Government Access to Private-Sector Data in the United Kingdom

Abstract

The most plausible means for systematic UK government access to private-sector data is through voluntary agreements with the operators of systems and databases. This was how Internet Service Providers’ communications records were accessed by police before specific statutory provision was made in the Regulation of Investigatory Powers Act 2000 (RIPA). Sections 28-29 of the Data Protection Act 1998 allow such voluntary arrangements for purposes related to national security, law enforcement and taxation. Companies such as Facebook and RIM/BlackBerry have publicly acknowledged that they provide access to specific user data when UK public authorities follow the RIPA procedures, even though they are not legally required to. UK ISPs must retain records about their customers’ Internet sessions and e-mail, although not message contents, under the Data Retention Regulations 2009. The government continues to discuss new legal powers that would require ISPs to store records relating to their customers’ communications on webmail, social media and other sites, which could then be accessed on a semi-automated but particularized basis under RIPA. It is likely that for national security purposes the government’s signals intelligence agency, GCHQ, undertakes large-scale surveillance of Internet data transfers to or from points outside the UK. This can be authorized under RIPA, and telecommunications providers required to facilitate interception under that Act and the Telecommunications Act 1984. Under the UKUSA agreement GCHQ cooperates extremely closely with intelligence agencies in the US, Canada, Australia and New Zealand. It is likely that any access these agencies have to private-sector data will be shared to some extent. However, such activities are highly secret.