uk data retention review
DESCRIPTION
A paper stating the required Data to be retained in light of UK DATA RETENTION Regulations 2014. The objective of this Paper is to help Legislators in MENA Region.The Paper is only covering the kind of Data required with no advanced evaluation for the entire regulations.TRANSCRIPT
UK DATA RETENTION REVIEW
DATA RETENTION AND INVESTIGATORY
POWERS ACT 2014
Prepared by
Amr Eldeeb February 2016
“Whereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognized both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the general principles of Community law; whereas, for that reason , the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community;”1
1 (10) DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 24 October 1995
on the protection of individuals with regard to the processing of personal data and on the free movement of such
data
INTRODUCTION
This research is in favor to find out the specified DATA that ISPs shall retain, protect & provide
upon request, in light of the data retention regulations in the UK.
SUMMARY
The UK Data Retention Regulations completes the transposition of Directive 2006/24/EC2, on
the retention of data generated or processed in connection with the provision of publicly available
electronic communications services or of public communications networks and amending
Directive 2002/58/EC3. They relate to internet access, internet e-mail and internet telephony, as
well as mobile and fixed line telephony. They revoke, and supersede, the Data Retention (EC
Directive) Regulations 2007 (SI 2007/2199) which transposed the parts of Directive 2006/24/EC
relating to mobile and fixed line telephony.
It took three years to get the final UK Data retention regulations including the very important
milestone of “proper public consultation”4.
However, the European Court of Justice (“ECJ”), in a judgment dated 8 April 2014 in joined cases
C-293/12 Digital Rights Ireland & C-594/12 Seitlinger which, declared the Data Retention
Directive (2006/24/EC) invalid. It noted that limitations to fundamental rights should only apply
2 Directive 2006/24/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL , of 15 March 2006 3 DIRECTIVE 2002/58/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 12 July 2002,
concerning the processing of personal data and the protection of privacy in the electronic communications sector
(Directive on privacy and electronic communications)
4 The draft Regulations have been subject to a 12-week public consultation exercise, which concluded in October
2008. During this exercise, Home Office officials met with a broad range of public communications providers and
their trade associations, the Association of Chief Police Officers, the intelligence agencies, privacy lobbyists and other
individuals. 54 responses were received. Many responses were from members of the public who were opposed to the
Directive on principle but did not offer suggestions on the wording of the draft Regulations (24 out of 54 responses).
Public communications providers welcomed the Government’s approach subject to five main concerns, which are
addressed below.
First, draft Regulation 5 has been amended to remove a provision, which would have enabled the Secretary of State
to vary the period for data must be retained under the Regulations by notice.
Second, draft Regulation 9 has been amended to ensure that all statistics required to be collected under Directive
2006/24/EC are also required to be collected under the draft Regulations.
Third, draft Regulation 10 has been amended so that the Secretary of State must issue a notice to any public
communications provider required to retain data under the Regulations. Under the amended version of draft Regulation
10, the Secretary of State must issue such a notice to a public communications provider unless the data to which the
Regulations apply are retained in the UK in accordance with the Regulations by another public communications
provider.
Fourth, several responses to the consultation exercise expressed concern about how the draft Regulations ought to be
interpreted in practice. The Government undertakes to establish an “implementation group”. This will develop
guidance to assist in the implementation of the draft Regulations.
Finally, a number of responses queried the meaning of the term “e-mail”. The Government confirms that the term
“email” has the same meaning as “electronic mail” which is defined in the Privacy and Electronic Communications
(EC Directive) Regulations 2003, transposing Directive 2002/58/EC into UK law. Both terms therefore refer to “any
text, voice, sound or image message sent over a public electronic communications network which can be stored in the
network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using
a short message service”.
in so far as is strictly necessary and that EU law must lay down clear and precise rules governing
the scope of limitations and the safeguards for individuals. It held that the Directive did not set out
clear and precise rules regarding the extent of the interference. It highlighted several elements of
the directive, which fell short in this regard. By applying to all traffic data of all users of all means
of electronic communications the Directive entailed an interference with the fundamental rights of
practically the entire European population and did not require a relationship between the data
retained and serious crime or public security. Moreover, no substantive conditions (such as
objective criterion by which the number of persons authorized to access data can be limited) or
procedural conditions (such as review by an administrative authority or a court prior to access)
determined the limits of access and use to the data retained by competent national authorities. Nor
did the Directive determine the period for which data are retained based on objective criteria.
