Home Office: We got data retention wrong

Data retention in the UK is back to square one as the government admits that the secondary legislation it tried to introduce this summer was insufficient to clear up the mess made in primary legislation.

The Home Office made a startling admission on Thursday morning that its plans for making ISPs retain details of customer emails and Web surfing have not worked out as it had hoped, and the UK is now "back to square one".

Problems range from incompatibilities between no fewer than four different laws, which the Home Office now appears to accept, to public concern over how they can access their data, how it can be accessed, and what redress they have when something goes wrong.

Speaking at a seminar for ISPs at Streaming Media Europe, a Home Office official said the government is now "looking to consult in the New Year on what data retention regime the public will be happy with".

The admission follows an embarrassing six months for the Home Office over the issue of data retention. In June, when it issued a voluntary code of practice laying out who can access the retained data and how they can access it, there was uproar over the number of government agencies that would have access to individuals' Internet and phone records. These ranged from local authorities to the NHS, the Postal Services Commission and the Food Standards Agency. The agencies, all of which have some law enforcement authority, were not previously guaranteed access to the records without a court order. A code of practice is demanded by the Anti-Terrorism, Crime and Security Act 2001 (ATCS).

Elizabeth France, the Information Commissioner, later said the Regulation of Investigatory Powers Act (RIPA), which deals with access to the retained data once it has been retained under ATCS, was likely to break the Human Rights Act (HRA). Her stance was later backed up by other European Information Commissioners who said there could be incompatibilities with data protection legislation.

In October, ISP Association (ISPA) general secretary Nicholas Lansmann advised members in a letter that was leaked to The Guardian not to agree to the Home Office voluntary code of practice covering data retention. Among the reasons that Lansmann gave was the fact that a year since the first draft was released, the Home Office has failed to explain how ISPs will be reimbursed for retaining the data, or how they can comply with the code without breaking numerous other laws.

Some ISPs want a mandatory code of conduct so they will not be held liable in cases where different laws conflict. Said one: "Because the code of practice is voluntary, customers will sue us. We need the government to make the code of practice mandatory so the government gets sued when things go wrong and not us."

Ian Walden, head of IT law at Queen Mary College, agreed. "I think ISPs are quite right to say they won't agree to a voluntary code of practice because it exposes them to all kinds of liability," he said.

Speaking to ISPs at Streaming Media Europe on Thursday, Lansmann said the atmosphere finally appears to be changing.

"We are getting very strong signals from the Home Office that occasionally legislation gets passed and sometimes it is not entirely right. I think that is happening now, and it looks like we will eventually have a law that provides clarity and ensures privacy of the citizen."

The Home Office official, who attended the event to reassure ISPs that the government has realised the error of its ways, said: "Sometimes we have to admit that we got it a bit wrong, and [this time] we got it a bit wrong."

"Just over a year ago, the Home Office had no plans for data retention. Then along came 11 September and we suddenly changed our plans so that now we do want data retention," said the official.

"It has increasingly become the case that the scheme we have in ATCS will work after a fashion but not in the way we intended," he said. "There are concerns people had that have come to pass, and now we are almost back to square one."

The UK still has no data retention framework in place.

The official said the Home Office has learnt from the mistake it made with the publication of the draft code of practice in June.

"A large part of the problem we had in June was putting something down on paper without explaining to people exactly what it was," he said. "We didn't explain, for instance, what the Food Standards Agency is, what it does, and why it might need access to data."

"People need to be clear over who can do what and in what circumstances. People thought every Tom, Dick and Harry in every Town Hall would be able to access all our data, but we didn't explain why they would not be able to. There are procedures."

The government has to explain who needs access, he added, why they need access, under what circumstances people can expect their data to be accessed, and what redress they have when something goes wrong.

Richard Allan, Liberal MP for Sheffield Hallam, said: "We're still in the position where the Home Office is saying we may have a mandatory data retention scheme for many years, or a voluntary data retention scheme for a much lower number of years. We hope to influence that."
