Friday, 27 June 2014

Odd comment from the ICO

"The resources we use are publicly available; we do not have privileged access to information that is not also available to the general public. Tracing calls is instigated by the police in the event of an allegation of a criminal offence.  As a breach of the PECR is not a criminal offence we do not have the authority to trace calls."


Is it just me, or am I just missing the point or what.

If breaches of a PECR are not a crime, what is the point of the PECR.

But more to the point, the PECR amends the Data Protection Act and allows the ICO to send information notices to anybody they need to requiring information relating to a breach of these regs. So they have means to ask a telco to trace a call or provide details of a subscriber or anything. It even looks like they have powers to get a court order to seize things. Have I mis-read these regulations or something.

Why are the ICO not bothering to use the powers they have?

4 comments:

  1. I'm guessing it is a lack of funding and the chances of success are slim?

    ReplyDelete
  2. This does seem odd to me, as it does not represent my experience of third party information notices; I would not say that the information demanded in the ones I have seen is "in the public domain".

    I wonder if it is but a case of, once an organisation reaches a sufficient size, co-ordinated responses are difficult, and that the person responding here is not involved in enforcement activity. You might see if you could find the address of someone in the ICO's enforcement team, and ask them directly?

    Else you could ask, under FoI, for a copy of a served third party information notice, with the target / A number redacted?

    ReplyDelete
  3. Hmm. They may have the power to request information, but tracing calls comes under RIPA, doesn't it? And RIPA is supposed to only be used for crime and a few other things. if violating PECR is only a civil offence, then RIPA should not be used.

    There may be separate powers to request information, but one of the things that happened at the same time as RIPA was that there was a code of practice promulgated which said that authorities should not use older powers to do the same things that RIPA covers, if RIPA would not allow them:
    See section 1.3 of https://www.gov.uk/government/publications/code-of-practice-for-the-acquisition-and-disclosure-of-communications-data
    That suggests that ofcom is one of the exceptions, but maybe the ICO isn't. Or maybe whoever is handling this is confused by that code of practice.
    (IANAL, etc).

    ReplyDelete
    Replies
    1. "tracing calls comes under RIPA, doesn't it?"

      RIPA has a number of parts, one of which relates to the interception of communications, and another to the acquisition of communications data. There is no reference within RIPA to "tracing calls", but rather the frameworks under which these two types of data can be acquired in support of various activities.

      The ICO has been granted specific powers to acquire data from communications providers to support its activities, being Reg. 31 of PECR:

      "(1) The Information Commissioner may require a communications provider (A) to provide information to the Information Commissioner by serving on A a notice (“a third party information notice”).

      (2) The third party information notice may require A to release information held by A about another person's use of an electronic communications network or an electronic communications service where the Information Commissioner believes that the information requested is relevant information.

      (3) Relevant information is information which the Information Commissioner considers is necessary to investigate the compliance of any person with these Regulations."

      The Regulations post-dated RIPA (RIPA was 2000, the Regulations 2003), and the powers which exist in the Regulations are there to enable the ICO to enforce the Regulations effectively. The ICO *does* use these powers in practice, which, to me, would suggest that it does consider their use as compatible with the wider RIPA framework / code of practice.

      Delete