Lord Paddick
Main Page: Lord Paddick (Non-affiliated - Life peer)Data Retention and Acquisition Regulations 2018
Lord Paddick Excerpts(5 years, 6 months ago)
Grand CommitteeRead Full debate Read Hansard Text
Baroness Manzoor (Con)
My Lords, the retention of, and access to, communications data is crucial in enabling investigators to obtain intelligence and evidence that can prevent terrorist attacks, disrupt the activities of serious organised crime groups and establish culpability so that offenders can be brought to justice. It is used to investigate crime, keep children safe, locate missing persons, support or disprove alibis and link a suspect to a crime scene.
These regulations introduce additional safeguards in our communications data regime to ensure that it complies with EU law. They also bring into force the code of practice for communications data under the Investigatory Powers Act. We have consulted publicly on the changes to the legislation and the code between November 2017 and January 2018.
The regulations provide for the independent authorisations of communications data requests. Sir Adrian Fulford, the Investigatory Powers Commissioner, is given this power and will delegate this responsibility to a newly appointed body of staff, to be known as the Office for Communications Data Authorisation. The OCDA will report directly to the IPC and will be responsible for considering the vast majority of requests to access communications data made by public authorities. The new body is expected to begin operating in April 2019, with independent authorisation being rolled out across public authorities over the course of 2019. Internal authorisation of requests will continue to be permitted in urgent cases—for example, where there is a threat to life and where requests are made for national security matters which are outside the scope of EU law.
The regulations restrict to serious crime the crime purpose for which events data such as call histories and location information can be retained and acquired. The primary safeguard to ensure that communications data is not acquired for trivial offences is the important test of necessity and proportionality, which must be considered every time an application for communication data is made.
The code of practice provides detailed guidance on how a public authority should consider the seriousness of an offence, including taking into account important factors such as the impact on the victim. In addition to this test, the regulations create a new threshold of serious crime, below which data cannot be acquired. As intended by the European Court, we have carefully considered how serious crime should be defined in the UK in the context of communications data. We propose to use as a starting point the definition which already exists within the IPA for the more intrusive interception and bulk powers, then making some adjustments in relation to communications data while leaving the original definition in place for more intrusive powers.
For communications data, we propose an adjusted definition, which includes offences that attract a sentence of one year rather than referring to offences for which the expected custodial sentence is three years, as in the case for interception. This reflects the less intrusive nature of the communications data, but nevertheless prevents data being acquired in the investigation of trivial offences. We have worked closely with the operational community to consider the importance of obtaining communications data against a range of offences, with a particular focus on cases where it was anticipated that communications data will be an important—or indeed the only—investigative tool. One area highlighted by law enforcement agencies was stalking and harassment offences. These can attract low sentences or fines, but such activity can often escalate into more serious offences, and when the activity takes place online, the ability to obtain communications data is a vital tool. Our proposed definition of serious crime for communications data acquisition also includes offences which involve, as an integral part of the offence, the sending of a communication or breach of a person’s privacy to ensure that all offences related to stalking and harassment are in scope.
The final adjustment of the serious crime definition already existing in the Act is to enable communications data to be obtained for investigations of offences committed by corporate bodies. We consider offences such as corporate manslaughter to be sufficiently serious to warrant the use of communications data in their investigation despite being punishable by fines. The generally less intrusive entity data—such as the name of a subscriber to a service—can still be obtained in relation to the full range of crimes, where it is necessary and proportionate to do so. To ensure that the serious crime restriction can be brought into force on 1 November, the regulations amend the Regulation of Investigatory Powers Act 2000 until Part 3 of the IPA is brought into force early next year. RIPA remains the legal framework for accessing communications data.
The new code of practice provides comprehensive guidance on the data retention and acquisition regime. It is well over 100 pages long, and provides further detail on roles and responsibilities. The code takes account of the changes made in these regulations, particularly the role of the Investigatory Powers Commissioner and the OCDA.
These changes support the important right to privacy and the right of citizens to be protected from crime and terrorism. They ensure that public authorities can continue to access retained communications data in a way that is consistent with EU law and our responsibilities to protect the public. The additional safeguards, the clear requirements set out in the code of practice and the independent oversight provided by the Investigatory Powers Commissioner establish clear limits around the use of these powers, and provide reassurance that communications data is being used only where it is necessary and proportionate to do so. I beg to move.
Lord Paddick (LD)
My Lords, I remind the Committee that I was a police officer for over 30 years, rising to the rank of Deputy Assistant Commissioner in the Metropolitan Police, and—contrary to popular belief—my certificate of service states that my conduct was exemplary. I acknowledge the importance of communications data in the investigation of serious crime as the Minister has outlined. I also welcome, as far as they go, the independent authorisation provisions contained in these regulations.
I should like to give the Committee some background to discussions I have had with Ministers and officials on these regulations. Two weeks ago, at a meeting with the Minister of State for Security and Economic Crime, the Minister of State for Countering Extremism, the Minister for Equalities, and officials, I raised my concerns about the definition of serious crime in these regulations and one other issue. The Minister for Security and Economic Crime and his officials were unable to answer my concerns at that meeting but the Minister promised to find the answers and get back to me. Having heard nothing by yesterday afternoon, I alerted the Government to the fact that, in the absence of any explanation, I would seek to oppose the regulations when they reached the Floor of the House. At 8 pm last night, the Minister of State for Countering Extremism called me because she had been told that I was unhappy with the regulations. I repeated my main concern, as clearly expressed in the meeting with Ministers and officials on 10 October, and she undertook to provide me with a copy of the relevant part of the Minister’s opening speech this afternoon. I received this at 10 am today and I am grateful for the advance sight of the relevant part of the speech. Having reflected for some time on the Minister’s opening remarks, provided to me in advance in writing, I wish to explain to the Committee why I am still not satisfied with the Government’s response.
