Parliamentary Question on Data Retention

Joe Costello TD was kind enough to place a Parliamentary Question for us asking the Minister for Justice about the use of his new data retention powers. Unfortunately the answer we received was less than helpful, with the Minister giving the blanket response that “it is not in the public interest” to answer most of the points raised, and conveniently misinterpreting other parts of the question.

The question was as follows:

To ask the Minister for Justice, Equality and Law Reform –
1. the service providers the Garda Commissioner has written to pursuant to Section 63 of the Criminal Justice (Terrorist Offences) Act 2005 instructing them to retain data as defined;

2. if any service provider accessed the data held pursuant to Section 63 of the Criminal Justice (Terrorist Offences) Act 2005;

3. if so, the service providers which have done so and pursuant to which subsection or subsections of Section 64 was it so accessed in each case;

4. the number of times the data retained has been accessed under each subsection of Section 64 and by which service providers;

5. the safeguards he has instructed service providers to put in place to ensure that this data is not improperly accessed; and if he will make a statement on the matter. (numbering added for readability)

The Minister’s response:

Part 7 – sections 61 to 67 – of the Criminal Justice (Terrorist Offences) Act 2005 provides for the retention of telecommunications data by communications service providers for the purposes of the prevention, detection, investigation or prosecution of crime, including terrorist offences, or the safeguarding of the security of the State. It would not be in the public interest to reveal the number or identities of the service providers, if any, which have been requested in writing by the Garda Commissioner to retain, for a period of three years, traffic data or location data or both.

A service provider shall not access any data so retained save in accordance with the conditions set out in paragraphs 64(1)(a) to (e) of the 2005 Act. Inasmuch as retained data may be accessed by the Garda Síochána, it would not be in the public interest to reveal either the number of requests, if any, made to disclose any data so retained or the identities of the service providers to which such requests, if any, have been made.

I do not have – and could not have – information on such matters as it relates to disclosure requests from other legitimate sources, such as in accordance with a court order or at the request and with the consent of the person to whom the data relates.

On safeguards against the misuse of retained data, Part 7 of the 2005 Act extends the duties of the designated judge under the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993 to the data retention provisions of this Part. In particular, the designated judge shall, inter alia, keep the operation of the provisions of Part 7 under review and ascertain whether the Garda Síochana and the Permanent Defence Forces are complying with its provisions. Moreover, Part 7 of the 2005 Act also extends the duties of the complaints referee under the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993 to the data retention provisions of this Part. In particular, the complaints referee shall investigate, on foot of a complaint alleging improper disclosure, whether, inter alia, any provision of section 64 was contravened in the disclosure request, if any. (paragraphing added for readability)

So, what were we asking and what did he tell us – in plain English?

Here’s the relevant part of the Act.

1) As you can see, Section 63 gives the Garda Commissioner the power to write to service providers and tell them to hold customer’s data for 3 years. It also says that service providers already holding data, under the previous regime, should behave as though they had been written to. We just wanted to know who those service providers were.

2) And then we wanted to know if the service providers had accessed the info. A broad enough question. So to make sure that we were able to give a positive answer some kind of context we asked…

3) How often it had been accessed, and under which subsection. As you can see, the subsections in Section 64 give the permitted reasons for service providers to access this data. Knowing which subsection was used would tell us what the reason was.

4) Now we want to break down that data into how often each subsection has been invoked to access the data, and which service providers are doing the most accessing of it.

5) And finally, so we can all sleep easy at night, we just want to be reassured that the Minister has taken steps to make sure that the service providers hold this information securely.*

Alas, parts 1 to 4 of the question were met with the assertion that “it would not be in the public interest” to reveal this information. This is a peculiar position for the Minister to take. It is clearly in the public interest that we all be able to oversee the use (or abuse) of these sweeping powers – and the Minister has failed to give a single reason why answering these questions could harm the public interest. Our question only sought numerical and statistical data on accessing these records. We asked for no data which could have prejudiced or influenced an investigation.

But let us imagine that we did know that, for example, the Garda Commissioner had requested some, but not all, service providers to retain data. Then we would have the worst of all worlds – compromising the privacy of a mass of innocent citizens while providing no comprehensive access to data, should it need to be accessed. On the other hand, if it turned out that the Garda Commissioner had made no such requests, then we would have to wonder whether we had been misled when we were told that this legislation was a matter of urgency.

And it is slightly absurd for the Minister to to refuse to identify the requested service providers to an elected representative, in the Dail, when any stooge can, by means of a data protection request, identify whether their own provider has been so requested.**

Meanwhile, the answer to part 5 of the question is conveniently misleading. We asked the Minister about “the safeguards he has instructed service providers to put in place to ensure that this data is not improperly accessed”. Where service providers are being required to store such sensitive information, we might expect that they would be given guidance on security measures, employee training and vetting, technical safeguards, or the like. Instead the Minister’s response talks about the “designated judge” and the “complaints referee”. Both of those officials have a (limited) power to investigate cases where a disclosure request is made by the Gardaí*** and it’s alleged that they have abused their powers. They do not, however, have any power to investigate abuses by service providers.

It appears from his answer, despite its volume of words, that he could have more succinctly replied that he has made no instructions to service providers to put in place safeguards to ensure that this data is not improperly accessed, by themselves or their agents. Which was, after all, what we had asked.

* If A outsources the processing of personal data to B, A is still a “data controller” under the Data Protection Acts and owes the people whose data is processed a duty of care, including an obligation to take “appropriate security measures” against unauthorised access to the data. It’s hard to see why the same principle should not apply where the Minister for Justice has, in effect, outsourced a surveillance regime to the telecommunication companies.

** Note that the Act, in section 64(1)(a), specifically permits a person to make a data protection request in respect of their own retained data.

*** Or the Defence Forces.