CHAPTER 15: RECOMMENDATIONS
Full consideration should be given to alternative means of achieving those purposes,
including existing powers, and to the categories of data that should be required to be
retained, which should be minimally intrusive. If a sufficiently compelling operational
case has been made out, a rigorous assessment should then be conducted of the
lawfulness, likely effectiveness, intrusiveness and cost of requiring such data to be
retained. No detailed proposal should be put forward until that exercise has been
performed.
16. The rules regarding retention of data by CSPs should comply (to the extent that it
may be applicable) with EU law as contained e.g. in Joined Cases C-293/12 and
C-594/12 Digital Rights Ireland and with the ECHR, particularly as regards:
(a) limits on the data whose retention may be required;
(b) ensuring that retention periods are no longer than necessary;
(c) ensuring the protection and security of data and their destruction when the
retention period ends; and
(d) the location in which data are stored.
17. To the extent that a requirement is placed on CSPs that may result in them retaining
partial or complete web logs or equivalent, the circumstances in which access may
be sought by public authorities and the conditions on which access should be granted
should be the subject of guidance in a Code of Practice and/or from ISIC, and
sufficient records should be kept to allow ISIC to verify through regular audit and
inspection that requests have been properly authorised.
18. There should be no question of progressing proposals for the compulsory retention
of third party data before such time as a compelling operational case may have been
made, there has been full consultation with CSPs and the various legal and technical
issues have been fully bottomed out. None of those conditions is currently satisfied.
Bulk collection
19. The capability of the security and intelligence agencies to collect and analyse
intercepted material in bulk should be maintained, subject to rulings of the courts, but
used only subject to the safeguards in Recommendations 40-49 and 72-80 below,
and only in cases where it is necessary to achieve an objective that cannot be
achieved by the new and less extensive power in Recommendation 42(b) below.
INTERCEPTION AND ACQUISITION OF DATA
Types of warrant and authorisation
20. In relation to interception and the acquisition of communications data, the following
types of compulsory warrant and authorisation should be available:
(a) For the interception of communications in the course of transmission,