Data Protection

Question for Home Office

UIN 56901, tabled on 9 December 2016

To ask the Secretary of State for the Home Department, what safeguards are in place to ensure that data held under the Investigatory Powers Act 2016 is secure; and what discussions she has had with internet service providers on that matter.

Answered on

19 December 2016

The Government is committed to ensuring sufficient safeguards are in place to keep retained data secure. Communications service providers (CSPs) must comply with the Data Protection Act 1998 and the Privacy and Electronic Communication Regulations 2003. In addition to these general requirements, CSPs required to retain data under the Investigatory Powers Act must put in place appropriate technical and organisational measures to ensure that the data is adequately protected while it is being retained. They will also be required to follow the principles of security, integrity and destruction in the draft Communications Data Code of Practice. Furthermore, the systems the data is retained in are built to meet stringent security requirements. Where appropriate, data is retained in dedicated stores and securely separated from business systems by a firewall. The Act requires the Information Commissioner to audit the security of retained data.

The Government maintain regular engagement with CSPs subject to retention notices and have a strong track record of ensuring the security of retained communications data. There was a considerable amount of engagement with CSPs during the passage of the Investigatory Powers Act, including the previous Home Secretary, other Ministers and officials meeting the operators most likely to be required to retain data. Engagement is ongoing as we implement the Act.

Answered by

Home Office