The Court also held that the Directive did not set out clear safeguards for the protection of the
retained data. This finding was supported by the Court’s observation that the rules in the Directive
were not tailored to the vast quantity of sensitive data retained and to the risk of unlawful access
to these data. Rather, the Directive allowed providers to have regard to economic considerations
when determining the technical and organizational means to secure these data. Moreover, the
Directive did not specify that the data must be retained within the EU and thus within the control
of national Data Protection Authorities. For these reasons, the Court declared the Directive
invalid5.
In light of such development, the UK Government decided to introduce a secondary legislation to
replace the Data Retention (EC Directive) Regulations 2009 (S.I.2009/859) (“the 2009
Regulations”), while providing additional safeguards. The Act had been taken through Parliament
on a fast-track basis. In order to ensure the new data retention regime is in place before the Summer
Recess, these Regulations will also be subject to an accelerated Parliamentary timetable. In
particular, the Regulations will come into force on the day after they are made. The Government
considers it important to put in place a new regime for data retention as soon as possible. This will
ensure that telecommunications service providers continue to retain data following the European
Court of Justice Judgment.
The replacement Bill was the “Data Retention and Investigatory Powers Act 2014” 17th of July
2014. The act aims, among other things, to respond to the ECJs judgement since the 2009 Regulations
have implemented the Directive in domestic Laws. In addition, this Act ensures that, as the original
legislation intended, any company providing communication services to customers in the United
Kingdom is obliged to comply with requests for communications data and interception warrants
issued by the Secretary of State, irrespective of the location of the company providing the service.
Nevertheless, the Act provides a power for the Secretary of State to issue a data retention notice
on a telecommunications services provider, requiring them to retain certain data types. The data
types are those set out in the Schedule to the 2009 Regulations. No additional categories of data
can be retained. The Act provides that the period for which data can be retained can be set at a
5 See more at: http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d0f130d5cb2de61340ea4b108458a6201a7991e8.e34KaxiLc3eQc40LaxqMbN4Och8Re0?text=&docid=145562&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=768374
maximum period not to exceed 12 months, rather than the fixed 12 months in the 2009 Regulations,
allowing for retention for shorter periods when appropriate. It provides a power to make
regulations setting out further provision on the giving of and contents of notices, safeguards for
retained data, enforcement of requirements relating to retained data and the creation of a code of
practice in order to provide detailed guidelines for data retention and information about the
application of safeguards, and transitional provisions.
By 30 July 2014, In accordance with section 2(5) of the ACT, new draft for Data Retention
Regulations 2014 have been prepared and laid before parliament & approval by resolution of each
House.
IN ACCORDANCE WITH THE AIM OF THIS RESEARCH, WE WILL NOT PROCEED
DEEPLY IN ANY DETAILES REGARDING THE RELATED LAWS AND WILL ONLY LIST
THE DIFINITIONS & DATA TYPES SET OUT IN THE DATA RETENTION AND POWERS
ACT 2014 & THE RELATED DATA RETANTION REGULATIONS 2014.
THE FOLLOWING DATA HAS BEEN COLLECTED, REFORMED AND LISTED IN A WAY
SERVING THE AIM OF THIS RESEARCH.
SECTION (A)
DEFINITIONS
1. Data Retention and Powers and investigatory powers Act 2014 described the definitions
under the title Supplementary;
I. “Communications data” has the meaning given by section 21(4)6 of the Regulation of
Investigatory Powers Act 2000 so far as that meaning applies in relation to
telecommunications services and telecommunication systems;
II. “Functions” includes powers and duties;
III. “Notice” means notice in writing;
IV. “Public telecommunications operator” means a person who;
(a) Controls or provides a public telecommunication system, or
(b) Provides a public telecommunications service;
V. “Public telecommunications service” and “public telecommunication system” have the
meanings given by section 2(1)7 of the Regulation of Investigatory Powers Act 2000;
VI. “Relevant communications data” means communications data of the kind mentioned in
the Schedule to the 2009 Regulations so far as such data is generated or processed in the
United Kingdom by public telecommunications operators in the process of supplying the
telecommunications services concerned;
In accordance with 2(2);
“Relevant communications data” includes (so far as it otherwise falls within the
definition) communications data relating to unsuccessful call attempts that—
(a) in the case of telephony data, is stored in the United Kingdom, or
(b) In the case of internet data, is logged in the United Kingdom, but does not
include data relating to unconnected calls or data revealing the content of a
communication.
