Investigatory Powers Act 2016

Part 4 U.K.Retention of communications data

GeneralU.K.

87Powers to require retention of certain dataU.K.

(1)The Secretary of State may, by notice (a “retention notice”) and subject as follows, require a telecommunications operator to retain relevant communications data if—

(a)the Secretary of State considers that the requirement is necessary and proportionate for one or more of the [F1following purposes—

(i)in the interests of national security,

(ii)for the applicable crime purpose (see subsection (10A)),

(iii)in the interests of the economic well-being of the United Kingdom so far as those interests are also relevant to the interests of national security,

(iv)in the interests of public safety,

(v)for the purpose of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health,

(vi)to assist investigations into alleged miscarriages of justice,]

and

(b)the decision to give the notice has been approved by a Judicial Commissioner.

(2)A retention notice may—

(a)relate to a particular operator or any description of operators,

(b)require the retention of all data or any description of data,

(c)identify the period or periods for which data is to be retained,

(d)contain other requirements, or restrictions, in relation to the retention of data,

(e)make different provision for different purposes,

(f)relate to data whether or not in existence at the time of the giving, or coming into force, of the notice.

(3)A retention notice must not require any data to be retained for more than 12 months beginning with—

(a)in the case of communications data relating to a specific communication, the day of the communication concerned,

(b)in the case of entity data which does not fall within paragraph (a) above but does fall within paragraph (a)(i) of the definition of “communications data” in section 261(5), the day on which the entity concerned ceases to be associated with the telecommunications service concerned or (if earlier) the day on which the data is changed, and

(c)in any other case, the day on which the data is first held by the operator concerned.

(4)A retention notice must not require an operator who controls or provides a telecommunication system (“the system operator”) to retain data which—

(a)relates to the use of a telecommunications service provided by another telecommunications operator in relation to that system,

(b)is (or is capable of being) processed by the system operator as a result of being comprised in, included as part of, attached to or logically associated with a communication transmitted by means of the system as a result of the use mentioned in paragraph (a),

(c)is not needed by the system operator for the functioning of the system in relation to that communication, and

(d)is not retained or used by the system operator for any other lawful purpose,

and which it is reasonably practicable to separate from other data which is subject to the notice.

(5)A retention notice which relates to data already in existence when the notice comes into force imposes a requirement to retain the data for only so much of a period of retention as occurs on or after the coming into force of the notice.

(6)A retention notice comes into force—

(a)when the notice is given to the operator (or description of operators) concerned, or

(b)(if later) at the time or times specified in the notice.

(7)A retention notice is given to an operator (or description of operators) by giving, or publishing, it in such manner as the Secretary of State considers appropriate for bringing it to the attention of the operator (or description of operators) to whom it relates.

(8)A retention notice must specify—

(a)the operator (or description of operators) to whom it relates,

[F2(aa)each telecommunications service (or description of telecommunications service) to which it relates,]

(b)the data which is to be retained,

(c)the period or periods for which the data is to be retained,

(d)any other requirements, or any restrictions, in relation to the retention of the data,

(e)the information required by section 249(7) (the level or levels of contribution in respect of costs incurred as a result of the notice).

(9)The requirements or restrictions mentioned in subsection (8)(d) may, in particular, include—

(a)a requirement to retain the data in such a way that it can be transmitted efficiently and effectively in response to requests,

(b)requirements or restrictions in relation to the obtaining (whether by collection, generation or otherwise), generation or processing of—

(i)data for retention, or

(ii)retained data.

(10)The fact that the data which would be retained under a retention notice relates to the activities in the British Islands of a trade union is not, of itself, sufficient to establish that the requirement to retain the data is necessary for one or more of the purposes falling within [F3sub-paragraphs (i) to (vi) of subsection (1)(a)].

