Data retention laws: Is your data safe in the hands of those who collect and access it?

Data retention laws require telecommunications companies to keep telephone and internet traffic data for a certain period of time, during which it can be accessed by law enforcement and security agencies. For example, in 2015 the Australian Parliament passed the Telecommunications (Interception and Access) Amendment (Data Retention) Act requiring the telecommunications industry to retain a set of metadata for two years, and in 2014 the UK Parliament passed the Data Retention and Investigatory Powers Act.

Much of the concern in regard to data retention laws has centred on what information will be retained (in particular, data or metadata), and who will have access to it and for what purposes. But an equally important issue is this: how safe is our data in the hands of the law enforcement and security agencies who collect and access it?

Against the backdrop of the proposed further strengthening of data retention laws in the UK through the Investigatory Powers Bill, civil liberties organisation Big Brother Watch has published the report Safe in Police hands? How Police Forces suffer 10 data breaches every week and still want more of your data¹.

The report reviews UK police records to find that:

• In the past 5 years there have been 2,315 breaches in police forces, including the following:
  • 869 (38%) instances of inappropriate/unauthorised access to information
  • 877 (38%) instances of inappropriate disclosure of data to third parties.
• 25 cases involved misuse of the Police National Computer.
• 1283 (55%) cases resulted in no disciplinary or formal disciplinary action being taken.
• 297 (13%) cases resulted in either a resignation or dismissal.
• 70 (3%) cases resulted in a criminal conviction or a caution.
• 258 (11%) cases resulted in either a written or verbal warning.

In response, Big Brother Watch is pushing for custodial sentences for serious data breaches, arguing that existing penalties are inadequate. Their recommendations are:

1. The introduction of custodial sentences for serious data breaches.
2. Where a serious breach is uncovered the individual should be given a criminal record.
3. The mandatory reporting of a breach that concerns a member of the public.
4. The removal of Internet Connection Records from the Investigatory Powers Bill.
5. Adoption of the General Data Protection Regulations.

The General Data Protection Regulation is a proposed new data protection arrangement for the EU, which Big Brother Watch argues the UK should still adopt despite its recent decision to leave the EU.

Reference:

Also published on Medium.