VII. “Relevant powers” means any powers conferred by virtue of section 1(1) to (6);
VIII. “Relevant requirements or restrictions” means any requirements or restrictions imposed
by virtue of section 1(1) to (6);
IX. “Retention notice” has the meaning given by section 1(1);
X. “Specify” means specify or describe (and “specified” is to be read accordingly);
6 In this Chapter “communications data” means any of the Following; (a) any traffic data comprised in or attached to
a communication (whether by the sender or otherwise) for the purposes of any postal service or telecommunication
system by means of which it is being or may be transmitted;(b) any information which includes none of the contents
of a communication (apart from any information falling within paragraph (a)) and is about the use made by any
person—(i) of any postal service or telecommunications service; or - (ii) in connection with the provision to or use by
any person of any telecommunications service, of any part of a telecommunication system; (c) any information not
falling within paragraph (a) or (b) that is held or obtained, in relation to persons to whom he provides the service, by
a person providing a postal service or telecommunications service. 7 “public telecommunications service” means any telecommunications service which is offered or provided to, or
to a substantial section of, the public in any one or more parts of the United Kingdom;
“public telecommunication system” means any such parts of a telecommunication system by means of which any
public telecommunications service is provided as are located in the United Kingdom;
XI. “Telecommunications service”8 and “Telecommunication system”9 have the meanings
given by section 2(1) of the Regulation of Investigatory Powers Act 2000;
XII. “Telecommunications Service Provider” means a person who provides a
telecommunications service;
XIII. “Unsuccessful call attempt” means a communication where a telephone call has been
successfully connected but not answered or there has been a network management
intervention;
XIV. “The 2009 Regulations” means the provisions known as the Data Retention (EC
Directive) Regulations 2009 (S.I. 2009/859).
XV. In subsection (5); Meaning of “telecommunications service”
In section 2 of the Regulation of Investigatory Powers Act 2000 (meaning of interception”
etc.), after subsection (8) insert— “(8A) For the purposes of the definition of
“telecommunications service” in subsection (1), the cases in which a service is to be taken
to consist in the provision of access to, and of facilities for making use of, a
telecommunication system include any case where a service consists in or includes
facilitating the creation, management or storage of communications transmitted, or that
may be transmitted, by means of such a system.”10
2. The Data Retention Regulations 2014 has some special interpretation for part 2 of the
regulations that can be cited as following;
Interpretation of part 2;
I. “The Act” means the Data Retention and Investigatory Powers Act 2014; II. “Cell ID” means the identity or location of the cell from which a mobile telephony call
started or in which it finished;
III. “Service use data” means anything falling within paragraph (b) of the definition of
“communications data” in section 21(4) of the Regulation of Investigatory Powers Act
2000(a) so far as that definition applies in relation to telecommunications services and
telecommunication systems;
IV. “Subscriber data” means anything falling within paragraph (c) of the definition of
“communications data” in section 21(4) of the Regulation of Investigatory Powers Act
2000 so far as that definition applies in relation to telecommunications services and
telecommunication systems;
V. “Telephone service” means calls (including voice, voicemail and conference and data
calls), supplementary services (including call forwarding and call transfer) and messaging
and multimedia services (including short message services, enhanced media services and
multi-media services);
8 “telecommunications service” means any service that consists in the provision of access to, and of facilities for
making use of, any telecommunication system (whether or not one provided by the person providing the service);
and 9 “telecommunication system” means any system (including the apparatus comprised in it) which exists (whether
wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of
communications by any means involving the use of electrical or electro-magnetic energy 10 Subsection 2 (8); For the purposes of this section the cases in which any contents of a communication are to be
taken to be made available to a person while being transmitted shall include any case in which any of the contents of
the communication, while being transmitted, are diverted or recorded so as to be available to a person subsequently.
