The “Protection of Freedoms Bill” has a wholly misleading title; the legislation simply does not do what it says on the tin. The CCTV provisions (see blog of 16/2/2011) have more to do with efficient surveillance rather than privacy protection, and in my last blog (3/3/2011), I reviewed the Information Commissioner’s concerns re the use of personal data in DNA profiling or in vetting.
For completeness, this blog addresses the additional privacy protection afforded by the proposed changes to the Regulation of Investigatory Powers (RIPA) Act. Although welcome, they are really very inconsequential.
This is because, the changes are limited to Local Authorities who hardly use RIPA powers; for other bodies (e.g. those that report to the Home Office), RIPA is left unfettered. In addition, the changes do not stop Local Authorities using RIPA powers; instead of self-authorising their application, Local Authorities have to seek judicial authority to commence using them.
In other words, the changes have little impact on the real privacy issues surrounding RIPA. And the best way to demonstrate this minimal impact is to let the statistics published in the latest Annual Reports of the Surveillance Commissioner and the Interception of Communications Commissioner speak for themselves. (Both these Annual Reports can be downloaded:– see the links in the references below).
The changes with respect to CHIS
In relation to CHIS (the recruitment of Covert Human Intelligence Sources), the Surveillance Commissioner states that “there were 5,320 CHIS recruited by law enforcement agencies during the year” whilst all “other public authorities recruited 229 CHIS” where “just over half of CHIS usage was by government departments”. In other words, in relation to CHIS, Local Authorities have recruited a maximum of 115 CHIS (half of 229), and this represents just over 2% of the total CHIS recruited (there are 5,549 CHIS recruited per year).
In fact the Commissioner reports “the light use of RIPA/RIP(S)A powers by local authorities is even more pronounced in relation to CHIS recruitment. 97% recruited five or fewer and 86% did not use CHIS”. As there are about 440 Local Authorities in total, it follows that if 86% do not use CHIS, then there are only 62 Local Authorities that do use CHIS (i.e. 14% of 440).
If there are 115 CHIS recruited by these 62 Local Authorities, then the Freedom Bill’s requirement to seek judicial authority to use CHIS, is going to happen on average less than twice a year per Authority. Compare this 2 per year statistic with the fact that “5,549 CHIS recruited in total per year”.
The Freedom Bill’s CHIS changes have inconsequential impact on privacy protection because from each local authority’s perspective, they focus on 0.036% of the total number of CHIS recruitment per year.
The changes with respect to Directed Surveillance
In relation to directed surveillance, the Surveillance Commissioner reports that “Law enforcement agencies granted 15,285 directed surveillance authorisations during 2009-2010”. In relation to other public authorities 8,477 directed surveillance authorisations were granted during the year” of which “50% were by government departments”. This means there are a total of 23,762 directed surveillance authorisations per year.
The Surveillance Commissioner also reports that “Generally speaking, local authorities use RIPA/RIP(S)A powers sparingly with over 50% granting five or fewer directed surveillance authorisations during the reporting period. Some 16% granted none at all”. So if we use these figures (and go through the same kind of analysis as for CHIS), then 84% of Local Authorities (i.e. about 378 Local Authorities) use directed surveillance and the maximum number of directed surveillance authorisations by all Local Authorities per year is about 4,240 (half of 8,477).
Although you can argue that 18% of the total number of directed surveillance operations are undertaken by Local Authorities as a whole, this figure is an over simplistic statistic and does not provide a complete picture. For instance, it fails to take into account that there are 378 Authorities undertaking such surveillance.
If you work out the average Local Authority use of RIPA directed surveillance powers (4,240 divided by 378), then you see that each Authority commences 11.2 directed surveillance operations per year (1 per month would be above average). This one per month average for each Authority can then be compared with the 1980 authorisations per month (the total number of 23,762 authorisations per year divided by 12).
From the perspective of each Local Authority, therefore, the Government is legislating with respect to an issue that represents 1 in 1980 (or 0.05%) of the total authorisations per month. This 0.05% figure hardly represents a significant change in the level of privacy protection with directed surveillance.
The changes with respect of Communications Data
No local authority has the power to intercept a telephone call or any other form of communication during the course of its transmission, and the only change in the Freedoms Bill relates to Local Authority collection of communications data. (Communications data are those data that relate to who has called whom, when, for how long and from what location but not the content of that communication).
