Legal framework for managing the processes around mandatory communications data regime formally enhanced

Secondary legislation (the Regulation of Investigatory Powers (Acquisition and Disclosure of Communications Data: Code of Practice) Order 2015 (SI 2015/927) and the Retention of Communications Data (Code of Practice) Order 2015 (SI 2015/926)) was enacted at the end of March, bringing into force new codes of practices governing how authorised public bodies within the UK handle communications data.

This announcement follows a recent consultation by the Home Office on its plans to update the codes (see my previous post for further information on the consultation). The codes are seen as necessary to plug a vital anti-terrorism and security-related intelligence capabilities ‘hole’ that was left in the statutory regime governing the UK’s surveillance capabilities after the EU Court of Justice (CJEU) issued its ‘Digital Ireland’ ruling last year that held the EU Data Retention Directive 2006 to be invalid.

Acquisition and disclosure of communications data code of practice

This new code sets out the processes and safeguards governing the acquisition of communications data by “relevant public authorities” (as defined in the Regulation of Investigatory Powers Act 2000), including law enforcement agencies. Superseding the last code of practice prepared in 2007, it is intended to clarify and incorporate best practices around essential procedures, such as obtaining authorisations and giving appropriate notices. In particular, it seeks to make a number of updates to bring the code in line with the current experiences of public agencies involved in acquiring and disclosing communications data.

Retention of communications data code of practice

This updated code sets out how communications data are retained to meet the requirements in the Data Retention and Investigatory Powers Act 2014 (‘DRIPA’) brought in last year to replace the defunct Data Retention (EC Directive) Regulations 2009. Intended for readership by communications service providers who have been issued with a data retention notice under DRIPA, it describes the process surrounding the giving of such notices, the resulting costs incurred by service providers, the security and destruction of retained data, as well as the disclosure and use of data.

Apart from the codes, related secondary legislation set commencement dates for several provisions in the new Counter-Terrorism and Security Act 2015 (CTSA) and DRIPA (discussed previously here). These legislative instruments are the Counter-Terrorism and Security Act 2015 (Commencement No. 1) Regulations 2015 (SI 2015/956) made on 26 March, as well as the Data Retention and Investigatory Powers Act 2014 (Commencement) Order 2015 (SI 2015/929) coming into effect on 13 April.

Of particular note, the former Regulations set commencement dates for various CTSA provisions, including its Part 3 on data retention (consisting of section 21), which will also come into force on 13 April. In terms of the changes to be brought into effect by section 21, these include the definition of “relevant communications data” in section 2(1) of DRIPA being expanded to encompass “relevant internet data”. This expansion will enable the Secretary of State to require the retention of additional information not already caught by the “communications data” definition. This data may be used to identify, or assist in identifying, IP addresses (or other identifiers) of devices and, as such, should facilitate more robust identity decisions to be made regarding the identities of senders or recipients of communications using such devices. For more information on IP address resolution, see here for Home Office guidance on this topic, as well as my post here.

The Data Retention and Investigatory Powers Act 2014 (Commencement) Order 2015 (SI 2015/929) brings section 1(6) of DRIPA and regulations 8(1) and 15(2) and (3) of the Data Retention Regulation 2014 (made under DRIPA) into force on 13 April. In general, they introduce safeguard requirements for data held by telecommunications service providers and its restricted disclosure. Regulation 8(1), in particular, requires that public telecommunications operators put in place adequate security systems governing access to communications data retained. These should include technical and organisational measures.

In summary, the changes tie up some loose ends on outstanding communications data legal provisions within the UK before the upcoming General Election, although – as a reminder – DRIPA is subject to a ‘sunset clause’ meaning that it will automatically be repealed at the end of 2016. The data retention code of practice will also cease to have effect when DRIPA is repealed.

Alison Knight