in the case of a bulk interception warrant, it is necessary for the warrant to apply to content as well as communications data;

(e)      the conduct authorised by the warrant is proportionate to what is sought to be achieved by that conduct; and that

(f)       the assurances regarding the handling, retention, use and destruction of the intercepted material or acquired data, including in relation to privileged or confidential material, are satisfactory.

The ‘double lock’ authorisation regime applies to all warrants issued under the Bill. This will preserve democratic accountability and introduce a further element of independent verification.

 49

Recommendations 32-38 above should apply also to bulk warrants, save that any modification to a bulk warrant must be authorised by a Judicial Commissioner.

Part 6 of the Bill includes relevant provisions.

 50

Public authorities with relevant criminal enforcement powers should in principle be able to acquire communications data.  It should not be assumed that the public interest is served by reducing the number of bodies with such powers, unless there are bodies which have no use for them.  There should be a mechanism for removing public authorities (or categories of public authorities) which no longer need the powers, and for adding those who need them.

The Government has reviewed the public authorities with communications data powers. 13 public authorities were removed from RIPA last year. Otherwise the list of public authorities included in the Bill that can acquire communications data has been subject to minimal change. Schedule 4 of the Bill lists all public authorities that will have powers under Part 3 of the Bill. 

 

 

 51

The issue of which (if any) categories of communications data should be unavailable to certain public authorities should be reviewed, in the light of Recommendation 12 above and any revision of procedures for authorisation and review.  (Some examples of the potential value to local authorities of what is currently known as traffic data are at Annex 16 to this report.)

Schedule 4 of the Bill provides that all public authorities should have access to all data reflecting their requirements with the exception of local authorities who are prohibited from acquiring internet connection records.  The Bill includes a power to add or remove public authorities.

 

 

 52

The grounds on which communications data may be acquired should remain as set out in RIPA s22(2), subject to any limitation (relating, for example, to the need for crime to exceed a certain threshold of seriousness, which would not necessarily need to be set at the same level as in RIPA s81(2)(b)) that may be required by EU law or the ECHR.

Clause 46 sets out the purposes for which communications data can be acquired in the Bill.  They remain the same as in RIPA.

 

 53

Communications data should be acquired only after the grant by a designated person (DP) of an authorisation.  Details of the authorisation should be served on a CSP where it appears to the DP that the CSP is or may be in possession of, or capable of obtaining, any communications data.  The distinction between an authorisation and a notice (RIPA s22) is unnecessary and should be abandoned.

Clause 46 provides for the substance of this recommendation.  Under the provisions in the Bill, a designated senior officer will issue an authorisation. That authorisation authorises engaging in conduct to acquire communications data. Where appropriate, that may include the issue of a notice to a CSP requiring the disclosure of CD.     

 

 54

The application for an authorisation should set out the matters specified in the Acquisition and Disclosure of Communications Data Code of Practice (March 2015) 3.5-3.6.

Schedule 6 of the Bill provides for statutory Codes of Practice, which will provide further detail about applications.

 55

An authorisation should be granted only if the DP is satisfied, having taken the advice of the SPoC and considered all the matters specified in the application, that it is necessary and proportionate to do so.

Clauses 46 (authorisations) and 60 (requirement to consult a Single Point of Contact) provide for this.

 56

DPs should be persons of the requisite rank or position with the requesting public authority or another public authority.  The Regulation of Investigatory Powers (Communications Data) Order 2010 should be revised after consultation in the light of:

(a)      Recommendation 12 above;

(b)       the comments of IOCCO (December 2014 submission to the Review, 3.3) on the appropriate rank of DPs and the need for consistency across public authorities and in relation to comparable methods of surveillance; and

(c)      The new functions placed on DPs and summarised at Recommendations 59(b) and 60 below.

Clause 54 with Schedule 4 provide for this.

 57

DPs should be adequately trained in human rights principles and legislation (including in relation to privileged or confidential material), and may grant authorisations only when and to the extent that it is necessary and proportionate to do so in the specific circumstances.

Schedule 6 provides that a Code of Practice may contain provision about the training of people exercising functions under the Bill. The communications data code, to which regard must be had when exercising functions, must also make provision about privileged or confidential material. The assessment of necessity and proportionality under clause 46 will include the specific circumstances of the case.

 58

As recently stated in the ISC Report, Recommendation HH: “there should always be a clear line of separation within the Agencies between investigative teams who request approval for a particular activity, and those within the Agency who authorise it”.  DPs (including in the security and intelligence agencies) should be required by statute to be independent from operations and investigations when granting authorisations related to those operations and investigations, and this requirement should be implemented in a manner consistent with the ECHR and EU law.

Clause 47 provides for the independence of the DSO with exceptions for specified exceptional circumstances (eg, in the interests of national security) and smaller public authorities that have insufficient staff. 

 59

The function of DPs should be:

(a)      To authorise the acquisition of communications data (Recommendation 55 above);

(b)      To make references to ISIC on applications for privileged/confidential material and, where appropriate, on novel/contentious applications (Recommendations 68 and 70 below).

Clause 61 provides that requests for communications data for the purpose of identifying or confirming journalistic sources must be approved by a judicial commissioner.

 

The Code of Practice will provide that the IPC must be consulted about novel and contentious requests for communications data.

 

 60

In addition, DPs appointed by the nine bodies entitled to intercept communications data should be entitled to authorise minor modifications to specific interception warrants (Recommendation 35 above).

Clause 26 provides that a minor modification can be made by: the Secretary of State; a member of the Scottish Government; a senior official acting on behalf of the Secretary of State or a member of the Scottish Government; or a senior person in a warrant requesting department.

 61

No authorisation should be granted (save in exceptional circumstances specified in the new law) without the prior opinion of an accredited Single Point of Contact (SPoC).  The purpose of the SPoC should be:

(a)      to ensure that only practical and lawful requirements for communications data are undertaken; and

(b)      to facilitate the lawful acquisition of communications data, and effective co-operation between a public authority and CSPs.

Clause 60 provides for this. 

 62

The functions of the SPoC should be set out in statute along the lines of the March 2015 Code of Practice on the Acquisition and Disclosure of Communications Data, para 3.22.

Clause 60 sets out the functions of a SPoC.

 

 63

SPoCs should not have to be located within the requesting authority.  For example, there would be no obstacle to police SPoCs being organised on a regional or national level, as is the National Anti-Fraud Network (NAFN).

