
PART 2 THE RETENTION NOTICE REGIME

Interpretation

Interpretation of Part 2

2.  In this Part—

“the Act” means the Data Retention and Investigatory Powers Act 2014;

“cell ID” means the identity or location of the cell from which a mobile telephony call started or in which it finished;

“service use data” means anything falling within paragraph (b) of the definition of “communications data” in section 21(4) of the Regulation of Investigatory Powers Act 2000(1) so far as that definition applies in relation to telecommunications services and telecommunication systems;

“subscriber data” means anything falling within paragraph (c) of the definition of “communications data” in section 21(4) of the Regulation of Investigatory Powers Act 2000 so far as that definition applies in relation to telecommunications services and telecommunication systems;

“telephone service” means calls (including voice, voicemail and conference and data calls), supplementary services (including call forwarding and call transfer) and messaging and multi-media services (including short message services, enhanced media services and multi-media services);

“traffic data” means anything falling within paragraph (a) of the definition of “communications data” in section 21(4) of the Regulation of Investigatory Powers Act 2000 so far as that definition applies in relation to telecommunications services and telecommunication systems;

“user ID” means a unique identifier allocated to persons when they subscribe to, or register with, an internet access service or internet communications service.

Specified data for purposes of definition of “relevant communications data”

3.  The Schedule to these Regulations specifies the communications data that is of the kind mentioned in the Schedule to the 2009 Regulations(2).

Retention notices

Retention notices

4.—(1) A retention notice must specify—

(a) the public telecommunications operator (or description of operators) to whom it relates,

(b) the relevant communications data which is to be retained,

(c) the period or periods for which the data is to be retained,

(d) any other requirements, or any restrictions, in relation to the retention of the data.

(2) A retention notice must not require any data to be retained for more than 12 months beginning with—

(a) in the case of traffic data or service use data, the day of the communication concerned, and

(b) in the case of subscriber data, the day on which the person concerned leaves the telecommunications service concerned or (if earlier) the day on which the data is changed.

(3) A retention notice which relates to data already in existence when the notice comes into force imposes a requirement to retain the data for only so much of a period of retention as occurs on or after the coming into force of the notice.

(4) A retention notice comes into force when the notice is given to the operator (or description of operators) concerned or (if later) at the time or times specified for this purpose in the notice.

(5) A retention notice is given to an operator (or description of operators) by giving or publishing it in such manner as the Secretary of State considers appropriate for bringing it to the attention of the operator (or description of operators) to whom it relates.

Safeguards

Matters to be taken into account before giving retention notices

5.—(1) Before giving a retention notice, the Secretary of State must, among other matters, take into account—

(a) the likely benefits of the notice,

(b) the likely number of users (if known) of any telecommunications service to which the notice relates,

(c) the technical feasibility of complying with the notice,

(d) the likely cost of complying with the notice, and

(e) any other impact of the notice on the public telecommunications operator (or description of operators) to whom it relates.

(2) Before giving such a notice, the Secretary of State must take reasonable steps to consult any operator to whom it relates.

Review of retention notices

6.  The Secretary of State must keep a retention notice under review.

Data integrity and security

7.—(1) A public telecommunications operator who retains communications data by virtue of section 1 of the Act must—

(a) secure that the data is of the same integrity and subject to at least the same security and protection as the data on any system from which it is derived,

(b) secure, by appropriate technical and organisational measures, that the data can be accessed only by specially authorised personnel, and

(c) protect, by appropriate technical and organisational measures, the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful retention, processing, access or disclosure.

(2) A public telecommunications operator who retains communications data by virtue of section 1 of the Act must destroy the data if the retention of the data ceases to be authorised by virtue of that section and is not otherwise authorised by law.

(3) The requirement in paragraph (2) to destroy the data is a requirement to delete the data in such a way as to make access to the data impossible.

(4) It is sufficient for the operator to make arrangements for the deletion of the data to take place at such monthly or shorter intervals as appear to the operator to be practicable.

Disclosure of retained data

8.—(1) A public telecommunications operator must put in place adequate security systems (including technical and organisational measures) governing access to communications data retained by virtue of section 1 of the Act in order to protect against any disclosure of a kind which does not fall within section 1(6)(a) of the Act.

(2) A public telecommunications operator who retains communications data by virtue of section 1 of the Act must retain the data in such a way that it can be transmitted without undue delay in response to requests.

Oversight by the Information Commissioner

9.  The Information Commissioner must audit compliance with requirements or restrictions imposed by this Part in relation to the integrity, security or destruction of data retained by virtue of section 1 of the Act.

Code of practice

10.—(1) The following provisions of the Regulation of Investigatory Powers Act 2000 have effect as if the following amendments were made to them.

(2) Section 71(2)(3) (issue and revision of codes of practice: powers and duties in respect of which code of practice must be issued) has effect as if—

(a) for “subsection (10)” there were substituted “subsections (10) and (11)”,

(b) the word “and” at the end of paragraph (b) were omitted, and

(c) after paragraph (c) there were inserted—

(d) section 1(1) to (6) of the Data Retention and Investigatory Powers Act 2014.

