‘Snooper’s Charter’ Needs Clarity Over “Strict Requirements”

In response to recent developments of the Investigatory Powers Bill otherwise known as the ‘Snoopers Charter’, Richard Stiennon, Chief Strategy Officer at Blancco Technology Group commented below.

Richard Stiennon, Chief Strategy Officer at Blancco Technology Group:

“On the one hand, I can see why law enforcement officials would be in favour of having access to a year’s worth of data on people’s emails, phone calls and web activities because it could help them solve criminal cases. But at the heart of this legislation is a bigger issue. How long is it acceptable to store user data? And could holding onto data for an extensive period of time leave it vulnerable to data loss/theft?

The reason I ask these questions is because I’ve seen it time and time again – data is collected, tracked, analysed and stored by companies and even government agencies for a long period of time (sometimes several years). And more often than not, there are no established data management, retention and removal policies in place. So unauthorized access to data becomes the norm and on top of that, data is often supposedly ‘deleted’ using methods like quick format, reformatting, dragging files to the Recycle Bin on computers (and emptying it out) and even blanket-using the factory reset on every mobile device operating system (be it Android, iOS, Windows or other OS). So if data is stored for extensive periods of time and the data hasn’t been permanently and completely erased when the time demands it (for example, when a government agency disposes of, recycles or resells old equipment, or a government employee ends their employment), large amounts of data are left exposed and vulnerable to data loss/theft.

With legislation like the Snoopers’ Charter, it should be about finding the right balance between how organizations collect, store and manage user data and how users’ privacy is safeguarded. One should not be made possible at the sacrifice of the other. Until we have greater clarity over what the legislation’s “strict requirements” are and how data management practices are established and enforced, I would have serious reservations about this legislation being adopted.”