VI. “Traffic data” means anything falling within paragraph (a) of the definition of
“communications data” in section 21(4) of the Regulation of Investigatory Powers Act
2000 so far as that definition applies in relation to telecommunications services and
telecommunication systems;
VII. “Communications data” in section 21(4) of the Regulation of Investigatory Powers Act
2000 so far as that definition applies in relation to telecommunications services and
telecommunication systems;
VIII. “User ID” means a unique identifier allocated to persons when they subscribe to, or register
with, an internet access service or internet communications service
IX. The Schedule to these Regulations specifies the communications data that is of the kind
mentioned in the Schedule to the 2009 Regulations (b).
SECTION (B)
THE REQUIRED TYPES OF RETAINED DATA
DATA RETENTION REGULATIONS 2014
SCHEDULE
COMMUNICATIONS DATA OF THE KIND MENTIONED IN THE SCHEDULE TO
THE 2009 REGULATIONS
The schedule includes data falling into categories of fixed network (part 1), mobile telephony (part
2), and internet access, internet e-mail or internet telephony (part 3).
PART 1
FIXED NETWORK TELEPHONY
Data necessary to trace and identify the source of a communication
1. — (1) The calling telephone number.
(2) The name and address of the subscriber or registered user of any such telephone.
Data necessary to identify the destination of a communication
2.— (1) The telephone number dialed and, in cases involving supplementary services such as call
forwarding or call transfer, any telephone number to which the call is forwarded or
transferred.
(2) The name and address of the subscriber or registered user of any such telephone.
Data necessary to identify the date, time and duration of a communication
3. The date and time of the start and end of the call.
Data necessary to identify the type of communication
4. The telephone service used.
PART 2
MOBILE TELEPHONY
Data necessary to trace and identify the source of a communication
5. — (1) The calling telephone number.
(2) The name and address of the subscriber or registered user of any such telephone.
Data necessary to identify the destination of a communication
6. — (1) The telephone number dialed and, in cases involving supplementary services such
as call forwarding or call transfer, any telephone number to which the call is forwarded or
transferred.
(2) The name and address of the subscriber or registered user of any such telephone.
Data necessary to identify the date, time and duration of a communication
7. The date and time of the start and end of the call.
Data necessary to identify the type of communication
8. The telephone service used.
Data necessary to identify users’ communication equipment (or what purports to be their
Equipment)
9. — (1) The International Mobile Subscriber Identity (IMSI) and the International Mobile
Equipment Identity (IMEI) of the telephone from which a telephone call is made.
(2) The IMSI and the IMEI of the telephone dialed.
(3) In the case of pre-paid anonymous services, the date and time of the initial activation of
the Service and the cell ID from which the service was activated.
Data necessary to identify the location of mobile communication equipment
10. — (1) The cell ID at the start of the communication.
(2) Data identifying the geographic location of cells by reference to their cell ID
PART 3
INTERNET ACCESS, INTERNET E-MAIL OR INTERNET TELEPHONY
Data necessary to trace and identify the source of a communication
11.— (1) The user ID allocated.
(2) The user ID and telephone number allocated to the communication entering the public
telephone network.
(3) The name and address of the subscriber or registered user to whom an Internet Protocol
(IP) address, user ID or telephone number was allocated at the time of the communication.
Data necessary to identify the destination of a communication
12.— (1) In the case of internet telephony, the user ID or telephone number of the intended
recipient of the call.
(2) In the case of internet e-mail or internet telephony, the name and address of the
subscriber or registered user and the user ID of the intended recipient of the communication.
Data necessary to identify the date, time and duration of a communication
13.— (1) In the case of internet access—
(a) The date and time of the log-in to and log-off from the internet access service, based
on a specified time zone,
(b) The IP address, whether dynamic or static, allocated by the internet access service
provider to the communication, and
(c) The user ID of the subscriber or registered user of the internet access service.