Clauses 62 and 64 provide for collaboration agreements between police and other public authorities, which may include the sharing of SPoCs and designated officers between authorities.

 64

In the case of local authorities, the SPoC function should continue to be compulsorily performed through a SPoC at NAFN.

Clause 58 requires local authorities to be in collaboration agreements.  In practice this will mean that they must use the SPoCs at NAFN.

 65

In the case of the other “minor users”, responsible between them for less than 1% of requests for communications data in 2014, the SPoC function should in future also be compulsorily performed by a SPoC at NAFN, which will need to be resourced for that purpose.

Clauses 62 and 63 provide for voluntary and compulsory collaboration agreements which provide for sharing of SPOC as well as DSO functions.  This provides flexibility about who smaller public authorities should collaborate with. 

 

 66

The requirement in RIPA 2000 ss23A-B of judicial approval by a magistrate or sheriff for local authority requests for communications data should be abandoned.  Approvals should be granted, after consultation with NAFN, by a designated person of appropriate seniority within the requesting public authority.

In order to provide reassurance about the use of communications data by local authorities, clause 59 provides for judicial authorisation of local authority applications for communications data. This responsibility will continue to be undertaken by magistrates.

 67

When the communications data sought relates to a person who is known to be a member of a profession that handles privileged or confidential information (including medical doctors, lawyers, journalists, Members of Parliament or ministers of religion), the new law should provide for the DP to ensure that (1) special consideration is given to the possible consequences for the exercise of rights and freedoms, (2) appropriate arrangements are in place for the use of the data, and (3) the application is flagged for the attention of ISIC inspectors.

Schedule 6 of the Bill requires that the statutory Codes of Practice deal with these issues.

 68

If communications data is sought for the purposes of determining matters that are privileged or confidential such as (for example) (1) the identity of a witness or prospective witness being contacted by a lawyer or (2) the identity of a journalist’s confidential source, the DP should be obliged either to refuse the request or to refer the matter to ISIC for a Judicial Commissioner to decide whether to authorise the request.

Clause 61 provides for judicial commissioner approval of requests for communications data to identify or confirm journalistic sources.

 

 69

A Code of Practice, and/or ISIC guidance, should specify (1) the rare circumstances in which it may be acceptable to seek communications data for such a purpose, and (2) the circumstances in which such requests should be referred to ISIC.

The Bill provides that such decisions must be authorised by a Judicial Commissioner. The communications data Codes of Practice issued under Schedule 6 will provide further detail.

 70

In recognition of the capacity of modern communications data to produce insights of a highly personal nature, where a novel or contentious request for communications data is made, the DP should refer the matter to ISIC for a Judicial Commissioner to decide whether to authorise the request.

A Code of Practice issued under the Bill will provide that Judicial Commissioners’ advice should be sought where a novel and contentious request for communications data is made.

 

 71

A Code of Practice, and/or ISIC guidance, should specify the circumstances in which such requests should be referred to ISIC.

72

Safeguards at least equivalent to those in RIPA s15, as elaborated in section 7 of the Interception of Communications draft Code of Practice, should ensure that the domestic disclosure, dissemination, copying, storage and retention of intercepted material is limited to the minimum necessary for the authorised purposes.

Clauses 40-42 provide for safeguards replicating those in sections 15 and 16 of RIPA.  The relevant provisions in the draft Interception of Communications Code of Practice under RIPA will be reflected in the new code issued under the Bill.

 73

Equivalent statutory safeguards should be provided in relation to communications data.  In particular, the new law and a Code of Practice issued under it, with the involvement of the Information Commissioner as appropriate, should make provision for:

(a)      why, how and where data are retained within public authorities;

(b)      who may access them within the public authority;

(c)      with whom the data may be shared, and under what conditions;

(d)      the special rules needed as regards the treatment of data that appear to be privileged or confidential (see Recommendations 67-69 above), and data relating to a victim or a witness;

(e)      the processing of data for reasons going beyond their acquisition;

(f)       the use of data in conjunction with other datasets;

(g)      the processes for determining which data should be destroyed or further retained; and

(h)      compliance with the Data Protection Act 1998.

Paragraph 3 of Schedule 6 specifically requires the Acquisition of CD Code of Practice to include provision on these matters.

74

These safeguards should be enforced and backed up by ISIC audits (as currently performed by IOCCO), examining:

(a)      how the material and/or data were used or analysed;

(b)      whether they were used for the stated or intended purpose;

(c)      what actual interference or intrusion resulted, and whether it was proportionate to the aim set out in the original authorisation;

(d)      whether the conduct became disproportionate to what was foreseen at the point of authorisation, and if so whether the operational team initiated the withdrawal of the authorisation;

(e)      retention, storage and destruction arrangements; and

(f)       whether any errors or breaches resulted from the interference or intrusion.

The IPC will oversee all aspects of access to communications data under the Bill.

 75

On the basis that MI5, MI6 and GCHQ each apply the safeguards referred to in Recommendations 72-73 above, they should be permitted to share intercepted material and communications data between them for the purposes of their respective functions.

As now, the security and intelligence agencies will continue to be able to share intercepted material and communications data for the purposes of their respective functions.

76

Any receipt of intercepted material or communications data from third countries should be on the basis of clearly-defined safeguards, published save insofar as is necessary for the purposes of national security and monitored by ISIC, including a warrant governing any intercepted material that is sought (ISC Report, Recommendations QQ-TT).

Schedule 6 of the Bill requires that codes of practice issued under the Bill must contain provision about requests to overseas partners for intercepted material or related communications data and the handling of material received. Clause 179 provides for the creation of codes of practice. Existing safeguards are set out in the current Interception Code of Practice.

77

Any transfer of intercepted material or communications data to third countries should be on the basis of clearly-defined safeguards, published save insofar as is necessary for the purposes of national security and monitored by ISIC.

Safeguards relating to the disclosure of intercepted material overseas are provided in clauses 40 and 41. Further information about these safeguards will be included in the Interception of Communications Code of Practice.

 

The Bill includes separate provisions which deal with mutual legal assistance (these are set out in clauses 28 and 39 of the Bill).

 

Paragraph 3 of Schedule 6 specifically requires the Acquisition of CD Code of Practice to include provision on these matters.

78

The new law should make it clear that neither receipt nor transfer as referred to in Recommendations 76-77 above should ever be permitted or practised for the purpose of circumventing safeguards on the use of such material in the UK.

