Data retention directive "invalid"

Andrew Cormack Andrew.Cormack at ja.net
Sat Apr 12 14:46:26 BST 2014 

Some of the purposes ISPs can use traffic data for are listed in Regulation 8 of the Privacy and Electronic Communications Regs (there are others scattered through the Regs):

(a)the management of billing or traffic;
(b)customer enquiries;
(c)the prevention or detection of fraud;
(d)the marketing of electronic communications services [with consent, according to Reg 7]; or
(e)the provision of a value added service [with consent, according to Reg 7].

ISPs that don't keep enough information to deal with complaints of breaches of their own AUPs, e.g. which IP address was allocated to which user, tend to be regarded unfavourably and may ultimately find their (customers') ability to send e-mail etc. to other networks being reduced. LINX produced a Good Practice Guide on Traceability many years ago, which was approved by the then Data Protection Commissioner (yes, *that* many years ago).

Andrew

--
Andrew Cormack
Chief Regulatory Adviser, Janet
t: +44 1235 822302
b: https://community.ja.net/blogs/regulatory-developments
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is
registered in England under No.2881024 and whose Registered Office is at Lumen House, Library
Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No. 614944238


> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of Roland Perry
> Sent: 12 April 2014 12:12
> To: ukcrypto at chiark.greenend.org.uk
> Subject: Re: Data retention directive "invalid"
> 
> In article <48CD028A501A45BEB16D41DCEAF60BF2 at MaryPC>, Mary Hawking
> <maryhawking at tigers.demon.co.uk> writes
> >I'm getting a bit confused.
> >I have a Home Office contract with Demon:
> 
> Oh, very good.
> 
> >as far as I know there is no volume restriction.
> >Why does Demon need to keep any traffic data on my use of this service
> -
> 
> Traffic data is where to/from, generally, rather than the quantity.
> 
> Although the ISP I migrated away from this week was definitely
> monitoring my usage of email in case I was a spammer. The volume of
> data
> was unlimited, but I could only send something like 500 emails a day.
> 
> >apart from requirements from the Home Office?
> 
> It's possible Demon might also be monitoring email traffic data (not
> the
> contents) as part of a wider anti-abuse policy, and also to be able to
> answer questions like "why wasn't that email I sent yesterday
> delivered". But I have no recent information about that sort of thing.
> 
> Then there's the difference between "Unlimited", "truly Unlimited" and
> "completely Unlimited - apart from a fair use policy". Sorry, I made
> that last one up.
> 
> >Mary Hawking
> >Retired from NHS on 31.3.13 because of the Health and Social Care Act
> 2012
> >"thinking - independent thinking - is to humans as swimming is to
> cats: we
> >can do it if we really have to."  Mark Earles on Radio 4
> >blog http://maryhawking.wordpress.com/ And Fred!
> >http://primaryhealthinfo.wordpress.com/2013/11/02/freds-saying-you-
> just-dont
> >-get-it/
> >
> >-----Original Message-----
> >From: Roland Perry [mailto:lists at internetpolicyagency.com]
> >Sent: 11 April 2014 13:12
> >To: ukcrypto at chiark.greenend.org.uk
> >Subject: Re: Data retention directive "invalid"
> >
> >In article <5347AC78.8080206 at zen.co.uk>, Peter Fairbrother
> ><zenadsl6186 at zen.co.uk> writes
> >>On 11/04/14 07:52, Roland Perry wrote:
> >>> In article <534705C6.6040306 at zen.co.uk>, Peter Fairbrother
> >>> <zenadsl6186 at zen.co.uk> writes
> >>>> If an ISP has agreements with the Home Office regarding
> distributing
> >>>> data to Police forces etc, I don't think these can be enforced.
> >>>
> >>> Data disclosure is disjoint from retention, and is covered by RIPA.
> It's
> >>> not an agreement, but an obligation (on receipt of the necessary
> >>> paperwork).
> >>
> >>Ah, I wasn't clear - what I meant was if an ISP deletes its data then
> >>any contracts made under the CoP regarding data distribution (eg re
> >>SPOCs, payments etc) would be unenforcable, as the ends of the
> contract
> >>necessarily involve unlawfulness (ie retaining the data).
> >
> >Describing as either "distribution" or a "contract" is wrong.
> >
> >>>> Certainly they cannot be enforced if the CoP is invalid, and
> probably
> >>>> not otherwise if it is only partly disproportionate, which it
> almost
> >>>> certainly is.
> >>>
> >>> I don't think disclosure is conditional on how you happened to have
> the
> >>> data. If the data exists, it can be required to be disclosed.
> >>
> >>There is no penalty under RIPA for failing to distribute the data if
> >>they don't have it.
> >
> >It's not distribution, it's access-on-demand.
> >
> >>And, I don't think they have to distribute the data under RIPA anyway
> -
> >>it would be disproportionate.
> >
> >You've made up this "distribution" thing.
> >
> 
> --
> Roland Perry

More information about the ukcrypto mailing list