Information Access Team
Shared Services Directorate
2 Marsham Street, London SW1P 4DF
Switchboard 020 7035 4848
E-mail: [email address] Website: www.homeoffice.gov.uk
Mr Francis Davey
[FOI #14702 email]
By e-mail only
2 February 2010
Dear Mr Davey
Freedom of Information request (our ref. 12754): Internal Review
Following Ian Lister’s e-mail of 7 January 2010, I am writing to give you an
update on the progress of the internal review. I understand Mr Lister wrote
that he aimed to supply you with a response by 29 January 2010.
Please accept my apologies however I require more time to consider your
internal review request and my investigation is stil ongoing.
I aim to complete this investigation by 26 February 2010. Please accept my
apologies again for the delay in response to your request for internal review.
Yours sincerely
Lawrence CW Lui
Information Access Team
Internal review of response to request under the Freedom of Information
(FoI) Act 2000 by Mr Francis Davey (reference 12754)
Responding Unit: Information Access Team
Chronology
Original FoI request:
13 July 2009
Acknowledgement:
26
August
2009
Direct Communications Unit response: 18 September 2009
Request for internal review:
24 September 2009
Subject of request
1. Mr Davey requested the release of the list of dates and addressees of
notices served under Regulation 10 of the Data Retention (EC
Directive) Regulations since 6 April 2009.
The response by the Direct Communications Unit
2. The Direct Communications Unit (DCU) acknowledged that the Home
Office held the information Mr Davy requested. The DCU, however,
informed Mr Davey that the information wil not be released and relied
on the exemptions under sections 31 (law enforcement) and 43
(commercial interest) of the Freedom of Information Act (FoI).
Mr Davey’s request for an internal review
3. Mr Davey requested the decision to be internally reviewed by e-mail
where he wrote:
i)
On the question of s.31 (law enforcement), the information
that I have requested would not reveal the nature of any
particular criminal investigation or law enforcement activity.
Nor do I seek to know the details of the data retention carried
out by public communications providers - their legal
obligations are already a matter of public record.
The only way in which s.31 could be engaged is if the
secretary of state had failed in his duty to send notices under
s.10 to public communications providers who could then be
targeted by criminals in the knowledge that there would be
no general data retention.
That seems to me unlikely, unless there were a serious
failure to comply by the secretary of state. If that were the
case, there would be a very strong public interest in his
failure being made known.
I suggest that the public interest outweighs any prejudice to
s.31 interests.
If you do not accept this argument, I invite you to explain
clearly how you think s.31 interests might be engaged and
the nature of the balancing exercise you have carried out.
Unless I understand the reasons for your decision I wil have
to refer the matter to the Information Commissioner's Office.
i )
Disclosing redacted information
A second ground of review is that you have not disclosed to
me redacted information. I would find it useful to know the
dates on which notices were sent, even without knowing the
names of the addressees. It is inconceivable that knowledge
as to when notices were sent (but not to whom) could
prejudice law enforcement or any commercial interests.
Such redaction would only require the removal of a column
from a spreadsheet which should be technically
straightforward.
Failing that, disclosure of the *number* of notices sent to
date would be of some use and would be a further alternative
if you are not prepared to give me the redacted information.
i i)
Commercial interests (s.41)
I suggest that it is very unlikely that the commercial interests
of any public communications provider could be prejudiced in
any materially significant way. Al public communications
providers may be required to carry out data retention, many
already do even without having been notified by the
secretary of state. There is unlikely to be a significant move
of customers to unnotified providers given that notification
may occur at any time.
Procedural issues
4. Under Section 10(1) of the FoI Act, the DCU should have responded to
Mr Davey’s within twenty days of receipt Mr Davey’s FoI request.
5. Mr Davey made his FoI request on the 13 of July 2009 and sent a
chaser letter on 13 August 2009 after he did not receive a response
from the Home Office.
6. The DCU wrote to Mr Davey on 26 August 2009 and explain that there
wil be a delay in responding to his request and set a target date of 16
September 2009 for the DCU response.
7. The DCU response to Mr Davey’s FoI request was sent on 18
September 2009 with an apology that the deadline set on 16
September 2009 was not met.
8. The internal review has found that DCU did not respond to Mr Davey
within twenty days of receipt of Mr Davey’s request, thus there has
been a procedural breach.
9. Under Section 17 (b) and (c) of the FoI Act, UKBA has to cite the
exemptions they relied on and state why the exemption applies to Mr
Davey’s request.
10. UKBA wrote that they relied on the exemption allowed under Sections
31 and 43 of the FoI Act in their decision to refuse to release the
information to Mr Davey.
11. UKBA did not explain how the exemption applied to Mr Davey’s
request.
12. The internal review has found that although s17(b) was met, S17(c)
was not.
Consideration of the response
13. As part of the internal review the correspondence exchange between
Mr Davey and the DCU was reviewed.