(2) In the case of internet e-mail or internet telephony, the date and time of the log-in to
and log off from the internet e-mail or internet telephony service, based on a specified time
zone.
Data necessary to identify the type of communication
14. In the case of internet e-mail or internet telephony, the internet service used.
Data necessary to identify users’ communication equipment (or what purports to be their
Equipment)
15. — (1) In the case of dial-up access, the calling telephone number.
(2) In any other case, the digital subscriber line (DSL) or other end point of the originator
of the Communication.
SECTION(C) HIGHLIGHTS & COMMENTARY
1. Highlights;
The Act provides powers to create a new mandatory data retention regime to replace
the 2009 Regulations.
Communications data is the context not the content of a communication. It can be
used to demonstrate who was communicating; when; from where; and with whom. It
can include the time and duration of a communication, the number or email address
of the originator and recipient, and sometimes the location of the device from which
the communication was made.
There is no section in any of the reviewed regulations to mention the CONTENT as a
kind of data that has to be retained.
There is major section in the 2009 regulations that has been modified; article 3; These
Regulations apply to communications data if, or to the extent that, the data are
generated or processed IN the United Kingdom by public communications providers
in the process of supplying the communications services concerned.
This article has been MODIFIED & CLARIFIED in ACT 2014 by updating the
Extra-Territorial section in RIPA11.
In accordance with the ECJ judgement, the ACT provides that the period for which
data can be retained can be set at a maximum period not to exceed 12 months, rather
than the fixed 12 months in the 2009 regulations, allowing for retention for shorter
periods when appropriate.
Telecommunications service providers will not be required to retain data, unless they
have been given a Retention Notice by the Secretary of the state.
A notice cannot require the retention of data types other than those described in the
2009 Regulations.12
In accordance with the new “Counter Terrorism and Security ACT 2015”, part 3,
section 21; there have been scheduled modifications for some definitions to be in force
of 31st of December 2016, as following;
11 Subsection number 2, 3, 4, 5, 6, 7, 8, 9 & 10 of the ACT modifying certain sections of RIPA to provide
practicalities for Law Enforcement Agencies IN & OUT UK. 12 2 (3) Regulations under section 1(3) may specify the communications data that is of the kind mentioned in the
Schedule to the 2009 Regulations and, where they do so, the reference in the definition of “relevant communications
data” to communications data of that kind is to be read as a reference to communications data so specified.
21 Retention of relevant internet data
(1) Section 2(1) of the Data Retention and Investigatory Powers Act 2014 (temporary
provision about the retention of relevant communications data subject to safeguards:
definitions) is amended as follows.
(2) In the definition of “relevant communications data”—
(a) For “means communications data” substitute “means—
(a) communications data”;
(b) After “Regulations” insert “, or
(b) relevant internet data not falling within paragraph (a),”
(c) The words from “so far as” to the end of the definition become full-out words
beneath the new paragraphs (a) and (b).
(3) After the definition of “relevant communications data” insert—
““relevant internet data” means communications data which—
(a) relates to an internet access service or an internet communications service,
(b) May be used to identify, or assist in identifying, which internet protocol address,
or other identifier, belongs to the sender or recipient of a communication
(whether or not a person), and
(c) is not data which—
(i) may be used to identify an internet communications service to which a
communication is transmitted through an internet access service for the
purpose of obtaining access to, or running, a computer file or computer
program, and
(ii) is generated or processed by a public telecommunications operator in
the process of Counter-Terrorism and Security Act 2015 (c. 6) Part 3 —
Data retention 15 supplying the internet access service to the sender of
the communication (whether or not a person);”.
(4) In addition—
(a) Before the definition of “communications data” insert—
““communication” has the meaning given by section 81(1) of the
Regulation of Investigatory Powers Act 2000 so far as that meaning applies
in relation to telecommunications services and telecommunication
systems;”;
(b) After the definition of “functions” insert—
““Identifier” means an identifier used to facilitate the transmission of a
communication;”
(c) After the definition of “notice” insert—
““Person” includes an organization and any association or combination of
persons;”
(5) Subsections (1) to (4) are repealed on 31 December 2016.
