The Data Retention (EC Directive) Regulations 2009

Draft Regulations laid before Parliament under paragraph 2(2) of Schedule 2 to the European Communities Act 1972, for approval by resolution of each House of Parliament.

Draft Statutory Instruments

2009 No.

Electronic Communications

The Data Retention (EC Directive) Regulations 2009

Made

Coming into force: 6th April 2009

The Secretary of State, being a Minister designated(1) for the purposes of section 2(2) of the European Communities Act 1972(2) in respect of matters relating to electronic communications, in exercise of the powers conferred by that section, makes the following Regulations (a draft of which has been approved by each House of Parliament):

Citation and commencement

1.—(1) These Regulations may be cited as the Data Retention (EC Directive) Regulations 2009.

(2) These Regulations come into force on 6th April 2009.

Interpretation

2.  In these Regulations—

(a) “cell ID” means the identity or location of the cell from which a mobile telephony call started or in which it finished;

(b) “communications data” means traffic data and location data and the related data necessary to identify the subscriber or user;

(c) “the Data Retention Directive” means Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC;

(d) “location data” means data processed in an electronic communications network indicating the geographical position of the terminal equipment of a user of a public electronic communications service, including data relating to—

(i) the latitude, longitude or altitude of the terminal equipment,

(ii) the direction of travel of the user, or

(iii) the time the location information was recorded;

(e) “public communications provider” means—

(i) a provider of a public electronic communications network, or

(ii) a provider of a public electronic communications service;

and “public electronic communications network” and “public electronic communications service” have the meaning given in section 151 of the Communications Act 2003(3);

(f) “telephone service” means calls (including voice, voicemail and conference and data calls), supplementary services (including call forwarding and call transfer) and messaging and multi-media services (including short message services, enhanced media services and multi-media services);

(g) “traffic data” means data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing in respect of that communication and includes data relating to the routing, duration or time of a communication;

(h) “user ID” means a unique identifier allocated to persons when they subscribe to or register with an internet access service or internet communications service.

Communications data to which these Regulations apply

3.  These Regulations apply to communications data if, or to the extent that, the data are generated or processed in the United Kingdom by public communications providers in the process of supplying the communications services concerned.

Obligation to retain communications data

4.—(1) It is the duty of a public communications provider to retain the communications data specified in the following provisions of the Schedule to these Regulations—

(a) Part 1 (fixed network telephony);

(b) Part 2 (mobile telephony);

(c) Part 3 (internet access, internet e-mail or internet telephony).

(2) The obligation extends to data relating to unsuccessful call attempts that—

(a) in the case of telephony data, are stored in the United Kingdom, or

(b) in the case of internet data, are logged in the United Kingdom.

(3) An “unsuccessful call attempt” means a communication where a telephone call has been successfully connected but not answered or there has been a network management intervention.

(4) The obligation does not extend to unconnected calls.

(5) No data revealing the content of a communication is to be retained in pursuance of these Regulations.

The retention period

5.  The data specified in the Schedule to these Regulations must be retained by the public communications provider for a period of 12 months from the date of the communication in question.

Data protection and data security

6.—(1) Public communications providers must observe the following principles with respect to data retained in accordance with these Regulations—

(a) the retained data must be of the same quality and subject to the same security and protection as those data on the public electronic communications network;

(b) the data must be subject to appropriate technical and organisational measures to protect the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful storage, processing, access or disclosure;

(c) the data must be subject to appropriate technical and organisational measures to ensure that they can be accessed by specially authorised personnel only;

(d) except in the case of data lawfully accessed and preserved, the data retained solely in accordance with these Regulations must be destroyed at the end of the retention period.

(2) It is the duty of the Information Commissioner, as the Supervisory Authority designated for the purposes of Article 9 of the Data Retention Directive, to monitor the application of the provisions of these Regulations with respect to the security of stored data.

