Report of the Independent Surveillance Review
21
Data Retention
1.56
It is now economically viable for organisations to store data in large volumes for long
periods of time, though rarely are we told for how long. Facebook, for example, will store
data ‘for as long as necessary to provide products and services to you and others’.56 The
long-term availability of such data, and the ability of law-enforcement agencies and SIAs
to combine data sets (such as call histories, airline reservations and passport details),
makes ‘stored data’ a valuable source of both evidence and intelligence. Data retention
by government is considered by some to be more controversial than retention by the
private sector, given that governments have legal and coercive powers over citizens that
the private sector does not.
1.57
There are also concerns that data may be retained for the sake of it, under a general
justification that it might be of value for as yet unknown purposes at a later date; there
is a subsequent risk that it could be held indefinitely and potentially unfairly prejudice
an individual in the future. Such arguments were the basis for Part I, Chapter 1, of the
Protection of Freedoms Act 2012, which required the destruction of DNA samples and
the removal of DNA profiles of certain people in specified circumstances, or those
samples which were collected unlawfully or accidentally.
1.58
The protection of retained data is a major concern for citizens, consumers and businesses.
Polling commissioned by the Information Commissioner’s Office (ICO)57 indicates that 85
per cent of people are concerned about how their personal information is passed or sold
to other organisations, and that 77 per cent of people are concerned about organisations
not keeping their personal details secure. Just 19 per cent of respondents feel existing
laws and organisational practices provide sufficient protection of personal information.
A record number of data complaints were made to the ICO in 2013–14, which issued
£1.97 million in penalties to companies found in breach of data-protection rules.58
1.59
A major concern surrounding data retention is that such data may be lost, damaged
or stolen by nefarious actors. It is important to highlight that, to date, the UK has not
experienced the same scale of private-sector data breaches as can be found in the US.
Nevertheless, while UK examples of private-sector data breaches may be considerably
smaller in scope, they can still have a significant impact. The 2014 Department of Business,
Innovation and Skills’ Information Security Breaches Survey of companies around the UK
found that 81 per cent of respondents had detected at least one breach in the previous
twelve months.59 Public attitudes to the security of government-held data have been
significantly influenced by high-profile media reports over leaks, losses and thefts. In
56. For Facebook’s data usage policy see Facebook, ‘Data Policy’, <https://www.facebook.com/
policy.php>.
57. ICO, ‘Annual Track 2014: Individuals (Topline Findings)’, 2014.
58. ICO, ‘Enforcement’, <https://ico.org.uk/action-weve-taken/enforcement/>.
59. Ciaran Martin, ‘Cyber Security – Sharpening the Focus’, speech given at IA14 Conference,
London, 17 June 2014.