The Interception Commissioner’s Annual Report notes that “During the year ended 31 December, 2009, public authorities as a whole, made 525,130 requests for communications data to Communication Service Providers and Internet Service Providers”(i.e. there are 43, 761 requests per month).
The Commissioner then notes that that “during the period covered by this report 131 local authorities notified me that they had made use of their powers to acquire communications data, and this is slightly more than last year”. The Commissioner records that Local Authorities made “a total of 1,756 requests ... for communications data and the vast majority were for basic subscriber information”. So before we do any analysis, Local Authorities collectively only account for 0.33% of the total number of requests for communications data.
If 131 Local Authorities make 1,756 requests per year, then this works out a Local Authority average of 13.4 per year (i.e. the average Local Authority is making just over 1 request per month – actual figure is 1.1). This figure of 1.1 per month should be compared with the 43,761 requests per month for all of the public sector.
From which we deduce that from the perspective of each Local Authority, the provisions in the Freedom Bill will impact on 0.0025% of the total of number of times communications data are used. In this case, to describe the enhanced privacy protection as “inconsequential” is really a gross overstatement of the improvement in protection.
Concluding comment
In each case, the analysis shows that each Local Authority represents 0.05% or less of the actual RIPA activity; 99.95% of RIPA activity is therefore unaffected. Quite simply, there is no significant change to privacy protection.
One cannot help but conclude that this part of the Freedoms Bill has focused on Local Authorities because it diverts attention from other areas of RIPA. Local Authorities (thanks the Poole Council one suspects – see references) are the new “sitting ducks” for Government rhetoric.
However, two important questions are not being asked – and which should be:
1. Why is it that judicial authority is required by a Local Authority, but not say, the other Government Departments that also infrequently use RIPA powers?
2. Why is it that the use of these powers are to become subject to judicial authority for just Local Authorities, when it would reassure the public that all RIPA powers exercised properly by any public authority, if all authorities were subject to judicial authority? After all, all RIPA powers are very invasive of individual privacy.
When you look at the above (and the conclusions found in my other two blogs on this Bill) there is only one conclusion: the changes represent only a very thin veneer of additional privacy protection. However, be grateful for small mercies but recognise that they are very small indeed.
References
The Annual Report of the Surveillance Commissioner: Download Annual Report_Surveillance Comms.
The Annual Report of the Interception of Communications Commissioner: Download Annual Report_Interception of Comms
Relevant blogs:
1. "ICO evidence identifies data protection concerns over Freedoms Bill", (3rd March 2011), on http://amberhawk.typepad.com/amberhawk/2011/03/ico-evidence-identifies-data-protection-concerns-over-freedoms-bill.html
2. “Protection of Freedoms Bill promotes efficient CCTV surveillance not effective privacy”, (16 Feb, 2011), on http://amberhawk.typepad.com/amberhawk/2011/02/protection-of-freedoms-bill-promotes-efficient-cctv-surveillance-not-effective-privacy.html
3. "Swimming in the surveillance Poole: the real privacy problems with RIPA", (Aug 9, 2010), on http://amberhawk.typepad.com/amberhawk/2010/08/swimming-in-the-surveillance-poole-the-real-privacy-problems-with-ripa.html
Adverts re Data Protection courses
We are also running a Privacy Impact Assessment course and a Data Protection Audit course in London, on 21st and 23rd March (£400 for the day+VAT). Our Spring UPDATE session is on 11th April in London: follow the link for details of speakers and content on our web-site (at £195+VAT for the day it is a real double dip recession busting snip). Details from the Amberhawk website (www.amberhawk.com).
As someone in an Authority that does use RIPA (mainly directed but occasionally CHIS) it is extermely frustrating to know that this focus on public authorities was simply the result of the government scoring cheap points with th e public on the back of a couple of local authorities that used RIPA incorrectly.
It obviously didn't help that the media pushed RIPA to the public by basically saying 'your council thinks you're a terrorist'.
It didn't need a change in legislation to resolve the issue. All it needed was for the Surveillance Commissioner to be a bit more rigorous in its inspection regime.
This may not have a massive impact on privacy compared to the ongoing thousands of applications that are made by other bodies but it will certainly have a negative impact on our ability to pursue violent loan sharks, dangerous fake goods sellers and prolific fly-tippers.
Posted by: Secretgeek | 17/03/2011 at 01:56 PM