2. COMMENTARY
The Data retention and investigatory powers ACT 2014 can be described as; The
Necessary Modification that strengthen and clarify, rather than extend, the UK
legislative framework.
In order to balance between the privacy rights & the law enforcement agencies
requirements, It differentiated between two kinds of requests to retain relevant
communications data:
o “A Retention Notice” for the purposes for which communication data may be
obtained.13
o By “Regulations” to make further provisions about the retention of relevant
communications data14.
As mentioned, the context is the targeted data type by these regulations, while the set
of actions to gain access to the content is covered by, but not limited to, chapter 1 of
part one of RIPA15, which can be briefed in;
o In the interests of national security16;
o For the purpose of preventing or detecting crime or of preventing disorder;
o In the interests of the economic well-being of the United Kingdom;
o In the interests of public safety;
o For the purpose of protecting public health;
o For the purpose of assessing or collecting any tax, duty, levy or other
imposition,
o Contribution or charge payable to a government department;
o For the purpose, in an emergency, of preventing death or injury or any
damage to a
o Person’s physical or mental health, or of mitigating any injury or damage to a
o Person’s physical or mental health; or
o For any purpose (not falling within paragraphs (a) to (g)) which is specified
for the Purposes of section 22(2) by an order made by the Secretary of State.
By working in conjunction with other, pre-existing legislation, the ACT &
Regulations ensures the following points are clearly covered:
o A clear and widened set of definitions
o Purposes to which relevant powers may be used
o Which authorities can use the powers
o Authorization of the use of the powers
o Shaping & confirming the extra territorial definition.
13 Purposes set out in section 22(2) of RIPA; (2) It is necessary on grounds falling within this
subsection to obtain communications data if it is necessary— (a) in the interests of national security; (b) for the purpose of preventing or detecting crime or of preventing disorder; (c) in the interests of the economic well-being of the United Kingdom; (d) in the interests of public safety; (e) for the purpose of protecting public health; (f) for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department; (g) for the purpose, in an emergency, of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health; or (h) for any purpose (not falling within paragraphs (a) to (g)) which is specified for the purposes of this subsection by an order made by the Secretary of State. 14 Section 1(3), ACT 2014; The Secretary of State may by regulations make further provision about the
Retention of relevant communications data. 15 http://iocco-uk.info/docs/ripa.pdf 16 RIPA, section 22(2)
In regard to legal framework functionality, section 7 has obligated the Secretary of
state to appoint the “independent reviewer of terrorism legislation”17 to review the
regulations and operations of investigatory powers18.
SECTION (D) RECOMMENDATIONS
Data Retention is not a target for itself; it is a part of a larger legal framework to guarantee the
digital wellbeing of the public and national economy as well. Considering it as a threat for
individual’s privacy shall not exist; if the system is trustfully implemented. Thus, Data Protection
Regulations, Directives & Laws, among other legislative & organizational frameworks, are
evolving around the globe to maintain our way of living, not to lessening any of our rights.
In this regard, Common Law and Civil Law traditional legal systems are determined formulating
a complete system to organize the cyber zone. So far, the US & EU have addressed certain key
strategic subjects, while there are certain regions, like the Middle East, in their first stages in this
regard.
In accordance to the subject of this research, we do recommend the following;
Considering it a balanced & sufficient data retention direction, it is recommended
excerpting the Data Retention Regulation Schedule 2014 in national legislations.
Adopting proper & strict Content Retention Policies that guarantees personal privacy in
line with the national procedural laws.
Monitoring the Data Retention policies on a yearly basis.
Assigning a National Data Regulatory Authority.
