The new Policing Bill fails to provide sufficient safeguards around extraction of victims' data.
PI's analysis of the Police, Crime, Sentencing and Courts Bill demonstrates inability of the Bill to sufficiently safeguard individuals' privacy when extracting information from electronic devices.
- the Police, Crime, Sentencing and Courts Bill fails to safeguard individuals' data and privacy rights when the Police collect and analyse their phones
- Relying on the "consent" of victims and witnesses of crime is not appropriate for such far reaching powers
- We are calling for numerous amendments to the Bill, and for a public consultation on the Code of Practice in relation to data extraction
The Police, Crime, Sentencing and Courts (PCSC) Bill is currently being scrutinised by numerous civil society organisations such as Amnesty International UK and Liberty for its damaging impacts on peaceful protests, however it also contains important provisions regarding when, if and how the police and other governmental authorities can extract data from your phones and other electronic devices.
Chapter 3 of the PCSC Bill is a legislative response to the UK's Information Commissioner's Office report published in June 2020, which was highly critical of the Police use of mobile phone extraction technologies.
The ICO produced the report as a result of a PI complaint, after our investigation into the use of mobile phone extraction (MPE) by Police in the UK. In our complaint, we highlighted numerous issues surrounding the use of MPE, including the lack of legal basis, absence of safeguards and independent oversight for this power.
The information accessed by the police not only relates to you, but contains personal data, such as messages or photos, related to family, friends and colleagues. The police may store all of this data indefinitely, and combine it with other information they hold to build up an even more intrusive picture of our lives. The PCSC Bill aims to introduce a new statutory power enabling the police to obtain digital evidence from devices, providing safeguards are followed, and ensuring that only the relevant information is taken. With the revival of this proposed Bill, we find instead that it is particularly scant on these areas. As a result, we are calling for a public consultation on the proposed Code of Practice on obtaining digital evidence.
Our main concerns regarding Chapter 3 of the PCSC Bill:
1. Continued reliance on "consent" of victims and witnesses to hand over their devices
Section 36 of the Bill provides that an authorised person, such as a police officer, can extract data from an electronic device if the user of a device has:
a) voluntarily provided it, and;
b) has agreed to the extraction of data from that device.
In our complaint to the ICO we argued that whilst police forces have often relied on consent from victims and witnesses to take and analyse their phones, this is not appropriate.
First, under data protection legislation, consent needs to be freely given, specific and informed. It is questionable whether consent to the taking of a device can be 'freely given', in light of the inherent power imbalance between an individual and a police officer. The ICO was also concerned in its report that victims and witnesses may be worried that a decision not to consent to the process will impact on the progress of their case. Similar concerns have also been highlighted by Big Brother Watch in relation to victims of rape and sexual assault.
Second, under Data Protection Act 2018, the owner of the device cannot provide consent on behalf of all others whose data is stored on their device, such as family and friends. Finally, the Bill is silent on the ability of the individual to withdraw their consent to gathering and storage of their data at any time. If individual 'voluntarily' provides the device, they should be able to change their mind and request that any extracted data is deleted. However, it appears from the Bill that once initial consent is given to take possession of the phone and extract data from it, there is no way of going back. Considering the problematic nature of consent, we are very concerned that the new statutory measure to collect devices and gather all of the information from them rests on it.
2. The Bill fails to provide that the gathering of data from devices needs to be limited to strict lines of enquiry.
Despite promising to provide sufficient safeguards and ensure that only relevant information is gathered, the new PCSC Bill fails to do so. Section 36(6) and (7) simply provide that if there is a risk of obtaining more information than necessary (which will exist every time a device is taken) the police forces will only need to consider if there are other ways to gather this information and if this would be practical to pursue.
This falls short of providing sufficient safeguards to ensure that police officers and others do not simply grab all the data that is available on the device. The ICO report was also very critical of this aspect and stated that the police cannot seize phones to go on fishing expeditions, but must focus any extraction on clear lines of enquiry.
Further, the ICO report confirmed PI's concerns that the data extracted and processed from the mobile phones was often too excessive. Despite the availability of privacy-enhancing functions in the software tools, police forces simply grabbed more data than necessary in the investigative process. At the moment, the new PCSC Bill fails to address these issues and does not provide sufficient safeguards for individuals' privacy rights. We therefore believe that the PCSC Bill needs to include clear provisions setting out that only the data relating to clear lines of enquiry should be gathered from devices.
3. The definition of 'authorised persons' is too broad.
The list of 'authorised persons' in Schedule 3 of the PCSC Bill who can collect devices is very broad. It not only includes police officers and constables, but also 'employees of Common Council of the City of London', and immigration officers. Including immigration officers is concerning, as the Bill could potentially lead to misuse of their powers enabling immigration officers to gather and analyse all devices from asylum seekers.
As currently drafted, the PCSC Bill can be interpreted to treat all asylum claimants as either witnesses or victims of smuggling to justify the taking of their devices and gathering of all of their data. Again, issues surrounding whether asylum seekers, refugees and other migrants could ever 'voluntarily' hand over the devices and 'agree' to data extraction is questionable. Especially in light of the inherent power imbalance between them and immigration officers, and fears of their claims being rejected if they do not hand over their phones.
We therefore argue that the 'authorised persons' definition must be limited to police officers and constables.
4. Failure to provide for adequate redress mechanisms
Crucially, the PCSC Bill fails to provide any detail of redress that can be pursued if 'authorised persons' have misused their powers under its provisions. The PCSC Bill simply states in section 40 that the Code of Practice will be published, which will outline more details about how the powers can be practically used. However, PCSC Bill in section 40(7) also provides that a failure to act in accordance with the Code does not by itself render the person liable to any criminal or civil proceedings.
The complete silence on redress mechanisms by the PCSC Bill is worrying considering the ICO report stated there were numerous security risks regarding how the police collected and stored the data from victims' and witnesses' mobile phones. The ICO also found that the data obtained from suspects, complaints and witnesses was not always categorised and kept together in bulk, leading to risks of serious compliance failures.
Crucially, the ICO’s investigation also highlighted that there were numerous security concerns regarding unauthorised access and unintentional disclosure of extracted data. The highly sensitive personal data held was not always being encrypted whilst being exported to other digital media. The unencrypted data was variously put on CDs, DVDs and USB drives, and often transported by couriers or other unsecured means. We therefore argue that the PCSC Bill must include what redress procedures and oversight mechanisms will be adopted.
Considering the PCSC Bill fails to address these concerns and safeguard individuals' data and privacy rights, we believe that Chapter 3 of the PCSC Bill must be amended. We are also calling for a public consultation on the relevant Code of Practice.