In the Investigatory Powers Act 2016—the Act of Parliament under which these regulations are being made—“serious crime” is defined as offences for which the expected custodial sentence is three years for a person over 18 with no previous convictions. In other legislation currently before the House—for example, the Counter-Terrorism and Border Security Bill—the definition of serious crime is the same as in the Investigatory Powers Act 2016. An expected custodial sentence of three years’ imprisonment for a person without any previous convictions is not, as I understand it, a maximum sentence of three years’ imprisonment. Taking shoplifting as an example, the maximum sentence for theft is 10 years in prison but someone stealing a can of beans from Tesco could not be expected to be sent to prison for three years for such an offence. Can the Minister explain exactly what “expected custodial sentence” means in practice? Can she give some examples of the types of offences that would fall within this category?
However, these regulations not only lower the bar to 12 months’ imprisonment or more, down from three years, but—the Minister will correct me if I have this wrong—defining serious crime as an offence that someone is capable of being sentenced for must mean that the maximum sentence is 12 months or more, which is a much lower threshold than the definition in the Act. Furthermore, it disregards any enactment prohibiting or restricting the imprisonment of individuals who have no previous convictions, as opposed to the Act, which has regard to such restrictions. If I am right, this shows that this is a much lower standard for defining serious crime than is contained in the Act itself.
The Minister talked in her introduction about preventing data being acquired in the investigation of trivial offences. The CJEU judgment on this matter, which has prompted these regulations, talks about the objective of fighting serious crime, not the prohibition on using communications data to investigate trivial crime. There is a significant difference between serious crime and trivial crime. My view is that the Government have stretched the definition of serious crime beyond credible limits, to an extent that is not compliant with the CJEU judgment in this matter.
However, the regulations go further still, to include any offence committed by a body corporate and any offence,
“which involves, as an integral part of it, the sending of a communication or a breach of a person’s privacy”.
Clearly, “any offence” does not differentiate between a serious offence and any other type of offence. The CJEU explicitly stated that the use of communications data must be restricted to the investigation of serious crime but these regulations define any crime as being serious if it is committed by a body corporate or involves the sending of a communication or a breach of privacy, when clearly some of these offences will not be serious by any reasonable definition. I am reminded of the Oxford undergraduate who tried to get around college by-laws prohibiting undergraduates from keeping dogs in their rooms by calling his dog “Cat”.
The Minister has explained how the Government arrived at such a position:
“We have worked closely with the operational community to consider the importance of communications data against a range of offences, with a particular focus on cases where it was anticipated that communications data will be an important—or indeed the only—investigative tool”.
Baroness Manzoor
The noble Lord, Lord Rosser, makes a very important point. When I write, I will ensure that the issue of how it will be overseen by the oversight body and how it is dealt with is addressed very clearly. I will write to all noble Lords and I will also place a copy in the Library.
Lord Paddick
In that letter perhaps the Minister will expand further on harassment and stalking offences, which can quickly escalate, to use the expression she used. Of course, if stalking involves fear of violence, or serious alarm or distress—in other words, if it escalates—the maximum sentence is five years and therefore it would be covered anyway by the definition of serious crime as being something with a maximum sentence of 12 months. Therefore, an offence involving communications as an integral part would not be necessary. Perhaps she can clarify that as well when she writes.
Baroness Manzoor
Of course, I will be happy to do that. I shall address the points put by the noble Lord, Lord Rosser. He asked how we will prevent the powers being used for less serious offences, which is essentially the question on which I have been asked to write, but I shall try to give a brief view of our response. The Office for Communications Data Authorisations will receive a full case setting out the need for communications data. It will need to set out why the request is necessary, proportionate and sufficiently serious to warrant the intrusion. The IPA then provides for oversight of this.
The Investigatory Powers Act provides for an Investigatory Powers Commissioner, whose remit includes providing comprehensive oversight of the use of the powers contained within the Act and adherence to the practices and processes, which as noble Lords know are described in the code of practice. The IPC is a member of the senior judiciary and is entirely independent of Her Majesty’s Government or any of the public authorities authorised to use investigatory powers. That is very strong oversight. The IPC is supported by inspectors and others, such as technical experts and legal experts. The IPC and those who work under the authority of the IPC will ensure compliance with the law by inspecting public authorities and investigating any issue which they believe warrants further independent scrutiny. If there were any issue, they would be there in an independent capacity—it is not just somebody locally at the authorities making that decision.
The IPC must report annually on the findings of its audits, inspections and investigations. This report will be laid before Parliament and made available to the public, subject to any necessary redactions made in the public interest. Separately, the Investigatory Powers Act requires that the security, integrity and deletion of retained data by telecommunications operators is overseen by the Information Commissioner, who provides the UK’s data protection oversight function. Just to conclude on that, because the oversight is important, Section 260 of the IPA requires that the Secretary of State must publish a report reviewing the operation of the Act and lay it before Parliament after five years of its passing.
I hope that I have answered most of the questions that noble Lords have put to me. As I said, if there are any issues that I have missed or not grasped as fully as I could have done, I am happy to write to noble Lords and place a copy of the letter in the Library. I am aware that across from me there is greater expertise than I have, but I hope that I have been able to allay any fears and concerns and that noble Lords are assured that we are looking at safeguarding and protecting, as well as ensuring transparency, in this important area.