CHAPTER 7: PRACTICE
Communications data
7.37.
The law relating to communications data is summarised at 6.6-6.8, 6.18-6.21 and
6.95-6.99 above. This section explains how in practice it is obtained, treated and
used.
Retention and Acquisition of communications data
7.38.
Communications data are produced and collected by service providers. Under data
protection legislation, any personal data relating to their customers should be deleted
as soon as it is no longer needed for their business purposes. However, DRIPA 2014
s1(1) grants the Secretary of State the power to issue a data retention notice to a
service provider, requiring them to retain communications data, even if it is not (or was
never) needed by the service provider. Before such a notice is given, the Secretary
of State must take reasonable steps to consult with the service provider.[29]
7.39.
When an investigating body wishes to secure access to those communications data,
it will either authorise a person within the public authority to access the material or
issue a notice to a service provider.[30] An authorisation provides for an individual within
a public authority to obtain communications data. Authorisations are granted where a service
provider is not capable of obtaining or disclosing communications data, where there
is a pre-existing agreement in place with the service provider for disclosure or where
it is not yet clear which service provider (if any) holds the data.[31] An authorisation is
usually granted to a SPoC: authorisations are most commonly used to access data via an
automated system.[32]
7.40.
A notice is served on a service provider asking it to disclose specified communications
data.[33] Notices are typically served in cases where a service provider has not already
been served with a data retention notice and there is no existing data acquisition
framework. That is most likely to be the case with smaller service providers in the UK
and with overseas service providers. Overseas service providers often test
whether they wish to comply with a notice by reference to their company practices
and the laws of the jurisdiction in which the data is kept. I return to these issues at
14.58-14.59 and 14.78-14.86 below.
7.41.
Authorisations and notices are valid for a month, but may be renewed.[34] They should
be cancelled as soon as they are no longer needed.[35]
Authorising access to communications data
7.42.
The mechanisms by which access to retained communications data may be
authorised were set out at 6.64-6.70 above. For all but local authorities this is an
[29] Retention Code, para 3.9.
[30] Acquisition Code, para 3.2.
[31] Ibid., para 3.35.
[32] Ibid., para 3.35. These are known in the Code as “Secure auditable communications data acquisition systems”.
[33] Ibid., para 3.43.
[34] Ibid., paras 3.51-57.
[35] Ibid., paras 3.58-64.