(3) As regards the destruction of data at the end of the retention period—

(a) the duty of a public communications provider is to delete the data in such a way as to make access to the data impossible; and

(b) it is sufficient for a public communications provider to make arrangements for the operation of so deleting data to take place at such monthly or shorter intervals as appear to the provider to be convenient.

Access to retained data

7.  Access to data retained in accordance with these Regulations may be obtained only—

(a) in specific cases, and

(b) in circumstances in which disclosure of the data is permitted or required by law.

Storage requirements for retained data

8.  The data retained in pursuance of these Regulations must be retained in such a way that it can be transmitted without undue delay in response to requests.

Statistics

9.—(1) A public communications provider must provide the Secretary of State, as soon as practicable after 31st March in any year, with the following information in respect of the period of twelve months ending with that date.

(2) The information required is—

(a) the number of occasions when data retained in accordance with these Regulations have been disclosed in response to a request;

(b) the time elapsed between the date on which the data were retained and the date on which transmission of the data was requested;

(c) the number of occasions when a request for lawfully disclosable data retained in accordance with these Regulations could not be met.

(3) The Secretary of State may, by notice given in writing to a public communications provider, vary the date specified in paragraph (1).

(4) The notice may contain such transitional provision as appears to the Secretary of State to be necessary in consequence of the variation.

Data retained by another communications provider

10.—(1) These Regulations do not apply to a public communications provider unless the provider is given a notice in writing by the Secretary of State in accordance with this regulation.

(2) The Secretary of State must give a written notice to a public communications provider under paragraph (1) unless the communications data concerned are retained in the United Kingdom in accordance with these Regulations by another public communications provider.

(3) Any such notice must specify—

(a) the public communications provider, or category of public communications providers, to whom it is given, and

(b) the extent to which, and the date from which, the provisions of these Regulations are to apply.

(4) The notice must be given or published in a manner the Secretary of State considers appropriate for bringing it to the attention of the public communications provider, or the category of providers, to whom it is given.

(5) It is the duty of a public communications provider to whom a notice is given under this regulation to comply with it.

(6) That duty is enforceable by civil proceedings by the Secretary of State for an injunction, or for specific performance of a statutory duty under section 45 of the Court of Session Act 1988(4), or for any other appropriate relief.

Reimbursement of expenses of compliance

11.—(1) The Secretary of State may reimburse any expenses incurred by a public communications provider in complying with the provisions of these Regulations.

(2) Reimbursement may be conditional on the expenses having been notified to the Secretary of State and agreed in advance.

(3) The Secretary of State may require a public communications provider to comply with any audit that may be reasonably required to monitor a claim for reimbursement.

Revocation

12.—(1) The Data Retention (EC Directive) Regulations 2007(5), which are superseded by these Regulations, are revoked.

(2) Anything done under or for the purposes of those Regulations that could have been done under or for the purposes of the corresponding provision of these Regulations (if it had been in force at the time) shall be treated on and after these Regulations come into force as if it had been done under or for the purposes of that corresponding provision.

Name

Minister of State

Home Office

Date

Regulation 4

SCHEDULE

COMMUNICATIONS DATA TO BE RETAINED

PART 1

FIXED NETWORK TELEPHONY

Data necessary to trace and identify the source of a communication

1.—(1) The calling telephone number.

(2) The name and address of the subscriber or registered user of any such telephone.

Data necessary to identify the destination of a communication

2.—(1) The telephone number dialled and, in cases involving supplementary services such as call forwarding or call transfer, any telephone number to which the call is forwarded or transferred.

(2) The name and address of the subscriber or registered user of any such telephone.

Data necessary to identify the date, time and duration of a communication

3.  The date and time of the start and end of the call.

Data necessary to identify the type of communication

4.  The telephone service used.

PART 2

MOBILE TELEPHONY

Data necessary to trace and identify the source of a communication

5.—(1) The calling telephone number.

(2) The name and address of the subscriber or registered user of any such telephone.

