The Counter-Terrorism and Security Act 2015, which received Royal Assent last week, has some network-related provisions among its various powers relating to terrorism. Section 21 adds further “relevant internet data” to the list of information that public telecommunications operators may be required to retain about the use of their networks and systems. Although in Parliament Ministers explained that this extra information was concerned with the allocation and translation of IP addresses – trying to remove gaps in logging that prevent internet activity being linked to a network subscriber – the drafting of the Act itself is very hard to follow. Fortunately, from a Janet perspective, the new requirement is an amendment to last year’s Data Retention and Investigatory Powers Act 2014 (DRIPA), so applies:
- only to “public telecommunications operators” (DRIPA s1(1)) (so not to the majority of Janet-connected organisations), and
- only to data already “generated or processed” by those operators in the course of supplying the telecommunications services (DRIPA s2(1)) (so not requiring collection of new data), and
- only when the operator receives a notice from the Home Office (DRIPA s1(1)).
Any Janet customers who do offer public network access should discuss with their partner Internet Access Provider the arrangements that may be required if such a notice is issued.
Section 26 of the Act creates a general duty on specified authorities to “have due regard to the need to prevent people being drawn into terrorism” (s26(1)). Schedule 6 of the Act lists schools, colleges and universities as “specified authorities”. The Secretary of State may (s29(1)) issue guidance to authorities on how they should comply with this duty; any such guidance must be approved by vote in Parliament (s29(5)). This guidance appears most likely to concentrate on organisational and policy issues, however draft guidance published for consultation before Christmas did include a requirement on schools, colleges and universities to “consider Internet filtering”. However the Government has said that the guidance will be amended following the consultation and comments in Parliament; more recently the Minister has mentioned “a policy on misuse of computer equipment” as an example of a measure that might be required. Since education is devolved matter, the authorities in Scotland, Wales and Northern Ireland may either follow the Westminster approach or provide their own guidance. Jisc will continue to work with bodies representing our customers to ensure that guidance is practical and effective (like, for example, the existing UUK guidance on Safe Campus Communities).