14. As mentioned in paragraphs 9 to 12 of this internal review, the DCU
response did not comply with s17(c) of the FoI Act.
15. Considering Mr Davey’s internal review request, paragraphs 3 (i), (i )
and (i i), and the DCU’s obligations under s17(c), DCU was asked to
explain how the exemptions applied to Mr Davey’s request.
16. The DCU explained:
i)
I would like to provide you with additional clarity about the
implementation in the United Kingdom of Directive
2006/24/EC concerning “the retention of data generated or
processed in connection with the provision of publicly
available electronic communications services or of public
communications networks”; commonly known as the EU
Communications Data Retention Directive or EUDRD for
short. The lead Government department for the EUDRD is
the Home Office.
i )
As you wil be aware, the EUDRD became European Law in
March 2006. This required all EU Member States to
transpose the Directive through legislation within three years.
The UK, in common with many other Member States,
implemented the legislation in two stages. The first set of
Regulations “2007 No. 2199 ELECTRONIC
COMMUNICATIONS” related to the retention of fixed and
mobile communications and was implemented by UK
Government in September 2007. The final Regulations “2009
No. 85 Electronic Communications The Data Retention (EC
Directive) Regulations 2009” implemented the directive in
relation to internet or “IP” communications data, and
subsumed. The 2009 regulations became law in April 2009.
i i)
As concluded in the consultation document preceding the
final Regulations “Government Response to the Public
Consultation on the Transposition of Directive 2006/24/EC,”
the Home Office is concerned to ensure recital 13 of the
EUDRD was fully included in plans for implementing the
EUDRD into the UK. Recital 13 directs each Member State
to implement communications data retention in a way that
avoids duplication of stored data. There are a number of
good reasons for this.
a) Firstly, avoiding the storage of communications data by
one company already held by another company, helps
to minimise the number of people who can access the
data to no more than necessary to implement the
Directive.
b) Secondly, minimising the number of companies falling
under the EUDRD Regulations minimises the impact on
businesses. The Government takes seriously the impact
of all Regulations and information requirements on the
private sector, seeks, where possible, to minimise such
impact, and;
c) Thirdly, the costs of communications data retention are
more than justified by the benefits to society through a
better ability to prevent, investigate and prosecute those
involved in criminality and to safeguard public safety.
However, the Government is keen to avoid unnecessary
expenditure.
iv)
This approach does take some coordination and following a
suggestion from the communications industry the Home
Office introduced a Notice system. The aim of the Notice
system was to provide clarity to specific companies that they
had a responsibility for retaining communications data and
what specifically that retained data should be. This Notice
system means that a company is only obligated to retain
data under the EUDRD if they are presented with a Notice
from the Home Office to that effect.
v) Following individual discussions with a number of
companies, the first Notices have been issued. Those
discussions are necessary to help ensure that any difficulties
faced by the communications companies in complying with
the Regulations are communicated to the Home Office. It is
also important to ensure the regulations are effective in
meeting public safety requirements. In the event that two or
more companies are involved in the provision of a service
those discussions also establish the approach to be taken to
comply with the regulations.
vi)
In some cases Notices wil be issued to companies which are
not the main provider of the communications service; this
might be done for a variety of reasons. Therefore, it does not
necessarily follow, that the absence of Notice for a particular
company means that company’s data is not being retained.
vi )
After consultation with national security and law enforcement
agencies, we have determined that releasing the requested
information would be damaging to their current capabilities to
acquire communications data to protect the public. It would
make it more likely that a subject of investigation could
determine which service providers are currently inside the
scope of the retention regime and which are not. This might
change the behaviour of significant number of individuals,
who are subject of investigations, in a way that wil make it
more difficult for the national security and law enforcement
agencies to acquire communications data when necessary
and proportionate in accordance with law.
vi i) Moreover releasing the information would explicitly identify
those service providers currently subject to notices to retain
communications data. During the development of the
legislation we received representations from service
providers arguing that they should not be publicly identified
because of a risk that customers would transfer their
business to services (or companies) not named on a
retention Notice even though data generated by companies
not named in that way would stil be retain by virtue of
arrangements in place in accordance with Recital 13. We
consider that releasing this information could have a
damaging commercial effect.
Advice and assistance
17. No advice or assistance was given to Mr Davey in the DCU response
and this was not applicable in this case.
Conclusion
18. DCU fully complied with S17(b) in their response to Mr Davey, they
have however did not comply with S17(c) in their response in the first
instance.
19. DCU cited the exemptions they relied on in their response to Mr
Davey’s request; however DCU did not explain how the exemptions
applied in this case.
20. The DCU addressed this by their answer in paragraph 16 of this
internal review.
21. The answered supplied by the DCU satisfied the obligation the DCU
has to fulfil under S17(c) of the FoI Act and it also answers the
questions raised by Mr Davey in his internal request.
22. Mr Davey’s complaint is therefore partially upheld.
Information Access Team
Home Office
29 January 2010
