Keeping Data On Public Internet Use - The Data Retention Directive
EU Legislation has come into force since 6th April 2009, under The Data Retention (EC Directive) Regulations 2009. This has an effect on the wireless sector where certain data is required to be retained and kept for a minimum of 12 months from the date of the communication. The directive was designed to aid Police; Security and Intelligence agencies undertake law enforcement and public safety functions. Previous to this directive, data retention was voluntary, and it became difficult for long running investigations to be supported. The directive ensures a minimum requirement for retention, which would help cases that tended to be those that involved murder, serious sexual offences and terrorism.
Below is an excerpt from The Data Retention (EC Directive) Regulations 2009 document found on the http://www.legislation.gov.uk/uksi/2009/859/contents/made website, which refers specifically to internet access and what is required to be retained.
INTERNET ACCESS, INTERNET EMAIL OR INTERNET TELEPHONY
Data necessary to trace and identify the source of a communication
- The user ID allocated.
- The user ID and telephone number allocated to the communication entering the public telephone network.
- The name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication.
Data necessary to identify the destination of a communication
- In the case of internet telephony, the user ID or telephone number of the intended recipient of the call
- In the case of internet e-mail or internet telephony, the name and address of the subscriber or registered user and the user ID of the intended recipient of the communication.
Data necessary to identify the date, time and duration of a communication
13. In the case of internet access—
- The date and time of the log-in to and log-off from the internet access service, based on a specified time zone,
- The IP address, whether dynamic or static, allocated by the internet access service provider to the communication, and
- The user ID of the subscriber or registered user of the internet access service.
- In the case of internet e-mail or internet telephony, the date and time of the log-in to and log off from the internet e-mail or internet telephony service, based on a specified time zone.
Data necessary to identify the type of communication
14. In the case of internet e-mail or internet telephony, the internet service used.
Data necessary to identify users’ communication equipment (or what purports to be their equipment)
- In the case of dial-up access, the calling telephone number.
- In any other case, the digital subscriber line (DSL) or other end point of the originator of the communication.
What this means for any business providing public internet services is that any the above needs to be adhered to, and data retained for a period of 12 months. We can assist any business to accomplish this with a number of solutions. Please get in touch with us to discuss any requirements you may have.
The data that is collected can be accessed by certain agencies which are listed below
Access to retained data
The bodies that are able to access retained data in the United Kingdom are listed in the Regulation of Investigatory Powers Act 2000 (RIPA). These are the following:
- Police forces (as defined in section 81(1) of RIPA)
- National Criminal Intelligence Service
- National Crime Squad (now Serious Organised Crime Agency)
- HM Customs and Excise
- Inland Revenue (the latter two have been merged into HM Revenue and Customs)
- Security Service
- Secret Intelligence Service
- Government Communications Headquarters
However, the Regulation of Investigatory Powers Act 2000 (RIPA) also gives the Home Secretary powers to change the list of bodies with access to retained data through secondary legislation. The list of authorised bodies now includes:
- Food Standards Agency
- Local Authorities
- The National Health Service