Intercepting agencies will be bound by the obligations at clauses 40 and 41 and by further restrictions set out in codes of practice. Their compliance will be overseen by the Investigatory Powers Commissioner.

 79

Content that is acquired pursuant to a bulk interception warrant and that relates to a communication involving a person believed to be in the UK should be made available to be read, looked at or listened to only on the basis of a specific interception warrant issued by a Judicial Commissioner (Recommendations 26-38 above): cf. in part ISC Report, Recommendations Q and R.

Clause 119 places a prohibition on selecting intercepted material for examination if any criteria used for the selection of that material refer to an individual known to be in the UK and are aimed at identifying the content of communications sent by or intended for that individual.  If the intercepting agencies wish to examine the communications of a person believed to be in the UK that have been collected in bulk, a targeted examination warrant must be sought (provided for in Clause 12).

 80

The new law should in addition provide for appropriately rigorous and rights-compliant procedures for the purposes of authorising access to:

 80a

(a)      content that is acquired pursuant to a bulk warrant and that does not relate to a communication involving a person believed to be in the UK; and

This is provided for by clauses 117-119.

 80b

(b)      (if Recommendation 42(b) is adopted), communications data that are obtained pursuant to a bulk warrant.

Safeguards for communications data obtained under a bulk acquisition warrant are set out in clauses 131-132. Safeguards for related communications data obtained under a bulk interception warrant are set out in clauses 117-119.  This includes additional provisions as related communications data obtained via interception is subject to an evidential bar.

 81

The bar in RIPA s17 on using intercepted material as evidence in legal proceedings (recently endorsed after lengthy consideration in Cm 8989) did not form part of this Review.  Consideration should however be given to adding to the list of exceptions in RIPA s18, without prejudice to any other possible additions, proceedings before (1) the Parole Commissioners for Northern Ireland and (2) the Sentence Review Commissioners in Northern Ireland.

Paragraph 13 of schedule 3 provides for this.

82

The Interception of Communications Commissioner’s Office (IOCCO), the Office of Surveillance Commissioners (OSC) and the Intelligence Services Commissioner (ISCommr) (the current Commissioners) should be replaced by a new Independent Surveillance and Intelligence Commission (ISIC).

Part 8 of the Bill provides for these functions to be subsumed by the Investigatory Powers Commissioner.

 

83

It should be the duty of every relevant person to disclose or provide to ISIC all such documents and information as ISIC may require for carrying out its functions, as is the case for the current Commissioners under RIPA ss58 and 60 and the Police Act 1997 s107(5)(a).

Clause 175 provides for this.

 84

ISIC (through its Judicial Commissioners: see Recommendations 106-107 below) should be granted powers:

 

 84a

(a)      to issue and renew warrants (Recommendation 22 above);

The ‘double lock’ authorisation regime applies to all warrants issued under the Bill. This will preserve democratic accountability and introduce a further element of independent verification.

 84b

(b)      to make major modifications to specific interception warrants and combined warrants (Recommendations 34 and 39 above);

 84c

(c)      to make modifications to bulk warrants (Recommendation 49 above); 

 84d

(d)      to cancel warrants that it has issued (Recommendations 36, 39 and 49 above);

 84e

(e)      to authorise applications for communications data referred to it by public authorities pursuant to Recommendations 68 (privileged and confidential material) and 70 (novel and contentious) above; and

Judicial Commissioners will have the power to authorise requests for communications data to identify journalistic sources (clause 61). Codes of Practice will specify circumstances in which public authorities must seek advice in novel and contentious cases.

 84f

(f)       to issue guidance (cf. the OSC’s Procedures and Guidance of December 2014) to public authorities in relation to issues arising in relation to applications for warrants and the grant of authorisations, which would supplement the new law and any codes of practice issued under it and which should be published where the constraints of national security permit.

Clause 172 provides for this.

 85

The functions referred to in Recommendation 84 above should only be performed by Judicial Commissioners who hold or have held high judicial office (High Court or above), subject to the possibility of delegating certain functions to persons who hold or have held judicial office at least at the level of Circuit Judge.  As currently with the OSC, the judicial authorisation function should be independent from and in no sense subordinate to the other functions of ISIC.

Clause 169 provides for this. Judicial Commissioners will be required to hold or have held high judicial office.

 

 86

Judicial Commissioners should use their power where appropriate to request further clarification, information or documents from the requesting public authority, and/or to consult standing counsel on any point of legal difficulty.  Public authorities should have a right of appeal to the Chief Judicial Commissioner (Recommendation 33(b) above).

Clause 19(5) provides for public authorities to appeal a decision of a Judicial Commissioner to the Investigatory Powers Commissioner. Judicial Commissioners will be able to seek any further factual clarifications that they feel necessary and may use some of their increased resources to appoint legal counsel.

 87

ISIC (through its Judicial Commissioners) should also take over from the OSC its equivalent functions (in relation to public authorities other than the security and intelligence agencies) in relation to intrusive surveillance, property interference and undercover officers under RIPA Part II, RIP(S)A and the Police Act 1997.

Clauses 178, 169 and 173 provide for this.

 88

ISIC should be resourced so as to enable it to provide a prompt, efficient and reliable warrantry service in all jurisdictions of the United Kingdom.

Clause 176 provides for this by dealing with funding for the Investigatory Powers Commissioner. 

 89

The existing audit and inspection functions of the current Commissioners should be transferred to the ISIC, including:
(a)      all those set out in RIPA Parts I-III, RIP(S)A and the Police Act 1997, to the extent that they are consistent with the arrangements in the new law;
(b)      the audit of the use by security and intelligence agencies of their holdings of Bulk Personal Datasets (cf. ISC Report, Recommendations X and Y); and
(c)      the recently granted power to oversee the operation of directions under Telecommunications Act 1984 s94 (IOCCO Report, March 2015, section 10), to the extent that such power may survive the introduction of the new law.

Clauses 178, 169 and 173 provide for this.

 

 90

ISIC should have the power to review compliance with the terms of any warrant, authorisation or guidance that may have been issued by the Judicial Commissioners.   Where error is found, an Inspector should be able to recommend that the warrant in question be reviewed by a Judicial Commissioner with a view to its possible modification or cancellation.

The Investigatory Powers Commissioner will be able to review all activity relating to the use of investigatory powers covered by warrants (Clause 169). If a serious error is found then the Investigatory Powers Commissioner may refer the matter to the Investigatory Powers Tribunal as per clause 171.

