28.—(1) Subject to paragraph (2), a telecommunications service provider shall take technical and organisational measures which are appropriate to secure the security of the service he provides.
(2) If necessary, the measures required by paragraph (1) shall be taken by a telecommunications service provider in conjunction with the provider of the relevant telecommunications network who shall comply with any reasonable requests made by the service provider for the purposes hereof.
(3) Where, notwithstanding the taking of measures required hereby, there is a significant risk to the security of the relevant telecommunications network, the telecommunications service provider shall inform the subscribers concerned of–
(a) that risk;
(b) any measures appropriate to afford safeguards against that risk which they themselves might take, and
(c) the costs involved in the taking of such measures.
(4) For the purposes of this regulation, measures shall only be taken to be appropriate if, having regard to–
(a) the state of technological development, and
(b) the cost of implementing the measures,
they are proportionate to the risks against which they would afford safeguards.
(5) For the purposes of this regulation the security of a public telecommunications service or network shall not be taken to be at risk by reason of the intentional disclosure, or possibility of such disclosure, of any matter falling within subsection (1)(a) or (b) of section 45 of the Act of 1984(1) by a telecommunications service or network provider in a case or circumstances in which he would not be guilty of an offence under that section which, for the purposes of this paragraph, shall have effect as if–
(a) the reference in subsection (1) thereof to a person engaged in the running of a public telecommunications system were a reference to such a provider;
(b) for the words “that system”, in both places where they occur in subsection (1)(a) and (b) thereof, there were substituted the words “a public telecommunications system”; and
(c) the reference in subsection (1)(a) thereof to a message were a reference to a communication.
29. At the request of the subscriber concerned, a telecommunications service provider shall only submit to him bills which are not itemised.
30.—(1) The Secretary of State and the Director shall each have a duty, when exercising any function assigned to him by a provision of the Act of 1984 specified in paragraph (2), to have regard to the need to reconcile the rights of subscribers receiving itemised bills with the rights to privacy of calling users and called subscribers, for example by ensuring that sufficient alternative means for the making of calls or methods of paying therefor are available to such users and subscribers.
(2) For the purposes of paragraph (1), the specified provisions of the Act of 1984 are sections 7, 8, 12, 13, 15, 16, 17, 18, 47, 48, 49, and 50.
31. Where calls originally directed to another line are being automatically forwarded to a subscriber’s line as a result of action taken by a third party and the subscriber so requests the relevant telecommunications service provider (“the subscriber’s provider”), that provider shall ensure, without charge, that such forwarding ceases without any avoidable delay, and any other telecommunications service provider and any telecommunications network provider shall comply with any reasonable requests made by the subscriber’s provider for the purposes of this regulation.
32.—(1) Nothing in any of the provisions of these Regulations shall require a telecommunications service or network provider to do, or refrain from doing, anything (including the processing of data) if exemption from the requirement in question is required for the purpose of safeguarding national security.
(2) Subject to paragraph (4), a certificate signed by a Minister of the Crown certifying that exemption from any requirement of these Regulations is or at any time was required for the purpose of safeguarding national security shall be conclusive evidence of that fact.
(3) A certificate under paragraph (2) may identify the circumstances in which it applies by means of a general description and may be expressed to have prospective effect.
(4) Any person directly affected by the issuing of a certificate under paragraph (2) may appeal to the Tribunal against the certificate.
(5) If on an appeal under paragraph (4), the Tribunal finds that, applying the principles applied by a court on an application for judicial review, the Minister did not have reasonable grounds for issuing the certificate, the Tribunal may allow the appeal and quash the certificate.
(6) Where in any proceedings under or by virtue of these Regulations it is claimed by a telecommunications service or network provider that a certificate under paragraph (2) which identifies the circumstances in which it applies by means of a general description applies in the circumstances in question, any other party to the proceedings may appeal to the Tribunal on the ground that the certificate does not apply in those circumstances and, subject to any determination under paragraph (7), the certificate shall be conclusively presumed so to apply.
(7) On any appeal under paragraph (6), the Tribunal may determine that the certificate does not so apply.
(8) In this regulation “the Tribunal” means the Data Protection Tribunal referred to in section 6 of the Data Protection Act 1998 and–
(a) subsections (8), (9), (10) and (12) of section 28 of that Act and Schedule 6 thereto shall apply for the purposes of, and in connection with, this regulation as if any references therein to sub-section (2), (4) or (6) of the said section 28 were, respectively, references to paragraph (2), (4) or (6) of this regulation and
(b) section 58 of that Act shall so apply as if the reference therein to the functions of the Tribunal under that Act included a reference to the functions of the Tribunal under paragraphs (4) to (7) of this regulation.
33. Nothing in any of the provisions of these Regulations shall require a telecommunications service or network provider to do, or refrain from doing, anything (including the processing of data)–
(a) if compliance with the requirement in question–
(i) would be inconsistent with any requirement imposed by or under any enactment, by any rule of law or by the order of a court, or
(ii) would be likely to prejudice the prevention or detection of crime or the apprehension or prosecution of offenders; or
(b) if exemption from the requirement in question–
(i) is required for the purposes of, or in connection with, any legal proceedings (including prospective legal proceedings),
(ii) is necessary for the purposes of obtaining legal advice, or
(iii) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
34. The provisions in Schedule 3 shall have effect.
Section 45 was amended by section 11(1) of the Interception of Communications Act 1985 (c. 56).