(3) Section 71 has effect as if, after subsection (10), there were inserted—

(11) The reference in subsection (2) to powers and duties conferred or imposed by or under section 1(1) to (6) of the Data Retention and Investigatory Powers Act 2014 does not include a reference to any such powers and duties which are conferred or imposed on the Secretary of State.

(4) Section 72(4) (effect of codes of practice: functions of relevant Commissioners) has effect as if, after paragraph (c), there were inserted—

(ca) the Information Commissioner carrying out any of the Commissioner’s functions under Part 2 of the Data Retention Regulations 2014,.

Supplementary and transitional provisions

Variation or revocation of notices

11.—(1) The Secretary of State may vary a retention notice.

(2) The Secretary of State must give or publish notice of the variation in such manner as the Secretary of State considers appropriate for bringing the variation to the attention of the public telecommunications operator (or description of operators) to whom it relates.

(3) A variation comes into force when notice of it is given or published in accordance with paragraph (2) or (if later) at the time or times specified for this purpose in the notice of variation.

(4) Regulations 4(2), 6 and 12(1)(a), and paragraphs (1), (7) and (10) of this regulation, apply in relation to a retention notice as varied as they apply in relation to a retention notice.

(5) Regulation 4(3) applies in relation to a retention notice as varied as it applies in relation to a retention notice but as if the references to the notice coming into force included references to the variation coming into force.

(6) Regulation 5 applies in relation to the making of a variation as it applies in relation to the giving of a retention notice.

(7) The Secretary of State may revoke (whether wholly or in part) a retention notice.

(8) The Secretary of State must give or publish notice of the revocation in such manner as the Secretary of State considers appropriate for bringing the revocation to the attention of the operator (or description of operators) to whom it relates.

(9) A revocation comes into force when notice of it is given or published in accordance with paragraph (8) or (if later) at the time or times provided for in the notice of revocation.

(10) The fact that a retention notice has been revoked in relation to a particular description of communications data and a particular operator (or description of operators) does not prevent the giving of another retention notice in relation to the same description of data and the same operator (or description of operators).

Enforcement of notices and certain other requirements and restrictions

12.—(1) It is the duty of a public telecommunications operator on whom a requirement or restriction is imposed by—

(a) a retention notice,

(b) section 1(6) of the Act, or

(c) regulation 7 or 8,

to comply with the requirement or restriction concerned.

(2) That duty is enforceable by civil proceedings by the Secretary of State for an injunction, or for specific performance of a statutory duty under section 45 of the Court of Session Act 1988(4), or for any other appropriate relief.

Reimbursement of expenses of compliance

13.—(1) The Secretary of State may reimburse any expenses incurred by a public telecommunications operator in complying with section 1(1) to (6) of the Act and this Part.

(2) Reimbursement may be conditional on either or both of the following—

(a) the expenses having been notified to the Secretary of State and agreed in advance;

(b) the public telecommunications operator having co-operated with any audit that may be reasonably required for the purpose of monitoring the claim for reimbursement.

Transitional provisions

14.—(1) The 2009 Regulations are revoked (but this is without prejudice to the operation of the definition of “relevant communications data” in section 2(1) of the Act).

(2) Paragraph (3) applies in relation to any notice given or published in the approved manner under the 2009 Regulations (and not fully revoked) before the day on which these Regulations come into force (a “pre-commencement notice”) and which—

(a) specifies the extent to which, and the date from which, the 2009 Regulations are to apply to a public telecommunications operator (or a description of operators including that operator), and

(b) relates to data which is not retained in the United Kingdom by another operator.

(3) Sections 1(1) to (6) and 2 of the Act and this Part apply on and after the day on which these Regulations come into force as if the pre-commencement notice were a retention notice which—

(a) is given in accordance with those sections and this Part—

(i) on the day on which these Regulations come into force, or

(ii) if later, on the day which the pre-commencement notice specifies as the day from which the 2009 Regulations are to apply,

(b) requires the retention of relevant communications data except so far as the pre-commencement notice specifies a more limited application for the 2009 Regulations, and

(c) requires the retention of that data for the period of 12 months beginning with the day of the communication concerned.

(4) Paragraph (3) ceases to apply on 1st January 2015 or on any earlier revocation in full of the pre-commencement notice.

(5) The Secretary of State may revoke (whether wholly or in part) a pre-commencement notice.

(6) The fact that a pre-commencement notice has, in relation to a particular description of data and a particular operator (or description of operators), ceased to have effect or been revoked does not prevent the giving of a retention notice in relation to the same description of data and the same operator (or description of operators).

(7) In this regulation—

“the approved manner” means such manner as the Secretary of State considered appropriate for bringing the notice to the attention of the operator concerned (or the description of operators which included the operator),

“pre-commencement notice” has the meaning given by paragraph (2).

(3) 2000 c. 23. Section 71 was amended by the Serious Crime Act 2007 (c. 27), section 88, Schedule 12, paragraphs 5 and 25; the Protection of Freedoms Act 2012 (c. 9), section 115(1), Schedule 9, paragraphs 6 and 14, and S.I. 2011/1340.