techUK Comments on New 'Necessity and Proportionality' Guidance in Updated CoP

19 May 2015 03:41 PM

techUK encouraged by new updated guidance on the Codes of Practice for the acquisition, disclosure and retention of communications data. 

On Friday 15 May the Home Office published new guidance on the procedures that should be followed when communications data is accessed or disclosed under the Regulation of Investigatory Powers Act (RIPA) or retained under Data Retention and Investigatory Powers Act (DRIPA) and the Anti-terrorism, Crime and Security Act (ATCSA).

Mirroring recent recommendations regarding necessity and proportionality that techUK has made in relation to the procedures that should be followed when communications data is accessed or disclosed, the codes of practice now mandate that all applications related to the Acts must:

• Cover specific points in order to be considered necessary
• Include an explanation of how the level of intrusion is justified when taking into consideration the benefit the data will give to an investigation, with confirmation that relevant less intrusive investigations have already been undertaken where possible
• Consider the rights (particularly to privacy and, in relevant cases, freedom of expression) of the individual and a balancing of these rights against the benefit to the investigation
• Take into consideration possible instances of collateral intrusion and possible unintended consequences
  Further training on necessity and proportionality will also be given to all those who participate in investigations related to the acquisition and disclosure of communications data.

Such changes to the guidance are welcome in that they commit those conducting investigations to take extra care in ensuring that all applications regarding the acquisition, disclosure and retention of communications data are justified, necessary and proportionate.

The updated codes of practice do not, however, provide further clarity regarding the definitions of the terms "communications service provider" or "communications data". These ambiguous terms do not fully take in to account the advent of new technologies and the constantly changing nature of the tech sector. The definitions of communications data and the model of data retention described in the Codes are therefore not "future-proof".

Furthermore, techUK has consistently called for the extra-territorial powers contained in DRIPA to include effective oversight and reconcile any potential conflicts of communications data law between countries. The updated codes of practice do not address these points and thereby fail to ensure the smooth application of RIPA overseas.

Whilst techUK is encouraged to see that its recommendations regarding necessity and proportionality have been taken on board, it is important that any future legislation is clear on the types of data that will be covered and also includes a revised and updated framework on extra-territoriality, based on international agreements and in consultation with companies and other stakeholders.

Our members take their legal obligations to support the security services in their vital work to keep the UK and its citizens safe extremely seriously and, in the run up to current legislation ending in 2016, techUK will continue to engage with the Home Office to ensure that future legislation meets such standards.