91

In addition, ISIC should have the power to inspect:

(a)      The exercise by DPs of all the functions summarised in Recommendations 59 and 60 above

(b)      The treatment by public authorities of privileged and confidential material

(c)      The retention, storage, processing and destruction of all communications data acquired by public authorities (not just, as currently for IOCCO, communications data only when it is related to intercepted material)

(d)      The use of such data, including in combination with other datasets (cf. ISC Report, Recommendation Y)

(e)      The use by public authorities of open-source intelligence (OSINT)

(f)       The sharing of intercepted material and communications data within the UK Government

(g)      The receipt of intercepted material and communications data from, and the transfer of such material and data to, foreign governments (Recommendations 76-78 above).

Clause 169 provides for this.

 92

Additional gaps in the arrangements relating to IOCCO’s current activities (explained in IOCCO’s submission of December 2014 to this Review) should be filled when ISIC is constituted.  In particular:

 

 92a

(a)      Express provision should be made for error reporting, and for a procedure for arriving at and keeping under review the definition of an error where interception is concerned. 

Clause 171 provides for this.

 92b

(b)      There should be a statutory requirement for ISIC to review the giving of notices by the Secretary of State (currently under DRIPA 2014 s1) requiring the retention of specific communications data by a CSP.

Clause 169 provides for this.

 92c

(c)       ISIC should have the power to report on refusals by service providers (including overseas service providers, given the extraterritorial effect of the law) to intercept communications or disclose communications data when a lawful request is made of them.

Clause 174 provides for the Investigatory Powers Commissioner to report upon any matter relating to investigatory powers in their annual or other reports.

 92d

(d)      There should be statutory provision for oversight of the operation of powers for interception and/or obtaining communications data other than in the new law, to the extent that such powers survive, including the power to access stored data by order of the court under PACE s9.

Clause 169 provides for the Investigatory Powers Commissioner to be able to review all covert activity relating to the use of investigatory powers under the Bill, but not court orders.

 93

Though strictly outside the scope of this Review, it would also be appropriate to review the existing powers of the OSC and of the ISCommr so as to identify any other gaps that should be filled when constituting the ISIC.

The Investigatory Powers Commissioner will be able to review all activity relating to the use of investigatory powers (Clause 169).

 

 94

ISIC (like IOCCO before it) should have the capacity to inspect the work of analysts, investigators, SPoCs and DPs on live cases as well as on cases that are closed.

The Investigatory Powers Commissioner will be able to review all covert activity relating to the use of investigatory powers (Clause 169).

 

 95

ISIC should have the power to report on, to issue guidance on and to participate in the preparation of Codes of Practice any activity which it has the power to inspect.

The Investigatory Powers Commissioner may issue a report on any area or subject relating to the work of the Investigatory Powers Commissioner that they feel is necessary (clause 174(5)). He or she may also provide assistance and guidance to public authorities and others as per clause 172(2).

 96

ISIC should inherit the intelligence oversight functions of the ISCommr, including:

Clauses 178, 169 and 173 provide for this.

 

 96a

(a)      oversight of the Consolidated Guidance to Intelligence Officers and Service Personnel; and

Clauses 178, 169 and 173 provide for this.

 96b

(b)      keeping under review the activities of the Agencies or others engaging in intelligence activity, as directed by the Prime Minister under RIPA s59A.

Clause 170 provides for this.

97 

Consideration could be given to granting ISIC a more general supervisory power over the activities of the Agencies, but subject to Recommendation 118 (no duplication of functions and resources).

The Investigatory Powers Commissioner will be able to review all activity relating to the use of investigatory powers (Clause 169) as well as the existing functions of the Intelligence Services Commissioner.

98

ISIC should be subject to the same obligation as the current Commissioners (RIPA s68(2)) to provide assistance to the IPT, and should be kept informed of proceedings relevant to its functions (as by RIPA s68(3)).

This is provided for in clause 172(1).

99

ISIC should further be given the power, on its own initiative or at the suggestion of a public authority or CSP, and subject to a duty not to disclose anything that would be damaging to national security or prejudice ongoing operations, to: (a) and (b) in any case in which in the opinion of ISIC it is possible that the scale or nature of the error might entitle the subject of the error to compensation.

 

 99a

(a)      inform a subject of an error on the part of a public authority or CSP; and

The Investigatory Powers Commissioner will be able to inform a subject of an error (clause 171(1)), subject to meeting the conditions included in clause 171(2), namely that the error is sufficiently serious and the IPT judges that the impact on the individual is such that it is in the public interest for the individual to be informed.

 99b

(b)      inform the subject of his right to lodge an application to the IPT.

Clause 171(8)(a) provides for this.

100

To the extent that Recommendation 6 is adopted, the powers and functions set out in Recommendations 84-99 above should apply in an equivalent manner to the activities there referred to.

Clause 169 provides for this.

101

There should be a report at least once in every year dealing with all aspects of the work of ISIC, and supplemented as may be feasible by more regular statistical releases.

Clause 174 provides for this.

102

As an expert, apolitical body with a strong judicial ethos, ISIC should also have the power to carry out inquiries and produce reports into matters falling within its remit, at the request of the Prime Minister or on its own initiative.

The Investigatory Powers Commissioner may look at any issue within their remit of investigatory powers. The Prime Minister can also direct the Commissioner to inspect or carry out particular inquiries (clause 174).

103

The Prime Minister should have the power to redact ISIC’s annual report on narrowly specified grounds (cf.  RIPA s58(7)).  The Prime Minister should be obliged to lay ISIC’s annual report before Parliament within a certain number of days (or sitting days) of receipt.

Clause 174 provides for this.

104

The Chief Commissioner should be a person of unquestioned professional distinction and independence, committed not only to leading the work of ISIC but to accounting publicly and to Parliament for that work, and to building public awareness of ISIC and its role.  The Chief Judicial Commissioner should be eligible to serve also as Chief Commissioner, but need not necessarily do so: some possibilities are illustrated in the diagrams at Annexes 17-18 to this Report.

The Investigatory Powers Commissioner will be a powerful, visible new role and will be expected to build public and Parliamentary awareness of his work.

105

The Chief Commissioner should be appointed by the Prime Minister.  Consideration should be given to allowing the ISC a voice in the appointment or confirmation of the Chief Commissioner.

