The Government announced 10 days ago that it would put a law through Parliament that would make compulsory the recording of UK internet usage and the keeping of the information for up to a year.
It has now emerged that Home Office officials have proposed a plan whereby that data would be stored by the Government in a purpose-built database, and not by individual internet service providers (ISPs). The plan has not been approved by ministers and remains just one proposal, according to reports.
‘If the intention is to bring all mobile and internet records together under one system, this would give us serious concerns and may well be a step too far," said Jonathan Bamford, assistant Information Commissioner. "We are not aware of any justification for the state to hold every UK citizen’s phone and internet records."
The Data Retention Directive is an EU law which orders the monitoring and keeping of telecoms records for between six and 24 months to assist police investigations.
The UK has already implemented the Directive as it relates to phone calls but the new law will implement it in relation to internet usage, including email and internet telephony.
Only the facts about a communication – who sent it and who received it, from where to where and at what time – will be recorded, and not the content of the communication. The UK has until 2009 to implement the Directive fully.
The idea has met with some concern in the wake of Government data security breaches and the known challenges of operating any database on such a massive scale. Privacy expert Dr Chris Pounder of Pinsent Masons, the law firm behind OUT-LAW.COM, said that the plan would involve greater central Government power and less independent scrutiny.
"One advantage of a centralised database of telephone and email contacts is that the Government would have control of costs. It would not have to pay the telcos for data retention and all the contentious arguments about retention costs are avoided," he said.
"The downside is the risk of weakened supervision. For example, under the now defunct Interception of Communications Act 1985, the telcos could volunteer communications data to the authorities. This was changed under the Regulation of Investigatory Powers Act (RIPA), so that the telcos were obliged to provide communications data on request by the authorities."
"However, each request under RIPA could be evaluated by the telcos and they were in a position to query excessive requests," Pounder said. "Now, under the Government proposals, this limited independent evaluation of each request would not occur."
The ICO is also worried about the amount of power over the information that the move would give the Government.
"We have real doubts that such a measure can be justified, or is proportionate or desirable," said Bamford. "Such a measure would require wider public discussion. Proper safeguards would be needed to ensure that the data is only used for the proper purpose of detecting crime."
The Government's recent record on keeping personal data private has not been good. HM Revenue and Customs lost 25 million people's personal details in November, while a contractor to the DVLA lost three million drivers' personal details in December. The Army has also lost significant amounts of data from lost or stolen laptops.
The telecommunications database would be one of a number currently planned by the Government. If it becomes policy it will join the ID Card's audit trail database tracking the use of public services, a children's database, a central repository of CCTV images and a database of medical records.
Data protection training: find out about our data protection training courses.
Footnote: Dr Chris Pounder was a consultant with Pinsent Masons until September 2008. He now runs a new training business, Amberhawk.