CHAPTER 6: POWERS AND SAFEGUARDS
Communications data
6.6.
6.7.
7
8
9
10
11
12
Communications data are data about use made of a telecommunications or postal
service but not the contents of the communications themselves. Unlike intercepted
material, communications data do not necessarily have to be collected when
correspondence is “in the course of its transmission”.7 Communications data are
generally obtained retrospectively from a service provider that retains that information
(such as a mobile phone company), though when intercepted material is collected in
the course of transmission, the related communications data are also collected. RIPA
divides communications data into three categories:
(a)
Traffic data which identifies the person, apparatus, location or address to or
from which a communication is transmitted, and information about a computer
file or program that has been accessed or run in the course of sending or
receiving a communication.8 Traffic data includes such matters as the geodata
(or location data) produced by mobile phones on the move, as they
communicate with base stations (cell-site data) and private WiFi networks,
together with information on servers visited. The applicable Code of Practice
states that website addresses or Uniform Resource Locators [url]s to the first
slash e.g. https://www.google.co.uk are traffic data. On that basis the page
address beyond the first slash, e.g. https://www.google.co.uk/#q=url+meaning,
is content.9 IP addresses are traffic data when they are allocated dynamically
or temporarily to enable a communication to be routed.10
(b)
Service use information relating to the use of a particular telecoms service. It
is usually held by a service provider and records how many times and when a
person made use of that service as well as which services they have used, such
as amounts of data downloaded.11 A simple example is an itemised phone bill.
(c)
Subscriber information is all other information that the service provider holds
about the person that uses the service. It covers the details that a customer
provides to the service provider such as their address, telephone number or
email address, but may include e.g. bank account data and personal information
requested at sign-up.12
The three categories are assumed to be in descending order of intrusiveness, as may
be seen from the (limited) respects in which the law treats them differently. Thus:
RIPA s1(1).
RIPA ss21(4)(a) and 21(6).
Acquisition Code, para 2.20: “traffic data may identify a server or domain name (web site) but not a
web page.” As pointed out by IOCCO there is a degree of ambiguity here, arising out of the absence of
any definition of “content” within RIPA. IOCC Submission to the Review, paras 3.2.6 and 3.2.7.
Ibid. The Acquisition Code provides at 2.26 and fn 42 that dynamic IP addresses may be stored by a
service provider in conjunction with subscriber information, in which case it would need to be treated as
subscriber information, not traffic data.
RIPA ss21(4)(b) and 22(4).
RIPA s21(4)(c).
96