This is provided for by clause 167.

 

 106

Judges entitled to authorise warrants should be known as Judicial Commissioners (or Assistant Judicial Commissioners) so as to emphasise their distinct and independent status.  There should be regular dialogue and sharing of experience between the Judicial Commissioners and the inspectorate.

Judicial Commissioners will review Secretary of State decisions to approve investigatory powers warrants on Judicial Review principles. Judicial Commissioners will also have a role to play in determining what should happen to any material that was gathered under an urgent warrant that was later quashed by a Judicial Commissioner.

 107

Judicial Commissioners could be full-time or (as currently in the OSC) part-time judges on duty according to a rota.  They should be capable of providing prompt and efficient service for applications from all parts of the United Kingdom.  It will be necessary to provide 24-hour cover (as currently by the Secretary of State) for cases where urgent applications for warrants and authorisations arise out of hours.

The IPC will provide 24-hour cover to deal with urgent authorisations. The Bill also provides an urgency procedure where a Secretary of State issued warrant can take effect without prior Judicial Commissioner approval.

 108

An inspectorate should be provided for the audit and inspection functions entrusted to ISIC.

The IPC will have a large body of technical inspectors to advise them in their functions.

109

ISIC should have staff with the necessary expertise (including technical expertise) and resources in relation to:

(a)      each power whose operation it audits or inspects (including interception and encryption, communications data, directed and intrusive surveillance, property interference and CHIS/undercover); and

(b)      each function relating to intercepted material and data (including acquisition, use, storage, retention, dissemination, sharing and destruction).

The IPC will have a large body of technical inspectors, in house legal advisors and communications support. In addition to this the Commissioner will have a budget provision to buy in any additional expertise that they feel is necessary. 

110

ISIC should have an in-house legal presence and one or more security-cleared standing counsel, appointed on a part-time basis from the independent practising Bar, whose function would be, on request:

(a)      to give advice on recent developments in the law,

(b)      to advise ISIC on possible legal vulnerabilities in the arrangements whose operation it reviews;

(c)      to advise (at the request of the Judicial Commissioners) in relation to applications for warrants or requests for authorisations on proposed communications data authorisations;

(d)      to assist with the legal aspects of formulating guidance and contributing to Codes of Practice; and

(e)      by these means to help ISIC ensure that the activities it authorises, audits or reviews are lawful, and that the public authorities it oversees have due warning of legal difficulties.

The IPC will have an in house legal presence and a budget provision to spend on external advisors when they feel there services are necessary.

 

 

 

 

 

111

Within the necessary constraints of security:

(a) ISIC should be public-facing, transparent and open to diverse ideas (including from all sectors of the community in all parts of the UK, from other countries, from international institutions and from young people who have grown up online).

(b) It should be willing to draw on expertise from the worlds of intelligence, computer science, technology, academia, law and the NGO sector, and should engage with and support compliance officers and compliance mechanisms within public authorities, DPs and SPoCs.

(c) As much as possible of its output (including, within the constraints of national security, any guidance that it may issue) should be published on a user-friendly website.

(d) Commissioners and staff should attend and participate in conferences, invite dialogue, assist the conduct of research and be alert to the adoption and dissemination of international best practice.

(e) ISIC should make itself accessible to traditional media, and have an active social media presence.

The Government has made clear that it will provide the necessary technical, legal, and communications expertise to enable the IPC to undertake their oversight and authorisation functions effectively.  In particular, the Government is keen that the new body more effectively engages the public and Parliament.  Exactly how the IPC does this will be a matter for them, given it is an independent body.

112

ISIC should be sufficiently resourced to enable it to perform functions which are more extensive than those performed by the almost 40 full-time and part-time current Commissioners and staff.

The IPC will have a large body of technical inspectors, in house legal advisors and communications support. In addition to this the Commissioner will have a budget provision to buy in any additional expertise that they feel is necessary. 

113

The jurisdiction of the IPT should be expanded (or clarified) to cover circumstances where it is a CSP rather than a public authority which was at fault (for example, by intercepting the wrong communications address and/or disclosing the wrong communications data).

The IPT will continue to scrutinise the activities of public authorities. CSPs are already subject to inspection from the Information Commissioner and can be held accountable for any errors that they make through this route.

114

There should be a right of appeal to an appropriate court from rulings of the IPT, on points of law only, permission being required in the normal way from either the IPT or the appellate court (cf. ISC Report, Recommendation LL).

Clause 180 provides for this.

115

The IPT (which is chaired by a High Court Judge or Lord Justice of Appeal) should be given the same power as the High Court to make a declaration of incompatibility under HRA 1998 s4, particularly (but not exclusively) should Recommendation 114 not be adopted.

The Government is accepting recommendation 114 and believes that this provides a sufficient right of appeal.  The Court of Appeal will be able to make a declaration of incompatibility.

 

116

The IPT should have the resources it needs to operate in a practical and expeditious manner.  Those resources should be independent of those allocated to ISIC and the ISC, whose conduct may from time to time be in issue before the IPT.

The IPC and IPT will have separate resources and they are independent of one another. 

117

The IPT should where appropriate require ISIC to provide it with assistance, particularly of an investigative nature, as it has several times required the existing Commissioners to do pursuant to RIPA s68(2). 

Clause 172 provides for this.

 

118

There should continue to be a committee of parliamentarians with oversight of the work of the security and intelligence agencies and trusted by them with classified information, not only because parliamentary oversight is desirable in principle but because of the knowledge and understanding that its members bring to parliamentary debates with national security implications, e.g. in relation to terrorism legislation and proscription orders.

The Intelligence and Security Committee of Parliament will continue to fulfil this role.

119

The functions of ISIC and the ISC should not overlap.  In particular, there should be no duplication of reporting functions or resources between the ISC and ISIC.

A Memorandum of Understanding will be developed to minimise overlap between the two bodies. 

120

It should be for Parliament to consider whether:

(a) to retain the system of Prime Ministerial appointment but require the Chair to be a member of a political party not represented in government;

(b) to transfer the ISC’s investigative resource in due course to ISIC; and/or

(c) to recast the ISC as a Select Committee (either on its own or merged with the Defence Select Committee) whose members would be elected in the normal way, and to which ISIC would report where necessary in closed session.

The nature and role of the ISC was discussed during the passage of the Justice and Security Act 2013. The Investigatory Powers Bill does not include any further suggestions for reforming the role of the ISC. Should Parliament consider that further changes to the Committee are needed then this may be proposed during the passage of the Bill and the Government will consider.