[F4(10A)In this section, “the applicable crime purpose” means—

(a)to the extent that a retention notice relates to events data, the purpose of preventing or detecting serious crime;

(b)to the extent that a retention notice relates to entity data, the purpose of preventing or detecting crime or of preventing disorder.

(10B)In subsection (10A)(a), “serious crime” means, in addition to crime which falls within paragraph (a) or (b) of the definition of “serious crime” in section 263(1), crime where the offence, or one of the offences, which is or would be constituted by the conduct concerned is—

(a)an offence for which an individual who has reached the age of 18 (or, in relation to Scotland or Northern Ireland, 21) is capable of being sentenced to imprisonment for a term of 12 months or more (disregarding any enactment prohibiting or restricting the imprisonment of individuals who have no previous convictions), or

(b)an offence—

(i)by a person who is not an individual, or

(ii)which involves, as an integral part of it, the sending of a communication or a breach of a person’s privacy.]

(11)In this Part “relevant communications data” means communications data which may be used to identify, or assist in identifying, any of the following—

(a)the sender or recipient of a communication (whether or not a person),

(b)the time or duration of a communication,

(c)the type, method or pattern, or fact, of communication,

(d)the telecommunication system (or any part of it) from, to or through which, or by means of which, a communication is or may be transmitted, or

(e)the location of any such system,

and this expression therefore includes, in particular, internet connection records.

SafeguardsU.K.

88Matters to be taken into account before giving retention noticesU.K.

(1)Before giving a retention notice [F5, including in relation to one or more of the purposes mentioned in sub-paragraphs (i) to (vi) of section 87(1)(a) (purposes for which retention of communications data may be required)], the Secretary of State must, among other matters, take into account—

(a)the likely benefits of the notice,

[F6(aa)the telecommunications services to which the retention notice relates,

(ab)the appropriateness of limiting the data to be retained by reference to—

(i)location, or

(ii)descriptions of persons to whom telecommunications services are provided,]

(b)the likely number of users (if known) of any telecommunications service to which the notice relates,

(c)the technical feasibility of complying with the notice,

(d)the likely cost of complying with the notice, and

(e)any other effect of the notice on the telecommunications operator (or description of operators) to whom it relates.

(2)Before giving such a notice, the Secretary of State must take reasonable steps to consult any operator to whom it relates.

Prospective

89Approval of retention notices by Judicial CommissionersU.K.

(1)In deciding whether to approve a decision to give a retention notice, a Judicial Commissioner must review the Secretary of State's conclusions as to whether the requirement to be imposed by the notice to retain relevant communications data is necessary and proportionate for one or more of the purposes falling within [F7sub-paragraphs (i) to (vi) of section 87(1)(a)].

(2)In doing so, the Judicial Commissioner must—

(a)apply the same principles as would be applied by a court on an application for judicial review, and

(b)consider the matters referred to in subsection (1) with a sufficient degree of care as to ensure that the Judicial Commissioner complies with the duties imposed by section 2 (general duties in relation to privacy).

(3)Where a Judicial Commissioner refuses to approve a decision to give a retention notice, the Judicial Commissioner must give the Secretary of State written reasons for the refusal.

(4)Where a Judicial Commissioner, other than the Investigatory Powers Commissioner, refuses to approve a decision to give a retention notice, the Secretary of State may ask the Investigatory Powers Commissioner to decide whether to approve the decision to give the notice.

90Review by the Secretary of StateU.K.

(1)A telecommunications operator to whom a retention notice is given may, within such period or circumstances as may be provided for by regulations made by the Secretary of State, refer the notice back to the Secretary of State.

(2)Such a reference may be in relation to the whole of a notice or any aspect of it.

(3)In the case of a notice given to a description of operators—

(a)each operator falling within that description may make a reference under subsection (1), but

(b)each such reference may only be in relation to the notice, or aspect of the notice, so far as it applies to that operator.

(4)There is no requirement for an operator who has referred a retention notice under subsection (1) to comply with the notice, so far as referred, until the Secretary of State has reviewed the notice in accordance with subsection (5).

