CHAPTER 6: POWERS AND SAFEGUARDS
IPT. The Tribunal has already held that the s8(4) framework is “in accordance with
the law,” in the sense that it the manner in which it operates is sufficiently
foreseeable.59 However, the Tribunal is yet to rule on the proportionality of the
methods deployed to carry out bulk interception under s8(4).
RIPA access to communications data retained by service providers
6.60.
Communications data are collected and held by service providers. They already hold
data on their customers (subscriber information) and will generate service use
information and traffic data depending on their business model. That information is
necessary in order to enable communications to be routed successfully and also for
billing and marketing purposes. RIPA Part I Chapter 2 sets out the framework under
which public authorities may seek access to the data held by the service providers.
6.61.
Service providers may be required to retain data for up to a year on receipt of a notice
from the Home Secretary, issued under DRIPA 2014 s1. The Retention Code provides
at para 3.3 that companies with larger customer bases are more likely to receive a
notice. Other service providers are not compelled to retain data, but all service
providers are obliged to hand over data to a public authority when they receive a
request.60 Those data which might be required to be retained are set out in the
Schedule to the Data Retention Regulations.61 Companies that have received a notice
may be asked to retain data including:
(a)
the sender or recipient of a communication (whether or not a person);
(b)
the time or duration of a communication;
(c)
the type, method, pattern or fact of a communication;
(d)
the telecommunications system (or any part of it) from, to or through which, or by
means of which, a communication is or may be transmitted; and
(e)
the location of any such system.62
6.62.
A voluntary code of practice, drawn up under the Anti-Terrorism Crime and Security
Act 2001 [ATCSA 2001], permits service providers to retain other data not required
under DRIPA 2014, such as phone cell data and the times at which emails are sent
and received.63
6.63.
CTSA 2015 provided for the first time that service providers should generate and retain
data that they did not need for their own business purposes. Section 21 provides that
service providers may be required to retain data necessary to resolve IP addresses to
an individual or device. In brief, that information enables public authorities authorised
to acquire communications data to confirm which device was accessing particular
59
60
61
62
63
Liberty IPT Case, judgment of 5 December 2014.
RIPA s22(3A).
SI 2042/2014.
Retention Code, para 2.14.
Retention of Communications Data under Part 11: Anti-Terrorism, Crime & Security Act 2001: Voluntary
Code of Practice.
110