121

It should be recognised that the operation of covert powers is and should remain secret, and that transparency in relation to operational matters is not a realistic goal.

We endorse this observation.

122

Public authorities should however be as open as possible (cf. ISC Report, Recommendation BBB).  They should consider how they can better inform Parliament and the public about why they need their powers, how they interpret those powers, the broad ways in which those powers are used and why any additional capabilities might be required.  They should contribute to any consultations on the new law, so as to ensure that policy-making is informed by the best evidence.

The Investigatory Powers Bill provides more detail than ever before about the powers available to the agencies, how they are authorised, and the safeguards that apply to them. It will be underpinned by detailed statutory Codes of Practice. The Investigatory Powers Commissioner will play a visible, independent role in overseeing the work of the agencies and ensuring there is appropriate transparency and public understanding of how they work.

123

The statistics provided by ISIC should be as informative as possible: the proposals put forward by IOCCO in its December 2014 submission to this Review provide a useful starting point.

This will be provided for in a Memorandum of Understanding.

124

Both ISIC and the IPT should be as open as possible in their work, and should seek actively to make the public aware of their role as a check on the powers of public authorities.

The Government has made clear that it will provide the necessary technical, legal, and communications expertise to enable the IPC and IPT to undertake their functions effectively.  Exactly how they engage with the public and Parliament will be a matter for them, given they are independent bodies.

 


Annex F3

The table below provides an overview of how the Government has responded to the recommendations and conclusions in the Report of the Independent Surveillance Review Panel convened by the Royal United Services Institute.

1

We support the view – as described in both the Intelligence and Security Committee of Parliament (ISC) and Anderson reports – that the current surveillance powers are needed but that they require a new legislative framework and oversight regime. We do not believe that the ISC’s recommendation of consolidating all current laws relating to the intelligence agencies in a single legal framework is required to achieve substantial reform, nor do we think there should be separate legislation for the police and for the security and intelligence agencies. We agree with David Anderson’s suggestion that RIPA 2000 Part I, DRIPA 2014 and Part 3 of the CTSA 2015 should be replaced by a comprehensive new law.

On enactment, the Investigatory Powers Bill will repeal RIPA 2000 Part 1, and DRIPA 2014 (and the corresponding amendments made by the CTSA 2015). It also repeals Section 94 of the Telecommunications Act 2015 (directions in the interests of national security) and Part 11 of the Anti-Terrorism, Crime and Security Act 2001 (retention of communications data).

2

The new legislation should be clearly articulated while also recognising the complexity of the issues. Codes of Practice, published in statute, should be written in plain and accessible language and include details of implementation and technical application of the legislation.

The new Bill brings the existing law governing the use of investigatory powers into one single piece of legislation. Codes of Practice will be published alongside the Bill. These will cover:

  • Interception of Communications
  • Communications data (retention and acquisition)
  • Bulk acquisition of communications data
  • Equipment interference
  • Bulk Personal Datasets
 

3

Following evidence received by the ISR Panel and further discussion with civil-liberties groups and communications service providers (CSPs), we recommend that definitions of content data and of communications data should be reviewed as part of the drafting of new legislation. They should be clearly delineated in law.

Clause 193 of the draft Bill sets out definitions of communications data and the content of communications in a way that is technologically neutral. Under RIPA communications data is currently broken down into three sub-categories: traffic data, service use information and subscriber information. The Bill replaces the existing definitions as follows:

Communications data is categorised into:

  • Entity data – This data is about entities or links between them but does not include information about individual events. Entities could be individuals, groups and objects (such as mobile phones or other communications devices).

  • Events data – Events data identifies or describes events which consist of one or more entities engaging in an activity at a specific point, or points, in time.

The Bill provides, for the first time, the definition of content. The content of a communication or other item of private information is the data which reveals anything of what might reasonably be expected to be the meaning of that data, disregarding any meaning that can be inferred from the fact of the communication or the existence of an item of private information.

Additionally, Clause 82 creates a further category of data known as Related Communications Data/Equipment data. Communications data and equipment data include communications data and any data which enables or otherwise facilitates the functioning of any system or service provided by the system. It also allows data with the characteristics of communications data to be extracted from the content of the communication where the data, once extracted, does not reveal the meaning of the content of the communication.

4

While the number of public authorities with the power to obtain communications data has recently been reduced, we believe
(i) that there should be a periodic review of which public bodies have the authorisation to use intrusive powers (such as directed surveillance and interception of communications) and
(ii) that all relevant applications from authorised public bodies to obtain communications data must be made via the National Anti-Fraud Network as the national single point of contact in the future.

The Government regularly reviews which authorities have access to communications data. Authorities can only be added through the enhanced affirmative procedure, but they will be able to be removed through the negative procedure.

The other powers provided in the Bill (interception and equipment interference) are available to the law enforcement and security and intelligence agencies. Only a small subset of law enforcement agencies have the ability to intercept, and those authorities who can access these powers are listed on the face of the Bill.

The ability to collect any data in bulk is limited to the security and intelligence agencies. The investigatory powers provided for in Part 2 of RIPA (directed and intrusive surveillance) are outside the scope of the IP Bill. However, authorities with access to these powers are kept under review.

An experienced single point of contact (SPoC) is a crucial safeguard in any application for communications data. Clause 62 of the draft Bill provides for collaboration agreements between authorities where designated senior officers and SPoCs can be shared. These collaboration agreements can be voluntary or there is a power for the Secretary of State to require public authorities to enter into them. The power will be used to ensure minor users of communications data use an experienced SPoC function, such as the National Anti-Fraud Network. It would not be appropriate for all authorities to use NAFN because NAFN do not have the resources or the expertise to make all requests for communications data – such a requirement would increase their communications data work by more than 200 fold.

5

A national approach to policing in the digital era is necessary and long overdue. The police require a unified national digital policing strategy and the resources to deliver the capability to ensure digital investigations and intelligence capability. This will require a co-ordinated national effort bringing the relevant bodies together, and a review of core training in digital investigations and intelligence skills for all officers.

The Government recognises the need for policing to respond to a digitally enabled society. We are supporting police led digital transformation strategies which will develop digital investigation and intelligence capabilities at the local, regional and national level.  

