Citation and commencement

1.  These Regulations may be cited as the Data Retention (EC Directive) Regulations 2007 and shall come into force on 1^st October 2007.

Interpretation

2.  In these Regulations—

(a)‘cell ID’ means the identity or location label of the cell from which a mobile telephony call was made or received;

(b)‘data’ means traffic data and location data, as defined in paragraph (g), and the related data necessary to identify the subscriber and the registered user;

(c)‘personal data’ has the meaning given in section 1 of the Data Protection Act 1998(3);

(d)‘public communications provider’ means:

(i)a provider of a public electronic communications network; or

(ii)a provider of a public electronic communications service;

(e)‘public electronic communications network’ and ‘public electronic communications service’ have the meaning given in section 151 of the Communications Act 2003(4);

(f)‘telephone service’ means calls (including voice, voicemail and conference and data calls), supplementary services (including call forwarding and call transfer) and messaging and multi-media services (including short message services, enhanced media services and multi-media services);

(g)‘traffic data’ and ‘location data’ have the meaning given in regulation 2 of the Privacy and Electronic Communications (EC Directive) Regulations 2003(5);

(h)‘unsuccessful call attempt’ means a communication where a telephone call has been successfully connected but not answered or there has been a network management intervention.

Application

3.—(1) Subject to paragraph (2), these Regulations shall apply to all public communications providers.

(2) These Regulations shall not apply, except where written notice has been given by the Secretary of State, to a public communications provider whose data are retained in the United Kingdom in accordance with these Regulations by another public communications provider.

(3) If only a part of that data is so retained by another public communications provider, these Regulations apply to the public communications provider only with respect to the data not so retained.

(4) A written notice must be given or published in such a manner as the Secretary of State considers appropriate for bringing it to the attention of the public communications provider or the category of providers to whom it applies and must specify the extent to which and the date from which these Regulations are to apply.

Obligation to retain data

4.—(1) Subject to paragraphs (4) and (5), the data specified in regulation 5 must be retained to the extent that those data are generated or processed by a public communications provider in the process of supplying the communications services concerned.

(2) The data specified in regulation 5 are to be retained by the public communications provider for a period of 12 months from the date of the communication.

(3) The duty to retain data under paragraph (1) includes the retention of the data specified in regulation 5 relating to an unsuccessful call attempt where those data are generated or processed, and stored, in the United Kingdom by a public communications provider in the process of supplying the communication services concerned.

(4) These Regulations do not require data relating to unconnected calls to be retained.

(5) These Regulations do not require data derived from Internet access, Internet e-mail or Internet telephony to be retained.

Data to be retained

5.—(1) The following data concerning fixed network telephony and mobile telephony generated in the United Kingdom must be retained in accordance with regulation 4(1):

(a)the telephone number from which the telephone call was made and the name and address of the subscriber and registered user of that telephone;

(b)the telephone number dialled and, in cases involving supplementary services such as call forwarding or call transfer, any telephone number to which the call is forwarded or transferred, and the name and address of the subscriber and registered user of such telephone;

(c)the date and time of the start and end of the call; and

(d)the telephone service used.

(2) The following data concerning mobile telephony must be retained in accordance with regulation 4(1):

(a)the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI) of the telephone from which a telephone call is made;

(b)the IMSI and the IMEI of the telephone dialled;

(c)in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the cell ID from which the service was activated;

(d)the cell ID at the start of the communication; and

(e)data identifying the geographic location of cells by reference to their cell ID.

Data security

6.  The following data security principles shall apply with respect to data retained in accordance with regulation 4(1):

(a)the retained data shall be of the same quality and subject to the same security and protection as those data on the public electronic communications network;

(b)the data shall be subject to appropriate technical and organisational measures to protect the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful storage, processing, access or disclosure;

(c)the data shall be subject to appropriate technical and organisational measures to ensure that they can be accessed by specially authorised personnel only; and

(d)in the case of data retained solely in accordance with regulation 4(1), the data shall be destroyed by the public communications provider at the end of the period of retention.

Storage requirements for retained data

7.  The data specified in regulation 5 shall be retained in accordance with regulation 4(1) in such a way that the data retained can be transmitted without undue delay in response to requests.

Supervisory authority

8.  The Information Commissioner (6), as the Supervisory Authority designated for the purposes of Article 9 of Directive 2006/24/EC(7) shall monitor the application of these Regulations with respect to the security of stored data.

Statistics

9.—(1) A public communications provider shall, as soon as practicable after 31^st March in any year, provide the Secretary of State with the statistical information to which paragraph (2) applies in respect of the period of 12 months ending on that date.

(2) The statistical information to which this paragraph applies is—

(a)The number of occasions when data have been disclosed in response to a request;

(b)The number of occasions when a request for lawfully disclosable data could not be met.

(3) The Secretary of State may, by notice given in writing to the public communications provider, vary the date specified in paragraph (1), with such transitional arrangements as may be necessary in consequence of the variation.

Payment

10.—(1) The Secretary of State may reimburse any expenses incurred by a public communications provider in complying with these Regulations.

(2) Such reimbursement may be conditional on the expenses having been notified to the Secretary of State and agreed in advance.

(3) The Secretary of State may require any public communications provider to comply with any audit that may be reasonably required to monitor any claim for reimbursement pursuant to this regulation.

EXPLANATORY NOTE

(This note is not part of the Regulations)

These Regulations implement Directive 2006/24/EC (“the Directive”) of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.

The United Kingdom made a declaration pursuant to Article 15.3 of the Directive that it will postpone application of that Directive to the retention of communications data relating to Internet Access, Internet telephony and Internet e-mail. These Regulations therefore do not implement the Directive with respect to those forms of data.

The Regulations impose a requirement on the providers of public electronic communications services or networks (“providers”), as defined in regulation 2, to retain the categories of data specified in regulation 5. The Regulations apply to those providers as provided for in regulation 3. Regulation 4 makes provision regarding the obligation to retain the data specified in regulation 5.

Such data must be retained for a period of 12 months, in accordance with regulation 4(2). The data must be stored in accordance with the requirements in regulation 7.

Data security is provided for in regulation 6.

Regulation 8 provides that the Information Commissioner as the supervisory authority is responsible for monitoring the application of these Regulations with respect to the security of stored data.

There is a requirement on providers to provide statistics to the Secretary of State in regulation 9.

Regulation 10 provides that the Secretary of State may make arrangements for reimbursing any expenses incurred by providers in complying with the Regulations.