PART 1GENERAL

Citation and commencement

1.—(1) These Regulations may be cited as the Data Retention Regulations 2014.

(2) Subject to paragraph 3, these Regulations come into force on the day after the day on which these Regulations are made.

(3) Regulations 8(1) and 15(2) and (3) come into force on the day on which section 1(6) of the Act comes into force for all purposes.

PART 2THE RETENTION NOTICE REGIME

Interpretation

Interpretation of Part 2

2.  In this Part—

“the Act” means the Data Retention and Investigatory Powers Act 2014;

“cell ID” means the identity or location of the cell from which a mobile telephony call started or in which it finished;

“service use data” means anything falling within paragraph (b) of the definition of “communications data” in section 21(4) of the Regulation of Investigatory Powers Act 2000(2) so far as that definition applies in relation to telecommunications services and telecommunication systems;

“subscriber data” means anything falling within paragraph (c) of the definition of “communications data” in section 21(4) of the Regulation of Investigatory Powers Act 2000 so far as that definition applies in relation to telecommunications services and telecommunication systems;

“telephone service” means calls (including voice, voicemail and conference and data calls), supplementary services (including call forwarding and call transfer) and messaging and multi-media services (including short message services, enhanced media services and multi-media services);

“traffic data” means anything falling within paragraph (a) of the definition of “communications data” in section 21(4) of the Regulation of Investigatory Powers Act 2000 so far as that definition applies in relation to telecommunications services and telecommunication systems;

“user ID” means a unique identifier allocated to persons when they subscribe to, or register with, an internet access service or internet communications service.

Specified data for purposes of definition of “relevant communications data”

3.  The Schedule to these Regulations specifies the communications data that is of the kind mentioned in the Schedule to the 2009 Regulations(3).

Retention notices

Retention notices

4.—(1) A retention notice must specify—

(a)the public telecommunications operator (or description of operators) to whom it relates,

(b)the relevant communications data which is to be retained,

(c)the period or periods for which the data is to be retained,

(d)any other requirements, or any restrictions, in relation to the retention of the data.

(2) A retention notice must not require any data to be retained for more than 12 months beginning with—

(a)in the case of traffic data or service use data, the day of the communication concerned, and

(b)in the case of subscriber data, the day on which the person concerned leaves the telecommunications service concerned or (if earlier) the day on which the data is changed.

(3) A retention notice which relates to data already in existence when the notice comes into force imposes a requirement to retain the data for only so much of a period of retention as occurs on or after the coming into force of the notice.

(4) A retention notice comes into force when the notice is given to the operator (or description of operators) concerned or (if later) at the time or times specified for this purpose in the notice.

(5) A retention notice is given to an operator (or description of operators) by giving or publishing it in such manner as the Secretary of State considers appropriate for bringing it to the attention of the operator (or description of operators) to whom it relates.

Safeguards

Matters to be taken into account before giving retention notices

5.—(1) Before giving a retention notice, the Secretary of State must, among other matters, take into account—

(a)the likely benefits of the notice,

(b)the likely number of users (if known) of any telecommunications service to which the notice relates,

(c)the technical feasibility of complying with the notice,

(d)the likely cost of complying with the notice, and

(e)any other impact of the notice on the public telecommunications operator (or description of operators) to whom it relates.

(2) Before giving such a notice, the Secretary of State must take reasonable steps to consult any operator to whom it relates.

Review of retention notices

6.  The Secretary of State must keep a retention notice under review.

Data integrity and security

7.—(1) A public telecommunications operator who retains communications data by virtue of section 1 of the Act must—

(a)secure that the data is of the same integrity and subject to at least the same security and protection as the data on any system from which it is derived,

(b)secure, by appropriate technical and organisational measures, that the data can be accessed only by specially authorised personnel, and

(c)protect, by appropriate technical and organisational measures, the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful retention, processing, access or disclosure.

(2) A public telecommunications operator who retains communications data by virtue of section 1 of the Act must destroy the data if the retention of the data ceases to be authorised by virtue of that section and is not otherwise authorised by law.

(3) The requirement in paragraph (2) to destroy the data is a requirement to delete the data in such a way as to make access to the data impossible.

(4) It is sufficient for the operator to make arrangements for the deletion of the data to take place at such monthly or shorter intervals as appear to the operator to be practicable.

Disclosure of retained data

8.—(1) A public telecommunications operator must put in place adequate security systems (including technical and organisational measures) governing access to communications data retained by virtue of section 1 of the Act in order to protect against any disclosure of a kind which does not fall within section 1(6)(a) of the Act.

