UK telecoms providers will have to retain data about telephone calls for one year, under legislation passed by parliament on 25 July.
In a statutory instrument coming into force on 1 October this year, the home secretary, Jacqui Smith, enacted last year's European data retention directive, which told member states to retain traffic and location data on telephone calls to assist in tackling crime. It said countries should set the retention period from six months to two years.
For fixed-line telephony, the data to be retained includes the information appearing on full telephone bills: the name and address of the subscriber, which numbers were dialled and when, and how long calls lasted.
For mobile telephones, it also includes the International Mobile Subscriber Identity and the International Mobile Equipment Identity of the handset the approximate location of users when calls are made, derived from the network base station or cell employed and for pre-paid anonymous services, the time, date and cell identity of first use. It does not cover the content of calls.
Communications companies often retain such data for several months for business purposes, such as to answer queries on billing, but holding it for longer exposed them to a legal danger, said Struan Robertson, editor of IT legal news site Out-law.com and a senior associate of UK law firm Pinsent Masons. "As long as the requirement was a voluntary one, there was a risk of a breach of the Data Protection Act. If they were to hold it to comply with the law, there is no breach," he said.
The statutory instrument did not impose retention periods on internet communications. However, the European directive includes a later deadline of 15 March 2009 for this.
Implementing the directive for internet communications may be very difficult, according to responses to the Home Office's consultation, published last month. The Internet Service Providers Association was quoted in the consultation as saying that, "the draft regulations as they stand would not enable implementation of the directive".
This means that from October, details of voice over internet protocol telephone calls will not need to be retained for a year, although those made through fixed and mobile telephone systems will.
This article first appeared on the website of Infosecurity magazine.
Comment on this article: [email protected]