(5)The Secretary of State must review any notice so far as referred to the Secretary of State under subsection (1).

(6)Before deciding the review, the Secretary of State must consult—

(a)the Technical Advisory Board, and

(b)a Judicial Commissioner.

(7)The Board must consider the technical requirements and the financial consequences, for the operator who has made the reference, of the notice so far as referred.

(8)The Commissioner must consider whether the notice so far as referred is proportionate.

(9)The Board and the Commissioner must—

(a)give the operator concerned and the Secretary of State the opportunity to provide evidence, or make representations, to them before reaching their conclusions, and

(b)report their conclusions to—

(i)the operator, and

(ii)the Secretary of State.

(10)The Secretary of State may, after considering the conclusions of the Board and the Commissioner—

(a)vary or revoke the retention notice under section 94, or

(b)give a notice under this section to the operator concerned confirming its effect.

(11)But the Secretary of State may vary the notice, or give a notice under subsection (10)(b) confirming its effect, only if the Secretary of State's decision to do so has been approved by the Investigatory Powers Commissioner.

(12)A report or notice under this section is given to an operator by giving or publishing it in such manner as the Secretary of State considers appropriate for bringing it to the attention of the operator.

(13)The Secretary of State must keep a retention notice under review (whether or not referred under subsection (1)).

Commencement Information

I4S. 90(1)-(12) in force at 1.11.2018 by S.I. 2018/873, reg. 4(a)

I5S. 90(13) in force at 30.12.2016 by S.I. 2016/1233, reg. 2(e)

91Approval of notices following review under section 90U.K.

(1)In deciding whether to approve a decision to vary a retention notice as mentioned in section 90(10)(a), or to give a notice under section 90(10)(b) confirming the effect of a retention notice, the Investigatory Powers Commissioner must review the Secretary of State's conclusions as to whether the requirement to be imposed by the notice as varied or confirmed to retain relevant communications data is necessary and proportionate for one or more of the purposes falling within [F8sub-paragraphs (i) to (vi) of section 87(1)(a)].

(2)In doing so, the Investigatory Powers Commissioner must—

(a)apply the same principles as would be applied by a court on an application for judicial review, and

(b)consider the matters referred to in subsection (1) with a sufficient degree of care as to ensure that the Investigatory Powers Commissioner complies with the duties imposed by section 2 (general duties in relation to privacy).

(3)Where the Investigatory Powers Commissioner refuses to approve a decision to vary a retention notice as mentioned in section 90(10)(a), or to give a notice under section 90(10)(b) confirming the effect of a retention notice, the Investigatory Powers Commissioner must give the Secretary of State written reasons for the refusal.

Textual Amendments

Commencement Information

I6S. 91 in force at 1.11.2018 by S.I. 2018/873, reg. 4(a)

92Data integrity and securityU.K.

(1)A telecommunications operator who retains relevant communications data by virtue of this Part must—

(a)secure that the data is of the same integrity, and subject to at least the same security and protection, as the data on any system from which it is derived,

(b)secure, by appropriate technical and organisational measures, that the data can be accessed only by specially authorised personnel, and

(c)protect, by appropriate technical and organisational measures, the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful retention, processing, access or disclosure.

(2)A telecommunications operator who retains relevant communications data by virtue of this Part must destroy the data if the retention of the data ceases to be authorised by virtue of this Part and is not otherwise authorised by law.

(3)The destruction of the data may take place at such monthly or shorter intervals as appear to the operator to be practicable.

Commencement Information

I7S. 92 in force at 30.12.2016 by S.I. 2016/1233, reg. 2(f)

93Disclosure of retained dataU.K.

A telecommunications operator must put in place adequate security systems (including technical and organisational measures) governing access to relevant communications data retained by virtue of this Part in order to protect against any unlawful disclosure.

