CHAPTER 12: CIVIL SOCIETY
Increase safeguards on access to and use of data
12.55. Safeguards are not only necessary when collecting, acquiring or accessing data.
They must also be available, and be robust, at later stages, and in particular as
regards the use of such data, especially as this will be a further intrusion under Article
8 of the ECHR. However, a number of submissions emphasised to me that the
protections currently set out in RIPA ss15, 16, 22 and 23 and the Codes of Practice
are insufficient for this purpose. Possible ways to improve the current position were
set out.
12.56. First, it was argued that safeguards should extend more widely, including to material
accessed under DRIPA 2014, to communications data under RIPA Part I Chapter 2
(as to which there are limited safeguards), and to interception or obtaining of data
outside the RIPA regime.
12.57. Secondly, safeguards must be more explicit and more stringent. Thus submissions
urged:
(a)
clear authorised methods for searching data,67 perhaps including published
terms;
(b)
special authorisation for search terms that are particularly intrusive;
(c)
narrowing the constraints on the use of such data, such that it can only be used
in line with the purposes for which it is collected, or require later authorisation;
(d)
granular and explicit purposes for which it may be used (rather than broad terms
such as “national security”);
(e)
only permitting the authority that accessed the data to then use it, or requiring
further authorisation for it to be transferred;
(f)
the review of data at regular intervals for destruction; and
(g)
robust and clearly defined rules for the destruction of intercepted material,
including time limits.
12.58. Two particular ways of ensuring this have been highlighted. Strict rules on data
minimisation (i.e. the holding of the “minimum” amount of data necessary) could be
implemented, similar to the controls imposed by the FISC in the United States relating
to information concerning United States persons (see Annex 15 to this Report).
Alternatively, the possible utility of ordinary data protection principles being applied
across the board was also emphasised.
12.59. The concerns regarding safeguards on the use of information apply broadly across
investigatory powers, and are not confined to access to data. Thus, it is urged that,
for example, there should be “Chinese walls” between those developing cryptographic
67
See for an example of this, Report of the CTIVD in the Netherlands on the processing of
telecommunications data, (February 2014), p. 15 et seq.
230