The Data Retention and Acquisition Regulations 2018
Read (PDF)
These Regulations amend Parts 3 and 4 of the Investigatory Powers Act 2016 (c. 25) (“the Act”), which provide for the retention of communications data by telecommunications and postal operators, and the acquisition of that communications data by public authorities, and bring into force a code of practice in relation to those provisions.
Regulation 2 brings into force a code of practice entitled “Communications Data”, about the exercise of functions conferred by Parts 3 and 4 of the Act. The code of practice comes into force on the day after the day on which these Regulations are made.
The code of practice will be published by the Stationery Office and copies may be obtained from the Stationery Office bookshops or online shop. The code of practice will also be available on the Investigatory Powers Act 2016 codes of practice pages on the gov.uk website.
The amendments to Parts 3 and 4 of the Act are made in response to the judgment of the Court of Justice of the European Union (CJEU) in joined cases C‑203/15 and C‑698/15, setting out safeguards required in order that a communications data retention regime is compliant with EU law.
Part 3 of the Act is not yet in force and the Regulations also amend Chapter 2 of Part 1 of the Regulation of Investigatory Powers Act 2000 (c. 25) (“RIPA”), which currently provides for the acquisition of communications data by public authorities and will be replaced by Part 3 of the Act.
Regulation 3 amends section 22 of RIPA so that access to certain communications data (traffic or location data) may be authorised only for the purpose of the prevention or detection of serious crime. A request for subscriber data may be authorised for the purpose of the prevention or detection of crime or of preventing disorder, as is currently the case for all communications data under RIPA. Three of the statutory purposes for which access to communications data may currently be authorised are also removed by this regulation and by paragraph 2(2) of Schedule 2 to these Regulations.
Regulation 5 amends Part 3 of the Act to provide for independent authorisation of requests by public authorities to access communications data, conferring on the Investigatory Powers Commissioner a new power to authorise communications data requests. The Commissioner, acting through a body of his staff to be known as the Office for Communications Data Authorisations, will be responsible for considering the vast majority of requests to access communications data made by public authorities. A request may be authorised where it is necessary for one or more of the statutory purposes, and proportionate. In relation to the crime purpose, the effect of the amendments is that access to events data may be authorised for the purpose of the prevention or detection of serious crime, but a request solely for entity data may be made for the purpose of the prevention or detection of crime or of preventing disorder.
Regulation 6 amends the power in Part 3 of the Act to authorise requests to access communications data internally within a public authority. The effect of the amendments is that the power will only be exercisable to access communications data in the interests of national security, or of the economic well-being of the UK so far as relevant to national security, or for the purpose of the prevention or detection of serious crime. Where a request is solely for entity data a request may be made for the purpose of the prevention or detection of crime or of preventing disorder.
Regulation 7 amends the Act to permit internal authorisation by a designated senior officer in a public authority (except a local authority) in a case where there is an urgent need to obtain communications data.
Regulation 8 amends Part 4 of the Act to restrict the purposes for which the Secretary State may give a notice to a telecommunications or postal operator requiring the retention of communications data. A notice may be given where it is necessary and proportionate to retain data in the interests of national security or of the economic well-being of the UK so far as relevant to national security, in the interests of public safety, for the purpose of preventing death or injury or to assist investigations into alleged miscarriages of justice. A notice may be given for the purpose of the prevention or detection of serious crime so far as it relates to events data, or for the purpose of the prevention or detection of crime or of preventing disorder so far as it relates to entity data.
Regulation 9 amends the Act to include additional matters which the Secretary of State must take into account before giving a retention notice.
Regulation 10 introduces Schedule 1 to the Regulations which makes further amendments of the Act, in the main consequential on the amendments in regulations 2 to 7. Paragraph 15 removes the requirement for local authority applications to be subject to judicial approval by a magistrate, in light of the new independent authorisation arrangements. Paragraph 21 inserts a definition of serious crime for the purposes of Part 3 of the Act. Paragraph 26 substitutes the Table contained in Part 1 of Schedule 4 to the Act, which sets out which public authorities may acquire communications data, the purposes for which each public authority may do so, the types of data they may obtain and the level of internal authorisation required within that organisation.
Regulation 11 introduces Schedule 2 to the Regulations, which makes consequential amendments of RIPA and the Regulation of Investigatory Powers (Communications Data) Order 2010 (S.I. 2010/480).