Data necessary to identify the destination of a communication

6.—(1) The telephone number dialled and, in cases involving supplementary services such as call forwarding or call transfer, any telephone number to which the call is forwarded or transferred.

(2) The name and address of the subscriber or registered user of any such telephone.

Data necessary to identify the date, time and duration of a communication

7.  The date and time of the start and end of the call.

Data necessary to identify the type of communication

8.  The telephone service used.

Data necessary to identify users’ communication equipment (or what purports to be their equipment)

9.—(1) The International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI) of the telephone from which a telephone call is made.

(2) The IMSI and the IMEI of the telephone dialled.

(3) In the case of pre-paid anonymous services, the date and time of the initial activation of the service and the cell ID from which the service was activated.

Data necessary to identify the location of mobile communication equipment

10.—(1) The cell ID at the start of the communication.

(2) Data identifying the geographic location of cells by reference to their cell ID.

PART 3

INTERNET ACCESS, INTERNET E-MAIL OR INTERNET TELEPHONY

Data necessary to trace and identify the source of a communication

11.—(1) The user ID allocated.

(2) The user ID and telephone number allocated to the communication entering the public telephone network.

(3) The name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication.

Data necessary to identify the destination of a communication

12.—(1) In the case of internet telephony, the user ID or telephone number of the intended recipient of the call.

(2) In the case of internet e-mail or internet telephony, the name and address of the subscriber or registered user and the user ID of the intended recipient of the communication.

Data necessary to identify the date, time and duration of a communication

13.—(1) In the case of internet access—

(a) The date and time of the log-in to and log-off from the internet access service, based on a specified time zone,

(b) The IP address, whether dynamic or static, allocated by the internet access service provider to the communication, and

(c) The user ID of the subscriber or registered user of the internet access service.

(2) In the case of internet e-mail or internet telephony, the date and time of the log-in to and log-off from the internet e-mail or internet telephony service, based on a specified time zone.

Data necessary to identify the type of communication

14.  In the case of internet e-mail or internet telephony, the internet service used.

Data necessary to identify users’ communication equipment (or what purports to be their equipment)

15.—(1) In the case of dial-up access, the calling telephone number.

(2) In any other case, the digital subscriber line (DSL) or other end point of the originator of the communication.

EXPLANATORY NOTE

(This note is not part of the Regulations)

These Regulations implement Directive 2006/24/EC (“the Data Retention Directive”) of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.

The Data Retention (EC Directive) Regulations 2007 implemented the Data Retention Directive with respect to fixed network and mobile telephony. The United Kingdom made a declaration pursuant to Article 15.3 of the Data Retention Directive that it would postpone application of that Directive to the retention of communications data relating to internet access, internet telephony and internet e-mail. These Regulations implement the Data Retention Directive with respect to those forms of data, and revoke the Data Retention (EC Directive) Regulations 2007 which are superseded by these Regulations.

The Regulations impose a requirement on public communications providers (“providers”), as defined in regulation 2, to retain the categories of communications data specified in the Schedule to the Regulations. The Regulations apply to all providers to whom a written notice has been given by the Secretary of State in accordance with regulation 10. Regulation 4 makes provision regarding the obligation to retain the data specified in the Schedule.

Such data must be retained, in accordance with regulation 5, for a period of 12 months from the date of the communication in question. The data must be stored in accordance with the requirements in regulation 8, and may only be accessed in accordance with regulation 7.

Data protection and data security are provided for in regulation 6. Regulation 6(2) provides that the Information Commissioner, as the designated Supervisory Authority for the purposes of Article 9 of the Data Retention Directive, is responsible for monitoring the application of these Regulations with respect to the security of stored data.

There is a requirement on providers to provide statistics to the Secretary of State in regulation 9.

Regulation 11 provides that the Secretary of State may make arrangements for reimbursing any expenses incurred by providers in complying with the Regulations.