The government and Law Society are making available a bespoke training course to help professionals protect themselves from information breaches and other threats. Ed Vaizey, minister for the digital economy, said: ‘Members of the legal and accountancy professions deal with sensitive client information on a daily basis and can be a target for cyber-attacks.’
Quite so. But it is a shame that the government is failing to grapple with the cybersnake that lies in its own nest and its potential impact on legal privilege. That snake goes by the name of RIPA – the Regulation of Investigatory Powers Act 2000. Much has been written about RIPA recently in the context of its use by the police to obtain, covertly and with no judicial sanction or oversight, details of phone calls to and from the Sun during the Andrew Mitchell ‘Plebgate’ inquiry.
There was also the secret acquisition by Kent Police of phone and billing records to unmask a source linked to the Mail on Sunday in connection with the Chris Huhne and Vicky Pryce speeding points scandal. Suffolk Police also admitted using RIPA to trace a source who told an Ipswich Star reporter about the reopening of a rape investigation, although the newspaper did not publish the story. The Interception of Communications Commissioner’s Office has now announced an inquiry into this use of RIPA. The police say their use of RIPA has been lawful, justified and proportionate.
Lawyers should not be complacent. The Society has long expressed concern about the absence of any explicit protection in RIPA for legal professional privilege. Earlier this year Leigh Day, representing Libyan clients who were kidnapped and ‘rendered’ to Libya in 2004, felt impelled to seek an injunction from the Investigatory Powers Tribunal over concerns that the government was intercepting their communications with their clients.
The government eventually agreed that it would not misuse legally privileged information contained in emails between Leigh Day and its clients, which it routinely intercepts through its mass data interception programmes.
Some believe that, as the acquisition and disclosure of communications data does not reveal content, but rather is about business records, privilege is not engaged or threatened. The fact that a communication took place does not provide what was discussed or considered or advised, and as such does not contain material that may be said to be professionally or legal privileged.
But since the Edward Snowden disclosures, the implications of the usefulness of communications data have become apparent. As a Home Office memo on the human rights aspects of the Data Retention and Investigatory Powers Bill said in July: ‘Communications data is the context not the content of a communication. It can be used to demonstrate who was communicating; when; from where; and with whom. It can include the time and duration of a communication, the number or email address of the originator and recipient, and sometimes the location of the device from which the communication was made.’
As NSA general counsel Stewart Baker said after the Snowden revelations: ‘Metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.’ In its oral evidence to the parliamentary Intelligence and Security Committee in October 2012, the Home Office conceded: ‘The distinction between data and content, you can argue, is muddied in the internet world.’
This is data that can reveal who a client is, when and where they were contacted, and even details about what the client did before and after a conversation with their solicitor.
As the Society acknowledged in its recent submission to the investigatory powers review: ‘The ability to mine communications data is now so great that much information about individuals’ activities and lives can be gleaned simply from their traffic; and consequently the distinction between data and content is no longer so important in the determination of legislative interference and safeguards.’
All of which leads to the real possibility of acquisition by state agencies and public authorities of information that has the potential to breach solicitor and client privilege. And it is not just lawyers and journalists. Anyone who communicates in confidence with clients or customers – GPs, MPs, NGOs – is potentially vulnerable.
This acquisition of communications data does not need any judicial or independent sanction. It is self-sanctioned by a range of public bodies, not just the intelligence and security agencies and the police. Further, communications data may be obtained if it is necessary ‘for the purpose of preventing or detecting crime or of preventing disorder’. There is no requirement for an investigation to be into major or serious crime.
The Code of Practice on the Interception of Communications – which deals with content – acknowledges the need for consideration of communications where religious, medical, journalistic or legally privileged material may be involved. The Code on the Acquisition and Disclosure of Communications Data is silent on this.
The government has said it will amend this code, ‘ensuring that where there may be concerns relating to professions that handle privileged information (eg lawyers or journalists), law enforcement should give additional consideration of the level of intrusion’.
The Home Office has pledged to ‘strengthen the relevant code of practice to ensure extra consideration should be given to a communications data request involving those in sensitive professions, such as journalists’. It anticipates that the revised code will be published in draft this autumn and, following public consultation, laid in parliament before Christmas.
This is inadequate. Under RIPA, while codes of practice should be considered, a failure to comply with any provision of a code does not render anyone liable to any criminal or civil proceedings. Professional information needs more than a mention in a code; it should be given proper judicial protection and independent oversight.
RIPA is out of date and needs to be reviewed urgently.
Gillian Phillips is director of editorial legal services at Guardian News & Media Ltd