(2) A public telecommunications operator who retains communications data by virtue of section 1 of the Act must retain the data in such a way that it can be transmitted without undue delay in response to requests.

Oversight by the Information Commissioner

9.  The Information Commissioner must audit compliance with requirements or restrictions imposed by this Part in relation to the integrity, security or destruction of data retained by virtue of section 1 of the Act.

Code of practice

10.—(1) The following provisions of the Regulation of Investigatory Powers Act 2000 have effect as if the following amendments were made to them.

(2) Section 71(2)(4) (issue and revision of codes of practice: powers and duties in respect of which code of practice must be issued) has effect as if—

(a)for “subsection (10)” there were substituted “subsections (10) and (11)”,

(b)the word “and” at the end of paragraph (b) were omitted, and

(c)after paragraph (c) there were inserted—

“(d)section 1(1) to (6) of the Data Retention and Investigatory Powers Act 2014.”

(3) Section 71 has effect as if, after subsection (10), there were inserted—

“(11) The reference in subsection (2) to powers and duties conferred or imposed by or under section 1(1) to (6) of the Data Retention and Investigatory Powers Act 2014 does not include a reference to any such powers and duties which are conferred or imposed on the Secretary of State.”

(4) Section 72(4) (effect of codes of practice: functions of relevant Commissioners) has effect as if, after paragraph (c), there were inserted—

“(ca)the Information Commissioner carrying out any of the Commissioner’s functions under Part 2 of the Data Retention Regulations 2014,”.

Supplementary and transitional provisions

Variation or revocation of notices

11.—(1) The Secretary of State may vary a retention notice.

(2) The Secretary of State must give or publish notice of the variation in such manner as the Secretary of State considers appropriate for bringing the variation to the attention of the public telecommunications operator (or description of operators) to whom it relates.

(3) A variation comes into force when notice of it is given or published in accordance with paragraph (2) or (if later) at the time or times specified for this purpose in the notice of variation.

(4) Regulations 4(2), 6 and 12(1)(a), and paragraphs (1), (7) and (10) of this regulation, apply in relation to a retention notice as varied as they apply in relation to a retention notice.

(5) Regulation 4(3) applies in relation to a retention notice as varied as it applies in relation to a retention notice but as if the references to the notice coming into force included references to the variation coming into force.

(6) Regulation 5 applies in relation to the making of a variation as it applies in relation to the giving of a retention notice.

(7) The Secretary of State may revoke (whether wholly or in part) a retention notice.

(8) The Secretary of State must give or publish notice of the revocation in such manner as the Secretary of State considers appropriate for bringing the revocation to the attention of the operator (or description of operators) to whom it relates.

(9) A revocation comes into force when notice of it is given or published in accordance with paragraph (8) or (if later) at the time or times provided for in the notice of revocation.

(10) The fact that a retention notice has been revoked in relation to a particular description of communications data and a particular operator (or description of operators) does not prevent the giving of another retention notice in relation to the same description of data and the same operator (or description of operators).

Enforcement of notices and certain other requirements and restrictions

12.—(1) It is the duty of a public telecommunications operator on whom a requirement or restriction is imposed by—

(a)a retention notice,

(b)section 1(6) of the Act, or

(c)regulation 7 or 8,

to comply with the requirement or restriction concerned.

(2) That duty is enforceable by civil proceedings by the Secretary of State for an injunction, or for specific performance of a statutory duty under section 45 of the Court of Session Act 1988(5), or for any other appropriate relief.

Reimbursement of expenses of compliance

13.—(1) The Secretary of State may reimburse any expenses incurred by a public telecommunications operator in complying with section 1(1) to (6) of the Act and this Part.

(2) Reimbursement may be conditional on either or both of the following—

(a)the expenses having been notified to the Secretary of State and agreed in advance;

(b)the public telecommunications operator having co-operated with any audit that may be reasonably required for the purpose of monitoring the claim for reimbursement.

Transitional provisions

14.—(1) The 2009 Regulations are revoked (but this is without prejudice to the operation of the definition of “relevant communications data” in section 2(1) of the Act).

(2) Paragraph (3) applies in relation to any notice given or published in the approved manner under the 2009 Regulations (and not fully revoked) before the day on which these Regulations come into force (a “pre-commencement notice”) and which—

(a)specifies the extent to which, and the date from which, the 2009 Regulations are to apply to a public telecommunications operator (or a description of operators including that operator), and

(b)relates to data which is not retained in the United Kingdom by another operator.