6

A Technical Advisory Board was established under RIPA 2000 which brought together industry experts in a personal capacity. Since its inception, the Board has not met regularly and is seen as ineffectual. The government should replace the Board with an Advisory Council for Digital Technology and Engineering. The Advisory Council would be a statutory and non-departmental public body established under new legislation. Terms of reference for a new Advisory Council should be drawn up so as to keep under review the domestic and international situation with respect to the evolution of the Internet, digital technology and infrastructure, as well as:
• Provide advice to relevant ministers, departments and agencies on technical measures
• Promote co-operation between the public and private sectors
• Manage complaints from CSPs on notices and measures they consider unreasonable
• Advance public education
• Support research on technology and engineering.

Clause 183 provides for a Technical Advisory Board comprising industry and agency experts to provide advice to the Secretary of State on the cost and technical feasibility of implementing a particular obligation.

To date, the TAB has never been required to fulfil its statutory function. However, rather than being indicative of an ineffective Board, it is illustrative of close collaboration between the Home Office and CSPs; and the fact that financial reimbursement arrangements are in place that meet CSPs’ requirements.

A number of other bodies already exist to bring industry and government together in matters of interception and communications data, such as the Telecommunications Industry Security Advisory Council (TISAC) and the Interception and Communications data Strategy Groups (LISG and CDSG respectively). We therefore judge that the TAB performs an important safeguard for CSPs in their negotiations with government on strategic interception capabilities.

In addition, the Investigatory Powers Commissioner which will be established by the Bill will have increased resources, including an expanded team of technical inspectors, in house legal advisors and a communications expert. The Commissioner will also have a budget to “buy in” any further technical resource that they feel is necessary to fulfil their broad new remit.

7

The Advisory Council should be a resource for a new National Intelligence and Surveillance Office (see Recommendation 17) and the ISC.

8

The capability of the security and intelligence agencies to collect and analyse intercepted material in bulk should be maintained with stronger safeguards as set out in the Anderson Report. In particular, warrants for bulk interception should include much more detail than is the case currently and be the subject of a judicial authorisation process, save for when there is an urgent requirement (see Recommendation 10, point 2).

Part 6 of the Bill provides for the security and intelligence agencies to collect communications and communication data in bulk, putting existing powers onto a clear statutory footing in one piece of legislation.

The Bill states that a bulk warrant must specify the operational purposes for which material collected in bulk may be examined by an analyst. The operational purposes must be agreed by the Secretary of State and approved by a Judicial Commissioner as set out in clauses 107 and 109. Before an analyst can access any data obtained under a bulk warrant, he or she will need to ensure that it is necessary and proportionate, and is in accordance with the relevant operational purpose.

In addition, analysts will only be able to examine the content of the communications of a person believed to be in the UK if they have obtained a targeted examination warrant which must be issued by the Secretary of State, and approved by a Judicial Commissioner (clause 119).

9

We agree with both the ISC and Anderson reports that there should be different types of warrant for the interception and acquisition of communications and related data, and have drawn on both sets of recommendations. We recommend three types of warrant for the interception of communications and an authorisation for communications data:


1. For the interception of communications in the course of transmission we suggest two different types of warrant:


a. A specific interception warrant which should be limited to a single person, premises or operation


b. A bulk interception warrant which would allow content data and related communications data to be obtained.


2. For the acquisition of communications data in bulk, a bulk communications data warrant which would be limited to the acquisition of communications data


3. For the acquisition of communications data otherwise than in bulk, an authorisation by the relevant public authority. Communications data should only be acquired after the authorisation is granted by a designated person.

Part 2 of the IP Bill provides for targeted interception warrants, targeted examination warrants (which allow for the examination of data which has been collected in bulk that relates to a person believed to be in the UK) and mutual assistance warrants. A targeted interception warrant, as set out in clause 12, authorises interception in the course of transmission and of related communications data. These warrants may relate to a particular person or organisation or a single set of premises, which must be named or described in the warrant. It may also relate to more than one person, organisation or set of premises where the conduct authorised is for the purpose of the same investigation. This must be described and as many of the entities as is practical must be named on the warrant (clause 23).

A bulk interception warrant, as specified in clause 106, is for the purpose of intercepting overseas communications in bulk and also related communications data. The warrant must specify the operational purposes for which the communications and data issued under this warrant may be selected for examination (clause 111).

A bulk acquisition warrant, as specified in clause 122, permits the acquisition of communications data in bulk, as defined in clause 193.

All bulk warrants must be issued by the Secretary of State and approved by a Judicial Commissioner. The Secretary of State and the Judicial Commissioner also authorise the operational purposes which determine the circumstances in which the material collected in bulk can be selected for examination.

The authorisation for the acquisition of communications data other than in bulk is set out in clause 46. It may only be authorised by a designated senior officer at a rank stipulated in Schedule 4 of the Bill. This clearly sets out the relevant officer in each public authority which may authorise the acquisition of communications data. Before granting an authorisation, the designated senior officer is required, by virtue of clause 60, to consult a person acting as a single point of contact (SPoC). The SPoC is an accredited officer, trained to facilitate lawful acquisition between the public authority and the CSP. The SPoC can provide advice to both the officer making the application for communications data and the designated senior officer as to the lawfulness of the request.

10

We recommend that the government adopts a composite approach to the authorisation of warrants, dependent on the purpose for which the warrant is sought and subsequent degree of ministerial input required. Our approach does not discriminate between whether it is law-enforcement or an intelligence agency submitting the warrant.

1. Where a warrant (see points 1a, 1b and 2 in Recommendation 9) is sought for a purpose relating to the detection or prevention of serious and organised crime, the warrant should always be authorised by a judicial commissioner. Most police and other law-enforcement warrants would fall into this category. A copy of each warrant should be provided to the Home Secretary (so that the Home Secretary and officials can periodically examine trends in serious and organised crime, for example).

2. Where a warrant (see points 1a, 1b and 2 in Recommendation 9) is sought for purposes relating to national security (including counter-terrorism, support to military operations, diplomacy and foreign policy) and economic well-being, the warrant should be authorised by the secretary of state subject to judicial review by a judicial commissioner. The review should take place before implementation of the warrant. If there is a case of urgency the secretary of state should be able to direct that a warrant comes into force immediately, and the judicial commissioner should be notified straight away and the judicial review conducted within fourteen days.

