Currently the Home Office has put in place a voluntary code of practice for ISPs and telecommunication service providers relating to the retention of data. This comes under the “Retention of communications data under part 11: Anti-Terrorism, Crime & Security Act 2001”.
The code provides for the following retention time periods:
- SMS, EMS and MMS: Data retention period 6 months
- Email: Data retention period 6 months
- ISP: Data retention period 6 months
- Web Activity Logs: Data retention period 4 days
The following data is required to be stored for the retention times mentioned above:
SMS, EMS and MMS: Calling number, IMEI – Called number, IMEI – Date and time of sending – Delivery receipt – if available – Location data when messages sent and received, in form of lat/long reference.
Email: Log-on (authentication user name, date and time of log-in/log-off, IP address logged-in from) – sent email (authentication user name, from/to/cc email addresses, date and time sent) – received email (authentication user name, from/to email addresses, date and time received)
ISP: Log-on (authentication user name, date and time of log-in/log-off, IP address assigned, Dial-up: CLI and number dialed, Always-on: ADSL end point/MAC address (if available))
Web Activity Logs: Proxy server logs (date/time, IP address used, URLs visited, services)
The code is quite clear that information stored should only be “Communications Data” and should exclude the content of communications.
The Web browsing information to be retained should extend only as far as disclosing the host machine or domain name.
The example the Home Office gives is that if the URL visited was http://www.homeoffice.gov.uk/kbsearch?qt=ripa+traffic=data
then only the domain “www.homeoffice.gov.uk” is to be stored. The reason is that:
“within a communication, data identifying http://www.homeoffice.gov.uk would be traffic data, whereas data identifying would be content and not subject to retention.”
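The host-only rule and the 4-day web log period described above can be applied to proxy logs before they are stored. The following Python sketch is an added example, not part of the code of practice or the original page; the space-separated log layout (timestamp, client IP, URL), the function names and the sample lines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Retention period the code of practice gives for web activity logs.
WEB_LOG_RETENTION = timedelta(days=4)

def host_only(url):
    """Return only the host of a URL: no scheme, userinfo, port, path, query or fragment."""
    # Scheme-less entries (e.g. "host:443") need a "//" prefix to be parsed as a netloc.
    parts = urlsplit(url if "://" in url else "//" + url)
    host = parts.hostname  # lower-cased, userinfo and port already stripped
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host

def minimise(lines, now):
    """Yield (timestamp, client_ip, host) for entries inside the retention window.

    Assumed line layout (hypothetical): "<ISO timestamp> <client IP> <URL>".
    Entries that cannot be parsed are dropped rather than stored unredacted.
    """
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        ts_raw, client_ip, url = fields[:3]
        try:
            ts = datetime.fromisoformat(ts_raw)
            host = host_only(url)
        except ValueError:
            continue  # fail closed: never keep a raw URL we could not reduce
        if now - ts > WEB_LOG_RETENTION:
            continue  # older than 4 days: outside the retention period
        yield ts_raw, client_ip, host

# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    "2004-03-10T09:15:00 192.0.2.10 http://www.homeoffice.gov.uk/kbsearch?qt=ripa+traffic=data",
    "2004-03-09T22:01:30 192.0.2.11 https://user:pw@mail.example.org:8443/inbox?id=42#top",
    "2004-03-04T08:00:00 192.0.2.10 http://www.example.com/old/page",
    "2004-03-10T09:20:00 192.0.2.12 http:///no-host",
]
NOW = datetime(2004, 3, 10, 12, 0, 0)  # constructed reference time

if __name__ == "__main__":
    for record in minimise(SAMPLE_LOG, NOW):
        print(*record)
```

Credentials and ports embedded in a URL are removed along with the path and query, so the stored record carries nothing beyond the host name.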