(3) Sections 1(1) to (6) and 2 of the Act and this Part apply on and after the day on which these Regulations come into force as if the pre-commencement notice were a retention notice which—

(a)is given in accordance with those sections and this Part—

(i)on the day on which these Regulations come into force, or

(ii)if later, on the day which the pre-commencement notice specifies as the day from which the 2009 Regulations are to apply,

(b)requires the retention of relevant communications data except so far as the pre-commencement notice specifies a more limited application for the 2009 Regulations, and

(c)requires the retention of that data for the period of 12 months beginning with the day of the communication concerned.

(4) Paragraph (3) ceases to apply on 1st January 2015 or on any earlier revocation in full of the pre-commencement notice.

(5) The Secretary of State may revoke (whether wholly or in part) a pre-commencement notice.

(6) The fact that a pre-commencement notice has, in relation to a particular description of data and a particular operator (or description of operators), ceased to have effect or been revoked does not prevent the giving of a retention notice in relation to the same description of data and the same operator (or description of operators).

(7) In this regulation—

“the approved manner” means such manner as the Secretary of State considered appropriate for bringing the notice to the attention of the operator concerned (or the description of operators which included the operator),

“pre-commencement notice” has the meaning given by paragraph (2).

PART 3SAFEGUARDS FOR DATA RETAINED VOLUNTARILY

Data subject to code of practice on voluntary retention

15.—(1) This regulation applies in relation to communications data which is retained by telecommunications service providers by virtue of a code of practice under section 102 of the Anti-terrorism, Crime and Security Act 2001(6).

(2) A telecommunications service provider who retains communications data to which this regulation applies must not disclose the data except in accordance with—

(a)Chapter 2 of Part 1 of the Regulation of Investigatory Powers Act 2000 (acquisition and disclosure of communications data), or

(b)a court order or other judicial authorisation or warrant.

(3) A telecommunications service provider must put in place adequate security systems (including technical and organisational measures) governing access to communications data to which this regulation applies in order to protect against any disclosure of a kind which does not fall within paragraph (2).

(4) A telecommunications service provider who retains communications data to which this regulation applies must retain the data in such a way that it can be transmitted without undue delay in response to requests.

(5) Regulation 7 applies in relation to communications data to which this regulation applies which is retained by a telecommunications service provider as it applies in relation to data retained by virtue of section 1 of the Act by a public telecommunications operator but as if the requirement in regulation 7(2) to destroy the data were a requirement to destroy it if the retention of the data ceases to be authorised by law.

(6) The Information Commissioner must audit compliance with requirements or restrictions imposed by this regulation in relation to the integrity, security or destruction of data to which this regulation applies.

(7) The modifications of sections 71 and 72 of the Regulation of Investigatory Powers Act 2000 in regulation 10 are to be read as if—

(a)the references to section 1(1) to (6) of the Data Retention and Investigatory Powers Act 2014 included references to this regulation, and

(b)the reference to Part 2 of these Regulations included a reference to paragraph (6) above.

(8) It is the duty of a telecommunications service provider on whom a requirement or restriction is imposed by this regulation to comply with the requirement or restriction concerned.

(9) That duty is enforceable by civil proceedings by the Secretary of State for an injunction, or for specific performance of a statutory duty under section 45 of the Court of Session Act 1988, or for any other appropriate relief.

(10) The Secretary of State may reimburse any expenses incurred by a telecommunications service provider in complying with this regulation.

(11) Reimbursement may be conditional on either or both of the following—

(a)the expenses having been notified to the Secretary of State and agreed in advance;

(b)the telecommunications service provider having co-operated with any audit that may be reasonably required for the purpose of monitoring the claim for reimbursement.

Regulation 3

SCHEDULECOMMUNICATIONS DATA OF THE KIND MENTIONED IN THE SCHEDULE TO THE 2009 REGULATIONS

PART 1FIXED NETWORK TELEPHONY

Data necessary to trace and identify the source of a communication

1.—(1) The calling telephone number.

(2) The name and address of the subscriber or registered user of any such telephone.

Data necessary to identify the destination of a communication

2.—(1) The telephone number dialled and, in cases involving supplementary services such as call forwarding or call transfer, any telephone number to which the call is forwarded or transferred.

(2) The name and address of the subscriber or registered user of any such telephone.