Commencement Information

I8S. 93 in force at 30.12.2016 by S.I. 2016/1233, reg. 2(g)

Variation or revocation of noticesU.K.

94Variation or revocation of noticesU.K.

(1)The Secretary of State may vary a retention notice.

(2)The Secretary of State must give, or publish, notice of the variation in such manner as the Secretary of State considers appropriate for bringing the variation to the attention of the telecommunications operator (or description of operators) to whom it relates.

(3)A variation comes into force—

(a)when notice of it is given or published in accordance with subsection (2), or

(b)(if later) at the time or times specified in the notice of variation.

(4)A retention notice may not be varied so as to require the retention of additional relevant communications data unless—

(a)the Secretary of State considers that the requirement is necessary and proportionate for one or more of the purposes falling within [F9sub-paragraphs (i) to (vi) of section 87(1)(a)], and

(b)subject to subsection (6), the decision to vary the notice has been approved by a Judicial Commissioner.

(5)The fact that additional relevant communications data which would be retained under a retention notice as varied relates to the activities in the British Islands of a trade union is not, of itself, sufficient to establish that the requirement to retain the data is necessary for one or more of the purposes falling within [F10sub-paragraphs (i) to (vi) of section 87(1)(a)].

(6)Subsection (4)(b) does not apply to a variation to which section 90(11) applies.

(7)Section 87(2) and (5) apply in relation to a retention notice as varied as they apply in relation to a retention notice, but as if the references to the notice coming into force included references to the variation coming into force.

(8)Sections 87(3), (4) and (8), 95 and 97, and subsections (1), (4), (13) and (16) of this section, apply in relation to a retention notice as varied as they apply in relation to a retention notice.

(9)Section 88 applies in relation to the making of a variation as it applies in relation to the giving of a retention notice (and, accordingly, the references to the notice in section 88(1)(a) to (e) are to be read as references to the variation).

(10)Section 89 applies in relation to a decision to vary to which subsection (4)(b) above applies as it applies in relation to a decision to give a retention notice (and, accordingly, the reference in subsection (1) of that section to the requirement to be imposed by the notice is to be read as a reference to the requirement to be imposed by the variation).

(11)Section 90 applies (but only so far as the variation is concerned) in relation to a retention notice as varied (other than one varied as mentioned in subsection (10)(a) of that section) as it applies in relation to a retention notice.

(12)Section 91 applies in relation to a decision under section 90(10) to vary or confirm a variation as it applies in relation to a decision to vary or confirm a retention notice (and, accordingly, the reference in subsection (1) of that section to the requirement to be imposed by the notice as varied or confirmed is to be read as a reference to the requirement to be imposed by the variation as varied or confirmed).

(13)The Secretary of State may revoke (whether wholly or in part) a retention notice.

(14)The Secretary of State must give or publish notice of the revocation in such manner as the Secretary of State considers appropriate for bringing the revocation to the attention of the operator (or description of operators) to whom it relates.

(15)A revocation comes into force—

(a)when notice of it is given or published in accordance with subsection (14), or

(b)(if later) at the time or times specified in the notice of revocation.

(16)The fact that a retention notice has been revoked in relation to a particular description of communications data and a particular operator (or description of operators) does not prevent the giving of another retention notice in relation to the same description of data and the same operator (or description of operators).

Textual Amendments

Commencement Information

I9S. 94(1)-(3)(4)(a)(5)(7) in force at 30.12.2016 by S.I. 2016/1233, reg. 2(h)

I10S. 94(4)(b)(6)(10)(12) in force at 1.11.2018 by S.I. 2018/873, reg. 4(a)

I11S. 94(8) in force at 30.12.2016 for specified purposes by S.I. 2016/1233, reg. 2(i)

I12S. 94(8)(11) in force at 1.11.2018 in so far as not already in force by S.I. 2018/873, reg. 4(a)

I13S. 94(9)(13)-(16) in force at 30.12.2016 by S.I. 2016/1233, reg. 2(j)

I14S. 94(11) in force at 30.12.2016 for specified purposes by S.I. 2016/1233, reg. 2(j)

EnforcementU.K.

