Voluntary Code of Practice on Retention of Communications Data

The Retention of Communications Data (Code of Practice) Order 2003

The Voluntary Code of Practice on Retention of Communications Data is, unambiguously, a voluntary code of practice drawn up between communications companies and the Home Office concerning the retention of communications data. It is derived from Part 11 of the Anti-terrorism, Crime and Security Act 2001; this requires the Secretary of State to lay out a voluntary code of practice for communications companies to sign up for. If it proves ineffective then the Secetary of State has the power in the form of a statutory instrument to make the code compulsory; this has not yet been done, but does raise concerns about how "voluntary" it really is. Its voluntary status is however important; if it became compulsory, then it would be subject to European Union law concerning the right to privacy; by remaining an opt-in code of practice, it is able to circumvent these checks.


The Anti-terrorism, Crime and Security Act 2001 was drawn up in November 2001, partly in response to the heightened awareness of terrorism following the September 11th attacks in America. Part 11 of the bill had the Secretary of State drawn up the Voluntary Code of Practice, with provisions in place to make it mandatory if it was seen to be ineffective as a result of non-adherence. The entire Act has been highly criticised, and since been superseded by the Prevention of Terrorism Act 2005.

In 2006 the European Union issued the controversial Data Retention Directive (formally Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC) stipulating the retention of telecommunications data of the citizens of EU countries for between 6 and 24 months. The Directive has clear parallels with the Code of Practice in the UK, and has been criticised as ineffective and even unconstitutional, violating rights to privacy and data protection, both enshrined under EU law[1]. National implementations of the Directive have been declared unconstitutional and been subsequently struck down in Bulgaria, Romania, Cyprus, Germany and the Czech Republic, amongst others[2]. The Directive forbids the storing of any data directly related to the content of the communication[3].

Retention Details

The categories of data retained, and their respective retainment periods are as follows:

  • Web activity logs - 4 days
  • SMS, EMS, MMS data - 6 months
  • Email data - 6 months
  • ISP data - 6 months
  • Subscriber information - 12 months
  • Telephony data - 12 months
  • Banking data - 7 years
  • Postal data - unknown

More detail on all categories can be found on the Wikipedia page.

The content of communications data is not retained: for example, with emails whilst there will be the data concerning log-ons, who emails are sent from and to, times and dates for all messages sent and received and authentication user names, the emails themselves will not be retained. Retained data can be accessed by those organisations detailed in the Regulation of Investigatory Powers Act 2000 (RIPA). These include HM Customs & Excise, the Police, Security Services, Secret Intelligent Services and Government Communications Headquarters (GCHQ). Additionally the NHS, Local Authorities and the Food Standards Agency have been granted authority by the Home Secetary, who is granted powers in RIPA to alter the list of bodies with access to retained data. To access valid reason is required

Details on telecommunications data retained under Directive 2006/24/EC can be found here.


Concerns have been drawn up in response to the Code of Practice. GreenNet Limited mentions some of these in its response to the government consultation. These include a detrimental impact of the public's "trust and confidence in the UK internet environment"[4], inconsistencies with the Data Protection Act and lack of awareness. There was also criticism of the consultation itself in that it was weighted towards the needs of the government, public authorities and CSPs (Communication Service Providers), rather than those of the individual and user. Given that the consultation led to the uptake of the Code of Practice, the implications of this criticisms are that of a flawed Act created without the individual properly in mind.

Mishandling of Data

Critics have highlighted the fact that the government has a track record of mishandling, misusing[5] and even losing[6] sensitive and confidential data. Such a history of incompetence does not engender optimism in the government's handling on such large quantities of often deeply personal data[7].

Lack of Due Suspicion

Another criticism is that even if the data harvested in blanket retention schemes could be guaranteed secure, to systematically collect such a quantity of personal information - "contacts with physicians, lawyers, workers councils, psychologists, helplines"[8] - is still a massive and unjustifiable invasion of privacy when taking place without due suspicion, and one that can have real negative consequences. This includes the compromising of the freedom of the press (through indirectly exposing their sources), and more generally, damaging "the preconditions of our open and democratic society"[9]. These specific quotes, whilst taken from criticism levelled at EU Directive 2006/24/EC, very much apply to the Code of Practice, as both pursue parallel aims.