The judicial commissioners in charge of the authorisation of warrants should not be part of a new National Intelligence and Surveillance Office nor should they be based in a government department, but alternative office facilities should be sought so that the commissioners are accessible but remain independent. To ensure no loss of operational efficiency, appropriately qualified judges would have to be available at all times throughout the year.

Warrants for interception and (for the security and intelligence agencies) equipment interference for all the specified purposes in the Bill (national security, economic well-being and serious crime) will continue to be issued by the Secretary of State as set out in clauses 14 and 107. The Bill does, however, require the warrant to be approved by a Judicial Commissioner before it comes into force (clauses 19 and 90). The Judicial Commissioner will apply the principles of judicial review when considering a warrant issued by the Secretary of State.

In urgent cases, clauses 20 and 91 make provision for the Secretary of State to issue a warrant without the approval of a Judicial Commissioner, however the Judicial Commissioner must approve the warrant within 5 days of it being issued. If the Judicial Commissioner does not approve the warrant within this period, it ceases to have effect.

The Judicial Commissioners will be part of the Investigatory Powers Commission but they will be independent of the arm of the Investigatory Powers Commissioner who will inspect the public authorities’ use of investigatory powers. The Commission will perform two distinct functions and will employ two separate teams to complete these functions. The first of these teams will approve the warrant authorising the use of investigatory powers. The second, oversight team will look at how the powers authorised under that warrant were used by the public authority as well as taking a wider system overview of the full process. This follows the model of the Office of Surveillance Commissioners who currently authorise LEA use of intrusive surveillance and Covert Human Intelligence Sources and also inspect LEA use of the powers and report their findings to the Prime Minister. They will be based in appropriate offices, independent of Government.

11

The Investigatory Powers Tribunal (IPT) should be as open as possible and proactively find ways that make its business less opaque to the public.

Currently those wishing to challenge a judgment from the IPT must bring it before the European Court of Human Rights (ECtHR). This system can be time consuming, opaque and difficult to understand.

In order to increase public confidence that those who use investigatory powers are fully held to account by the law, and that Articles 8 and 10 of the European Convention on Human Rights are respected, we are creating a right to challenge the decisions of the IPT in a higher court within the UK (clause 180).

All applications (complaints and claims) will be capable of being subject to an appeal, where there is a substantive point of law at issue.

12

The IPT should hold open public hearings, except where the Tribunal is satisfied that private or closed proceedings are necessary in the interests of justice or other identifiable public interest.

It is already the case that the IPT considers the cases before it in open sessions where it is able to do so. The IPT recognise the need to be transparent about their work and will continue to hold open hearings wherever possible. 

13

The IPT should have the ability to test secret evidence put before it by the SIAs. While internal procedures are a matter for the Tribunal to decide, we suggest that this could be achieved through the appointment of a special counsel.

It is already the case that the IPT can test the evidence put before it.  In some circumstances, when the IPT deem it necessary, Counsel to the Tribunal is appointed whose role it is to ensure that all parties to the proceedings are represented. The IPT will also be able to draw on the expertise of the Investigatory Powers Commissioner, where appropriate.

14

We agree with both the ISC and Anderson reports that the domestic right of appeal is important and should be considered in future legislation.

This is provided for under clause 180, as explained in Recommendation 11.

15

Appointment to the IPT should be limited to a term of four years, renewable once for a further four years.

The current appointment periods allow members of the IPT to develop expertise in a complex area. We will continue to keep appointments to the IPT under review.

16

The judicial commissioners should have a statutory right to refer cases to the IPT where they find a material error or arguable illegality or disproportionate conduct.

Clause 171 provides that if the Investigatory Powers Commissioner identifies an error they must consider whether it is serious.  If they consider it to be a serious error, they must inform the IPT. If the IPT agrees that it is a serious error, it is for the IPT to decide whether it is in the public interest and in the interest of national security for that person to be informed.

17

The Intelligence Services Commissioner, Interception of Communications Commissioner’s Office, and the Office of Surveillance Commissioners should be replaced by a new single independent organisation: a National Intelligence and Surveillance Office (NISO). This organisation should be placed on a statutory footing and its independence guaranteed by statute.

Clause 167 of the draft Bill establishes in statute the office of the Investigatory Powers Commissioner.

The Investigatory Powers Commissioner will replace the role of the Intelligence Services Commissioner, the Interception of Communications Commissioner and the Chief Surveillance Commissioner. The Bill also provides for the appointment of Judicial Commissioners to support the Investigatory Powers Commissioner, and the IPC may delegate functions to the Judicial Commissioners as appropriate.

18

A NISO should have an office based outside of the Whitehall departments, have a public profile and be led by a senior public official. The new organisation should be staffed by appropriate persons with technical, legal, investigative and other relevant expertise (for instance in privacy and civil liberties). The new organisation would have four main areas of responsibility:
• Inspection and audit
• Intelligence oversight
• Legal advice
• Public engagement.

The office of the Investigatory Powers Commissioner will be based outside Whitehall. Clause 176 requires the Secretary of State to provide the Investigatory Powers Commissioner with the staff, accommodation, equipment and facilities that they consider necessary for the IPC to fulfil its functions. The IPC will be provided with increased resources, including technical, legal and communications expertise so that they are effective and visible. 

19

A NISO should provide support and assistance to the Investigatory Powers Tribunal and the judicial commissioners.

Clause 172 requires a Judicial Commissioner to give the IPT any assistance the IPT may require, including the Commissioner’s opinion to inform the IPT’s decision in a matter.

20

Urgent improvements are necessary in order to expedite the mutual legal assistance treaty (MLAT) process and, in particular, to the UK–US process in managing data requests. We support the practical reforms suggested by Sir Nigel Sheinwald to the existing MLAT between the UK and the US, to include the greater standardisation of processes, training and improved guidance. The scope for a new and wider international framework between like-minded democratic countries should also be seriously investigated with the aim of allowing law-enforcement and intelligence agencies more rapid access, under agreed restrictions, to relevant data in cases of serious crime and for urgent counter-terrorism purposes.

The UK has been working with international partners to improve the quality of MLAT requests and streamline the process under our existing bilateral arrangement with the US.

We are separately taking forward Sir Nigel Sheinwald’s recommendation for a new international framework, and are exploring with partners how such an agreement might work in principle.

 

 

21 December 2015

 


[1] Current versions of the TAB Terms of Reference and Code of Conduct are publicly available on the TAB’s website: https://www.gov.uk/government/organisations/technical-advisory-board