95Enforcement of notices and certain other requirements and restrictionsU.K.

(1)It is the duty of a telecommunications operator on whom a requirement or restriction is imposed by—

(a)a retention notice, or

(b)section 92 or 93,

to comply with the requirement or restriction.

(2)A telecommunications operator, or any person employed or engaged for the purposes of the business of a telecommunications operator, must not disclose the existence or contents of a retention notice to any other person.

(3)The Information Commissioner, or any member of staff of the Information Commissioner, must not disclose the existence or contents of a retention notice to any other person.

(4)Subsections (2) and (3) do not apply to a disclosure made with the permission of the Secretary of State.

(5)The duty under subsection (1) or (2) is enforceable by civil proceedings by the Secretary of State for an injunction, or for specific performance of a statutory duty under section 45 of the Court of Session Act 1988, or for any other appropriate relief.

Commencement Information

I15S. 95 in force at 30.12.2016 by S.I. 2016/1233, reg. 2(k)

Further and supplementary provisionU.K.

96Application of Part 4 to postal operators and postal servicesU.K.

(1)This Part applies to postal operators and postal services as it applies to telecommunications operators and telecommunications services.

(2)In its application by virtue of subsection (1), this Part has effect as if—

(a)any reference to a telecommunications operator were a reference to a postal operator,

(b)any reference to a telecommunications service were a reference to a postal service,

(c)any reference to a telecommunication system were a reference to a postal service,

(d)in section 87(3), for paragraph (b) there were substituted—

(b)in the case of communications data which does not fall within paragraph (a) above but does fall within paragraph (c) of the definition of “communications data” in section 262(3), the day on which the person concerned leaves the postal service concerned or (if earlier) the day on which the data is changed,,

(e)for section 87(4) there were substituted—

(4)A retention notice must not require an operator who provides a postal service (“the network operator”) to retain data which—

(a)relates to the use of a postal service provided by another postal operator in relation to the postal service of the network operator,

(b)is (or is capable of being) processed by the network operator as a result of being comprised in, included as part of, attached to or logically associated with a communication transmitted by means of the postal service of the network operator as a result of the use mentioned in paragraph (a),

(c)is not needed by the network operator for the functioning of the network operator's postal service in relation to that communication, and

(d)is not retained or used by the network operator for any other lawful purpose,

and which it is reasonably practicable to separate from other data which is subject to the notice., F11...

[F12(ea)the reference in section 87(10A)(a) to events data were a reference to anything within paragraph (a) or (b) of the definition of “communications data” in section 262(3),

(eb)the reference in section 87(10A)(b) to entity data were a reference to anything within paragraph (c) of the definition of “communications data” in section 262(3), and]

(f)in section 87(11), the words from “and this expression” to the end were omitted.

97Extra-territorial application of Part 4U.K.

(1)A retention notice, and any requirement or restriction imposed by virtue of a retention notice or by section 92, 93 or 95(1) to (3), may relate to conduct outside the United Kingdom and persons outside the United Kingdom.

(2)But section 95(5), so far as relating to those requirements or restrictions, does not apply to a person outside the United Kingdom.

Commencement Information

I17S. 97 in force at 30.12.2016 by S.I. 2016/1233, reg. 2(l)

98Part 4: interpretationU.K.

(1)In this Part—

  • notice” means notice in writing,

  • relevant communications data” has the meaning given by section 87(11),

  • retention notice” has the meaning given by section 87(1).

(2)See also—

  • section 261 (telecommunications definitions),

  • section 262 (postal definitions),

  • section 263 (general definitions),

  • section 265 (index of defined expressions).

Commencement Information

I18S. 98 in force at 30.12.2016 by S.I. 2016/1233, reg. 2(m)