Citation and commencement
1. (1) These Regulations may be cited as the Data Retention (EC Directive) Regulations 2009.
(2) These Regulations come into force on 6th April 2009.
2. In these Regulations—
(a)“cell ID” means the identity or location of the cell from which a mobile telephony call started or in which it finished;
(b)“communications data” means traffic data and location data and the related data necessary to identify the subscriber or user;
(c)“the Data Retention Directive” means Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC;
(d)“location data” means data processed in an electronic communications network indicating the geographical position of the terminal equipment of a user of a public electronic communications service, including data relating to—
(i)the latitude, longitude or altitude of the terminal equipment,
(ii)the direction of travel of the user, or
(iii)the time the location information was recorded;
(e)“public communications provider” means—
(i)a provider of a public electronic communications network, or
(ii)a provider of a public electronic communications service;
and “public electronic communications network” and “public electronic communications service” have the meaning given in section 151 of the Communications Act 2003(1);
(f)“telephone service” means calls (including voice, voicemail and conference and data calls), supplementary services (including call forwarding and call transfer) and messaging and multi-media services (including short message services, enhanced media services and multi-media services);
(g)“traffic data” means data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing in respect of that communication and includes data relating to the routing, duration or time of a communication;
(h)“user ID” means a unique identifier allocated to persons when they subscribe to or register with an internet access service or internet communications service.
Communications data to which these Regulations apply
3. These Regulations apply to communications data if, or to the extent that, the data are generated or processed in the United Kingdom by public communications providers in the process of supplying the communications services concerned.
Obligation to retain communications data
4. (1) It is the duty of a public communications provider to retain the communications data specified in the following provisions of the Schedule to these Regulations—
(a)Part 1 (fixed network telephony);
(b)Part 2 (mobile telephony);
(c)Part 3 (internet access, internet e-mail or internet telephony).
(2) The obligation extends to data relating to unsuccessful call attempts that—
(a)in the case of telephony data, are stored in the United Kingdom, or
(b)in the case of internet data, are logged in the United Kingdom.
(3) An “unsuccessful call attempt” means a communication where a telephone call has been successfully connected but not answered or there has been a network management intervention.
(4) The obligation does not extend to unconnected calls.
(5) No data revealing the content of a communication is to be retained in pursuance of these Regulations.
The retention period
5. The data specified in the Schedule to these Regulations must be retained by the public communications provider for a period of 12 months from the date of the communication in question.
Data protection and data security
6. (1) Public communications providers must observe the following principles with respect to data retained in accordance with these Regulations—
(a)the retained data must be of the same quality and subject to the same security and protection as those data on the public electronic communications network;
(b)the data must be subject to appropriate technical and organisational measures to protect the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful storage, processing, access or disclosure;
(c)the data must be subject to appropriate technical and organisational measures to ensure that they can be accessed by specially authorised personnel only;
(d)except in the case of data lawfully accessed and preserved, the data retained solely in accordance with these Regulations must be destroyed at the end of the retention period.
(2) It is the duty of the Information Commissioner, as the Supervisory Authority designated for the purposes of Article 9 of the Data Retention Directive, to monitor the application of the provisions of these Regulations with respect to the security of stored data.
(3) As regards the destruction of data at the end of the retention period—
(a)the duty of a public communications provider is to delete the data in such a way as to make access to the data impossible; and
(b)it is sufficient for a public communications provider to make arrangements for the operation of so deleting data to take place at such monthly or shorter intervals as appear to the provider to be convenient.
Access to retained data
7. Access to data retained in accordance with these Regulations may be obtained only—
(a)in specific cases, and
(b)in circumstances in which disclosure of the data is permitted or required by law.
Storage requirements for retained data
8. The data retained in pursuance of these Regulations must be retained in such a way that it can be transmitted without undue delay in response to requests.
9. (1) A public communications provider must provide the Secretary of State, as soon as practicable after 31st March in any year, with the following information in respect of the period of twelve months ending with that date.
(2) The information required is—
(a)the number of occasions when data retained in accordance with these Regulations have been disclosed in response to a request;
(b)the time elapsed between the date on which the data were retained and the date on which transmission of the data was requested;
(c)the number of occasions when a request for lawfully disclosable data retained in accordance with these Regulations could not be met.
(3) The Secretary of State may, by notice given in writing to a public communications provider, vary the date specified in paragraph (1).
(4) The notice may contain such transitional provision as appears to the Secretary of State to be necessary in consequence of the variation.
Data retained by another communications provider
10. (1) These Regulations do not apply to a public communications provider unless the provider is given a notice in writing by the Secretary of State in accordance with this regulation.
(2) The Secretary of State must give a written notice to a public communications provider under paragraph (1) unless the communications data concerned are retained in the United Kingdom in accordance with these Regulations by another public communications provider.
(3) Any such notice must specify—
(a)the public communications provider, or category of public communications providers, to whom it is given, and
(b)the extent to which, and the date from which, the provisions of these Regulations are to apply.
(4) The notice must be given or published in a manner the Secretary of State considers appropriate for bringing it to the attention of the public communications provider, or the category of providers, to whom it given.
(5) It is the duty of a public communications provider to whom a notice is given under this regulation to comply with it.
(6) That duty is enforceable by civil proceedings by the Secretary of State for an injunction, or for specific performance of a statutory duty under section 45 of the Court of Session Act 1988(2), or for any other appropriate relief.
Reimbursement of expenses of compliance
11. (1) The Secretary of State may reimburse any expenses incurred by a public communications provider in complying with the provisions of these Regulations.
(2) Reimbursement may be conditional on the expenses having been notified to the Secretary of State and agreed in advance.
(3) The Secretary of State may require a public communications provider to comply with any audit that may be reasonably required to monitor a claim for reimbursement.
12. (1) The Data Retention (EC Directive) Regulations 2007(3), which are superseded by these Regulations, are revoked.
(2) Anything done under or for the purposes of those Regulations that could have been done under or for the purposes of the corresponding provision of these Regulations (if it had been in force at the time) shall be treated on and after these Regulations come into force as if it had been done under or for the purposes of that corresponding provision.
Minister of State