Data necessary to identify the date, time and duration of a communication

3.  The date and time of the start and end of the call.

Data necessary to identify the type of communication

4.  The telephone service used.

PART 2MOBILE TELEPHONY

Data necessary to trace and identify the source of a communication

5.—(1) The calling telephone number.

(2) The name and address of the subscriber or registered user of any such telephone.

Data necessary to identify the destination of a communication

6.—(1) The telephone number dialled and, in cases involving supplementary services such as call forwarding or call transfer, any telephone number to which the call is forwarded or transferred.

(2) The name and address of the subscriber or registered user of any such telephone.

Data necessary to identify the date, time and duration of a communication

7.  The date and time of the start and end of the call.

Data necessary to identify the type of communication

8.  The telephone service used.

Data necessary to identify users’ communication equipment (or what purports to be their equipment)

9.—(1) The International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI) of the telephone from which a telephone call is made.

(2) The IMSI and the IMEI of the telephone dialled.

(3) In the case of pre-paid anonymous services, the date and time of the initial activation of the service and the cell ID from which the service was activated.

Data necessary to identify the location of mobile communication equipment

10.—(1) The cell ID at the start of the communication.

(2) Data identifying the geographic location of cells by reference to their cell ID.

PART 3INTERNET ACCESS, INTERNET E-MAIL OR INTERNET TELEPHONY

Data necessary to trace and identify the source of a communication

11.—(1) The user ID allocated.

(2) The user ID and telephone number allocated to the communication entering the public telephone network.

(3) The name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication.

Data necessary to identify the destination of a communication

12.—(1) In the case of internet telephony, the user ID or telephone number of the intended recipient of the call.

(2) In the case of internet e-mail or internet telephony, the name and address of the subscriber or registered user and the user ID of the intended recipient of the communication.

Data necessary to identify the date, time and duration of a communication

13.—(1) In the case of internet access—

(a)the date and time of the log-in to and log-off from the internet access service, based on a specified time zone,

(b)the IP address, whether dynamic or static, allocated by the internet access service provider to the communication, and

(c)the user ID of the subscriber or registered user of the internet access service.

(2) In the case of internet e-mail or internet telephony, the date and time of the log-in to and log-off from the internet e-mail or internet telephony service, based on a specified time zone.

Data necessary to identify the type of communication

14.  In the case of internet e-mail or internet telephony, the internet service used.

Data necessary to identify users’ communication equipment (or what purports to be their equipment)

15.—(1) In the case of dial-up access, the calling telephone number.

(2) In any other case, the digital subscriber line (DSL) or other end point of the originator of the communication.

EXPLANATORY NOTE

(This note is not part of the Regulations)

These Regulations are made under the Data Retention and Investigatory Powers Act 2014 (‘the Act’). Section 1 of the Act contains a power for the Secretary of State to give a notice to a telecommunications operator requiring the retention of communications data of the types specified in the Schedule to these Regulations (which replicates the Schedule to the Data Retention (EC Directive) Regulations 2009). These Regulations make further provision in respect of that retention, and revoke the 2009 Regulations.

Regulation 3 introduces the Schedule of communications data types.

Regulation 4 gives further detail in respect of a retention notice.

Regulation 5 sets out the matters the Secretary of State must take into account before giving a notice, and regulation 6 requires that a notice must be kept under review.

Regulations 7 and 8 contain requirements on telecommunications operators in respect of the security and integrity of retained data, and the permanent deletion of data where there is no longer a requirement to retain.

Regulation 9 provides for oversight by the Information Commissioner of the requirements relating to integrity, security and destruction of retained data.

Regulation 10 makes provision for a statutory code of practice on the retention of data.

Regulation 11 provides for the variation or revocation of retention notices.

Regulation 12 imposes a duty to comply with certain requirements of the Regulations, section 1(6) of the Act (which restricts disclosure of retained data), and a retention notice. The duty is enforceable by civil proceedings by the Secretary of State.

Regulation 13 makes provision for the reimbursement by the Secretary of State of expenses incurred by telecommunications providers in complying with section 1 of the Act and Part 2 of the Regulations.

Regulation 14 revokes the 2009 Regulations and provides for transitional arrangements for data retained under those regulations.

Regulation 15 makes equivalent provision on security, access, expenses and enforcement in respect of data retained under the voluntary code of practice provided for in section 102 of the Anti-terrorism, Crime and Security Act 2001.

An impact assessment of the effect that the Act will have on the costs of business is published with the Explanatory Memorandum alongside the Regulations on www.legislation.gov.uk. No separate assessment has been carried out for these Regulations.