CHAPTER 14: EXPLANATIONS
do the “heavy lifting” at the access stage: 6.53-6.54 above. (In that regard, I
recommend a tightening of the s16 safeguard: 14.89 and Recommendation 79 below.)
14.77. Though it is at the access stage that the heavy lifting will still need to be done, I am
unwilling to see a reduced level of protection at the collection stage for persons
within the UK, and so recommend that the internal/external safeguard on targeting
not be removed, but rather made clearer so as to focus on the location of individuals
rather than communications. Recommendation 44 proposes that bulk interception
warrants should be required to be targeted at the recovery of intercepted material
comprising the communications of persons believed to be outside the UK at the time
of those communications. I have left open the question of whether any equivalent
limitation is necessary or desirable in relation to bulk communications data warrants,
which as noted at 14.73 above have the potential to be used for a variety of purposes
which (at least in outline) should inform any parliamentary debate on the subject.
Authorisations
14.78. As to the acquisition of communications data otherwise than in bulk, my
recommendations build on the existing scheme of DPs assisted by SPoCs, which is
considered by all who have looked at it to provide robust and effective preauthorisation scrutiny, as well as a measure of independence.62 SPoCs should be
provided for in statute (Recommendation 62).
14.79. Two matters that currently depend on the distinction between subscriber information,
service use information and traffic data (which I have recommended should be
reviewed: Recommendation 12) are the categories of communications data (if any)
that should not be available to certain public authorities, and the rank or position
required of a DP. For that and for other reasons, each should be reviewed
(Recommendations 51 and 56).
14.80. DPs within the security and intelligence agencies are not currently required to be
independent from the investigation in which communications data is requested: they
may indeed be the line manager of the analyst who seeks access to the data. The
IOCC has recently reported that the selection procedure is undertaken “carefully and
conscientiously”, but also raised the question of whether might need to be some preauthorisation or authentication process (or alternatively, enhanced audit).63 The ISC,
reporting on the same day, made a recommendation for independent authorisation
which I have echoed in my own Recommendation 58.
14.81. Recommendation 58 would of course have to be implemented in a manner consistent
with ECHR and EU law (including, should it be applicable in this context, the
requirement of prior review referred to at 5.68(f) above). A manageable solution
needs to be sought, based on an understanding of how bulk data is actually used (as
to which, see 14.43 above), including by running very high volumes of requests before
62
63
The IOCC in his most recent report referred to the SPoC process as “a stringent safeguard”, and after
an exhaustive investigation did not find “significant institutional overuse” of communications data
powers by police forces and law enforcement agencies: IOCC Report, March 2015, 7.46 and 7.94.
IOCC Report, March 2015, 6.38-6.39.
277