17 Subsection 7(8) in this section “the independent reviewer of terrorism legislation” means the person appointed
under section 36(1) of the Terrorism Act 2006 (and “independent reviewer” is to be read accordingly). 18 “The independent reviewer” is a post that already exists under the terrorism ACT 2006 & section 44 of Counter-
Terrorism and Security Act 2015
References
http://searchdatabackup.techtarget.com/definition/data-retention-policy
https://en.wikipedia.org/wiki/Human_Rights_Act_1998
http://www.whatdotheyknow.com/request/26462/response/74338/attach/html/3/009%2010%20T
able.xls.html
http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en
http://www.bbc.co.uk/news/uk-england-11479831
http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d0f130d56f59597a42b44d5ca
e35b70377ca8d80.e34KaxiLc3eQc40LaxqMbN4OchaKe0?text=&docid=169195&pageIndex=0
&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=16562
http://www.statutelaw.gov.uk/content.aspx?LegType=All+Legislation&title=regulation+of+inve
stigatory&searchEnacted=0&extentMatchOnly=0&confersPower=0&blanketAmendment=0&so
rtAlpha=0&TYPE=QS&PageNumber=1&NavFrom=0&parentActiveTextDocId=1757378&Acti
veTextDocId=1757409&filesize=8774
https://en.wikipedia.org/wiki/Defence_Intelligence
https://en.wikipedia.org/wiki/Cabinet_Secretary_for_Justice
https://en.wikipedia.org/wiki/Telephone_tapping
http://www.statutelaw.gov.uk/content.aspx?LegType=All+Legislation&title=Regulation+of+Inv
estigatory+Powers+Act+2000&searchEnacted=0&extentMatchOnly=0&confersPower=0&blank
etAmendment=0&sortAlpha=0&TYPE=QS&PageNumber=1&NavFrom=0&parentActiveTextD
ocId=1757378&activetextdocid=1757416&versionNumber=1
https://en.wikipedia.org/wiki/Ministry_of_Defence_Police
https://en.wikipedia.org/wiki/MI5
https://en.wikipedia.org/wiki/Mass_surveillance_in_the_United_Kingdom
http://searchstorage.techtarget.com/definition/data-retention
http://www.legislation.gov.uk/ukdsi/2009/9780111473894/regulation/3
http://www.legislation.gov.uk/uksi/2009/859/schedule/made
http://www.legislation.gov.uk/uksi/2009/859/regulation/5/made
http://www.legislation.gov.uk/ukpga/2014/27/pdfs/ukpga_20140027_en.pdf
https://en.wikipedia.org/wiki/Office_of_Public_Sector_Information
https://en.wikipedia.org/wiki/Office_of_Public_Sector_Information
https://en.wikipedia.org/wiki/Office_of_Public_Sector_Information
http://www.statutelaw.gov.uk/content.aspx?LegType=All+Legislation&title=regulation+of+inve
stigatory&searchEnacted=0&extentMatchOnly=0&confersPower=0&blanketAmendment=0&so
rtAlpha=0&TYPE=QS&PageNumber=1&NavFrom=0&parentActiveTextDocId=1757378&Acti
veTextDocId=1757385&filesize=11519
http://www.legislation.gov.uk/ukpga/2014/27/pdfs/ukpga_20140027_en.pdf
http://www.legislation.gov.uk/ukia/2014/266/pdfs/ukia_20140266_en.pdf
http://www.theguardian.com/politics/2014/sep/30/theresa-may-tory-government-snoopers-
charter
http://www.theguardian.com/technology/2014/jun/24/british-government-breaking-law-in-
forcing-data-retention-by-companies
https://en.wikipedia.org/wiki/Investigatory_Powers_Tribunal
http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d0f130d5cb2de61340ea4b10
8458a6201a7991e8.e34KaxiLc3eQc40LaxqMbN4Och8Re0?text=&docid=145562&pageIndex=
0&doclang=en&mode=req&dir=&occ=first&part=1&cid=768374
http://www.torbay.gov.uk/index/yourcouncil/accesstoinformation/ripa/covert-cop.pdf
http://www.legislation.gov.uk/ukpga/2015/6/pdfs/ukpga_20150006_en.pdf
http://europeanlawblog.eu/?p=2289
http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32002L0058&from=EN
http://www.breitbart.com/london/2016/02/14/top-uk-court-rules-gchq-hacking-of-private-
telephones-computers-and-other-electronic-devices-legal/
http://www.walesonline.co.uk/news/politics/tory-mp-accused-welsh-government-10904099
http://www.independent.co.uk/news/uk/politics/gchq-hacking-phones-and-computers-is-legal-
says-top-uk-court-
a6871716.html?utm_content=bufferf5df2&utm_medium=social&utm_source=linkedin.com&ut
m_campaign=buffer