[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]
	United Kingdom Statutory Instruments
You are here: BAILII >> Databases >> United Kingdom Statutory Instruments >> The Data Retention (EC Directive) Regulations 2007 No. 2199 URL: http://www.bailii.org/uk/legis/num_reg/2007/20072199.html

[New search] [Help]

(a) "cell ID" means the identity or location label of the cell from which a mobile telephony call was made or received;

(b) "data" means traffic data and location data, as defined in paragraph (g), and the related data necessary to identify the subscriber and the registered user;

(c) "personal data" has the meaning given in section 1 of the Data Protection Act 1998[3];

(d) "public communications provider" means:


(i) a provider of a public electronic communications network; or

(ii) a provider of a public electronic communications service;



(e) "public electronic communications network" and "public electronic communications service" have the meaning given in section 151 of the Communications Act 2003[4];

(f) "telephone service" means calls (including voice, voicemail and conference and data calls), supplementary services (including call forwarding and call transfer) and messaging and multi-media services (including short message services, enhanced media services and multi-media services);

(g) "traffic data" and "location data" have the meaning given in regulation 2 of the Privacy and Electronic Communications (EC Directive) Regulations 2003[5];

(h) "unsuccessful call attempt" means a communication where a telephone call has been successfully connected but not answered or there has been a network management intervention.

Application
     3. —(1) Subject to paragraph (2), these Regulations shall apply to all public communications providers.

    (2) These Regulations shall not apply, except where written notice has been given by the Secretary of State, to a public communications provider whose data are retained in the United Kingdom in accordance with these Regulations by another public communications provider.

    (3) If only a part of that data is so retained by another public communications provider, these Regulations apply to the public communications provider only with respect to the data not so retained.

    (4) A written notice must be given or published in such a manner as the Secretary of State considers appropriate for bringing it to the attention of the public communications provider or the category of providers to whom it applies and must specify the extent to which and the date from which these Regulations are to apply.

Obligation to retain data
     4. —(1) Subject to paragraphs (4) and (5), the data specified in regulation 5 must be retained to the extent that those data are generated or processed by a public communications provider in the process of supplying the communications services concerned.

    (2) The data specified in regulation 5 are to be retained by the public communications provider for a period of 12 months from the date of the communication.

    (3) The duty to retain data under paragraph (1) includes the retention of the data specified in regulation 5 relating to an unsuccessful call attempt where those data are generated or processed, and stored, in the United Kingdom by a public communications provider in the process of supplying the communication services concerned.

    (4) These Regulations do not require data relating to unconnected calls to be retained.

    (5) These Regulations do not require data derived from Internet access, Internet e-mail or Internet telephony to be retained.

Data to be retained
     5. —(1) The following data concerning fixed network telephony and mobile telephony generated in the United Kingdom must be retained in accordance with regulation 4(1):

(a) the telephone number from which the telephone call was made and the name and address of the subscriber and registered user of that telephone;

(b) the telephone number dialled and, in cases involving supplementary services such as call forwarding or call transfer, any telephone number to which the call is forwarded or transferred, and the name and address of the subscriber and registered user of such telephone;

(c) the date and time of the start and end of the call; and

(d) the telephone service used.

    (2) The following data concerning mobile telephony must be retained in accordance with regulation 4(1):

(a) the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI) of the telephone from which a telephone call is made;

(b) the IMSI and the IMEI of the telephone dialled;

(c) in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the cell ID from which the service was activated;

(d) the cell ID at the start of the communication; and

(e) data identifying the geographic location of cells by reference to their cell ID.

Data security
     6. The following data security principles shall apply with respect to data retained in accordance with regulation 4(1):

(a) the retained data shall be of the same quality and subject to the same security and protection as those data on the public electronic communications network;

(b) the data shall be subject to appropriate technical and organisational measures to protect the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful storage, processing, access or disclosure;

(c) the data shall be subject to appropriate technical and organisational measures to ensure that they can be accessed by specially authorised personnel only; and

(d) in the case of data retained solely in accordance with regulation 4(1), the data shall be destroyed by the public communications provider at the end of the period of retention.

Storage requirements for retained data
     7. The data specified in regulation 5 shall be retained in accordance with regulation 4(1) in such a way that the data retained can be transmitted without undue delay in response to requests.

Supervisory authority
     8. The Information Commissioner [6], as the Supervisory Authority designated for the purposes of Article 9 of Directive 2006/24/EC[7] shall monitor the application of these Regulations with respect to the security of stored data.

Statistics
     9. —(1) A public communications provider shall, as soon as practicable after 31^st March in any year, provide the Secretary of State with the statistical information to which paragraph (2) applies in respect of the period of 12 months ending on that date.

    (2) The statistical information to which this paragraph applies is—

(a) The number of occasions when data have been disclosed in response to a request;

(b) The number of occasions when a request for lawfully disclosable data could not be met.

    (3) The Secretary of State may, by notice given in writing to the public communications provider, vary the date specified in paragraph (1), with such transitional arrangements as may be necessary in consequence of the variation.

Payment
     10. —(1) The Secretary of State may reimburse any expenses incurred by a public communications provider in complying with these Regulations.

    (2) Such reimbursement may be conditional on the expenses having been notified to the Secretary of State and agreed in advance.

    (3) The Secretary of State may require any public communications provider to comply with any audit that may be reasonably required to monitor any claim for reimbursement pursuant to this regulation.


Tony McNulty
Minister of State

Home Office
26th July 2007

[2] 1972 c.68.back

[3] 1998 c.29; section 1 was amended by the Freedom of Information Act 2000 (c.36), section 68(1), (2) and (3) and Schedule 8, Part III and by S.I. 2004/3089.back

[4] 2003 c.21.back

[5] S.I. 2003/2426.back

[6] The Information Commissioner is appointed under section 6(1) of the Data Protection Act 1998 (c.29), as substituted by Schedule 2 to the Freedom of Information Act 2000 (c.36).back

[7] OJ No 105, 13.4.2006, p54.back

 © Crown copyright 2007