Regulation of Investigatory Powers (Investigation of Protected Electronic Information: Code of Practice) Order 2007

rose to move, That the Grand Committee do report to the House that it has considered the Regulation of Investigatory Powers (Investigation of Protected Electronic Information: Code of Practice) Order 2007. The noble Lord said: I shall also speak to the Regulation of Investigatory Powers (Acquisition and Disclosure of Communications Data: Code of Practice) Order 2007. These orders, made under Section 71 of the Regulation of Investigatory Powers Act 2000, were laid before Parliament on 14 June. The purpose of the Regulation of Investigatory Powers (Acquisition and Disclosure of Communications Data: Code of Practice) Order is to secure approval of a draft code of practice relating to the acquisition and disclosure of communications data under the 2000 Act, its acquisition by public authorities and its disclosure by communications service providers. Communications data, such as telephone and internet subscriber information, allocation of internet addresses, itemised call records and mobile phone location data, remain a vital tool in the prevention and detection of crime and in safeguarding the public. It is data about who contacted whom and when; it provides evidence of associations between individuals and events in time and place; it can corroborate the testimony of victims and witnesses; it can also provide evidence of innocence. Most importantly, it is not about the content of communications and what was said in telephone calls or written in e-mails. The provisions of Chapter 2 were implemented in January 2004 and brought long overdue regulation to public authorities’ acquisition of communications data. Exercise of the provisions is under the vigilant oversight of the Interception of Communications Commissioner, Sir Paul Kennedy, assisted by a team of inspectors who scrutinise public authorities’ conduct to obtain communications data. A draft code of practice has been in place since these provisions were implemented. It has been extensively revised to take account of actual practice and to address issues on which public authorities and communications service providers have sought guidance or clarification. Sir Paul and his inspectors have contributed significantly to the development of the code of practice, as have respondents to a public consultation on the draft. The code presented to Parliament sets out procedures that ensure proper respect for individuals’ human rights and reflect the reality of operational and investigative work. The application of the code will significantly reduce unnecessarily bureaucratic processes. For example, it makes clear that a senior officer can authorise the obtaining of subscriber information without needing to know which service provider operates the phone number. It also makes clear that it is unnecessary to undertake a subscriber check prior to, or separate from, checking call records; that a single authorisation can cover the acquisition of specific data and the additional data necessary to interpret that; and that, where data is required in an emergency, no special internal paperwork is required but the public authority must collate the evidence of its decision-making from operational logs, which must be available to the commissioner’s inspectors. The code also makes clear, and reflects operational practice over many years that, where the connection of a 999 emergency call is lost and information is needed to provide emergency assistance to the caller within the so-called ““golden hour””, that is outside the arrangements of the Act. The code makes clear that only appropriately trained and accredited investigators who understand the legislation can engage with communications service providers and spare them from ill informed, impractical or unlawful inquiries. The Regulation of Investigatory Powers (Investigation of Protected Electronic Information: Code of Practice) Order seeks the approval of a draft code of practice relating to the exercise and performance of the powers and duties under Part 3 of the Act to require the disclosure of protected electronic data in an intelligible form or to acquire a key, or a password, to that data. Part 3 gives public authorities no new powers to seize or acquire data, but it does give them powers, to be used only when necessary and appropriate, to require data they possess or are likely to possess to be made intelligible or to require disclosure of the key that will make the data intelligible. These provisions are not in force. It has taken longer than was expected in 2000 for the same technologies that have enabled electronic commerce to develop to be taken up by terrorists and criminals to secure their information and to protect and conceal evidence of unlawful conduct. Equally, encryption tools have remained cumbersome to use properly. That has been exploited by technical facilities such as the National Technical Assistance Centre (NTAC), which processes protected data on behalf of law enforcement and intelligence agencies. However, these tools are becoming easier to use and are being installed in the standard operating systems of consumer devices. The impact of encrypted data on the work of investigators and their ability to work within statutory custody time limits will continue to increase. The Government have made it very clear that these provisions would not enter in force until the time was right and not before Parliament had approved a code of practice. The time is now right. The code of practice addresses issues on which Parliament sought clarification when the primary legislation was considered and debated. It takes account of the comments of respondents to the public consultation. The code makes it clear that the overriding purpose of the provisions is to enable investigators to access lawfully acquired information in an intelligible form, not to access the keys to data. The power to require disclosure of key material can be expected to be used only where a person who is able to put protected information into an intelligible form indicates that they will not exercise that ability either voluntarily or on compulsion. The power is most likely to be exercised in relation to individuals who are the subject of investigation and responsible for protecting information that the authorities have obtained lawfully and believe to be evidence of unlawful conduct or relevant material to the investigation. Once the provisions are in force, it will be an offence knowingly to fail to comply with a disclosure requirement, with a maximum penalty of five years’ imprisonment in national security cases or two years in other cases. We have consulted on whether that five-year penalty should be available in cases relating to possession of indecent images of children. I should report to the Committee that there is support for that, which would require amendment of the primary legislation. We will consider taking that step after assessing how well the provisions are used. When this legislation was debated in Parliament, much concern was expressed that it would criminalise people with poor memories or would reverse the burden of proof in the case of those who claimed to have forgotten or lost keys to their data. The code makes it very clear that, where a person claims not to have had a key to the data, the prosecution must prove the contrary beyond reasonable doubt. If a person claims that they no longer have a key or do not know a key to the data, the prosecution must prove the contrary beyond reasonable doubt. In direct response to concern expressed in public consultation that technical expertise is required to understand and apply this legislation appropriately, the code of practice makes it clear that no public authority may serve on any person a Part 3 notice without the prior written approval of NTAC. In this way, NTAC will have the crucial role of ensuring that the provisions are used appropriately, expertly and with the highest regard for compliance with the requirements and principles of the Act and the code. NTAC will also help to assure the various oversight commissioners of that. Recognising the critical importance of the integrity of information security in the financial services sector, and in response to the concerns expressed by Parliament and the public, the code makes it clear that no requirement to disclose a key to protected information should be imposed on any company or firm authorised by the Financial Services Authority without prior notification to the chief executive of the authority or a person designated by him for that purpose. Finally, as an additional safeguard against abuse, both these codes of practice make it clear that, if an oversight commissioner establishes that an individual has been adversely affected by any wilful or reckless failure by any person within a public authority to comply with the Act, the commissioner shall, subject to the need to safeguard national security, inform the affected individual of the existence of the Investigatory Powers Tribunal, which considers complaints about unauthorised or inappropriate conduct and should enable that person effectively to engage the tribunal. Subject to Parliament’s approval, both codes and the provisions of Part 3 will commence on 1 October. Arrangements for delivering briefings to practitioners and other interested parties on the detail of the new provisions and the codes are being planned. The primary responsibility for any democratic state is to protect its citizens, whether from the threats posed to us all by terrorism or from the threats posed to our most vulnerable citizens by sexual predators. It is right that in so doing the Government strike the right balance between the rights of communities and those of individuals. The guidance in both codes of practice does just that. I beg to move. Moved, That the Grand Committee do report to the House that it has considered the Regulation of Investigatory Powers (Investigation of Protected Electronic Information: Code of Practice) Order 2007. 19th report from the Statutory Instruments Committee.—(Lord Bassam of Brighton.)