Traffic data means any data which is processed:
- to convey a communication on an electronic communications network; or
- for the billing in respect of that communication (‘billing data’ under the Telecommunications (Data Protection and Privacy) Regulations 1999).
It includes data relating to the routing, duration or time of a communication.
Retention
Data processed to establish communications could potentially contain personal information that should only be stored for limited purposes and retention periods in line with the second and fifth principles of the Data Protection Act 1998. The Regulations provide for the protection of individual and corporate subscribers with regard to the processing of traffic data. If such data is no longer needed to transmit a communication, when the communication is terminated, that data must be erased or dealt with in such a way that
- it is no longer personal data, in the case of an individual subscriber; or
- in the case of a corporate subscriber, it is modified so that it is no longer data that would be personal data in the case of an individual.
Data required by the communications network or service provider to calculate the subscriber’s bill or for interconnection charges can only be retained until the end of the period during which the bill may lawfully be challenged or payment pursued. In terms of contract law, this would normally mean a limitation period of six years plus appeals applied. However, in the Commissioner’s view, this provision merely permits such data to be kept only when circumstances require it, for example, if the bill is challenged during a period when a communications network or service provider would normally retain the data for their own billing purposes. It does not permit the wholesale retention of such traffic data in every case. As mentioned above, the fifth data protection principle states that personal data must not be kept for longer than is necessary for the purpose for which it is processed.
Purposes for processing
Traffic data may be processed only for the restricted purposes outlined in the Regulations.
-
To provide value-added services to the subscriber or user
A value-added service means any service that requires the processing of traffic data or ‘location data’ beyond what is necessary to transmit a communication or the billing of that communication – for example, a service that locates the driver of a broken-down vehicle. There is no restriction on the type of service that can be provided, but such processing may only take place with the prior consent of the subscriber or user.
-
To market the service provider’s own electronic communications services
Under the Regulations, the service provider must get the consent of the subscriber or user before they can market their own electronic communications services. Such marketing does not necessarily have to be carried out over the phone and might include, for example, an analysis of a subscriber’s usage patterns to provide that subscriber with the best tariff available.
Only the communications provider or a person acting under their authority can carry out this processing. The communications provider has ultimate responsibility for complying with the Regulations about processing traffic data, so they should observe the requirements of the seventh data protection principle. The provisions about contracts are particularly relevant – see the seventh data protection principle. Although the Act applies only to processing personal data, there is nothing to stop service providers imposing such contracts for processing traffic data relating to corporate subscribers.
Consent to process for the above purposes
If traffic data is processed for the above purposes, the prior consent of the subscriber or user of the line or account must be obtained. In the case of a corporate subscriber, it is reasonable for the communications provider to accept at face value the assurances of a person giving consent on behalf of the company, unless the communications provider has reasonable grounds to believe otherwise.
The Regulations do not prescribe how service providers should obtain this consent. However, to obtain valid informed consent, the subscriber or user should be given enough clear information for them to have a broad appreciation of how the data is going to be used and the consequences of consenting to such use (see the first principle in the guide to data protection). In light of this, the service provider will not be able to rely on a blanket 'catch all' statement on a bill or a website but must get specific informed consent:
- for each value-added service requested; and
- to market their own electronic communications services.
If, for example, a communications provider offers a value-added service using a third party, then in the interests of transparency the person who will be regarded as responsible for providing that service should get the consent to process for this purpose. Whether this will be the service provider, the third party or both will depend on the circumstances. If the communications provider offers a value-added service jointly with a third party, the user should be made aware of both parties. The point is that the way a service is provided should be consistent with the expectations of the subscriber or user. If the user gives consent to one party to provide a particular service, they should not then be surprised when they are contacted by another party about that service.
The Regulations also specifically require that the subscriber or user is provided with information about the types of traffic data to be processed, and the duration of such processing.
The subscriber or user may withdraw any such consent given to process related traffic data at any time.
General provisions on the processing of traffic data
As well as the above two purposes, the Regulations allow the processing of traffic data by a public communications provider in the course of its business for the following purposes:
- To manage billing or traffic.
- To handle customer enquiries.
- To prevent and detect fraud.
The processing of traffic data must be restricted to what is necessary for these activities and by people acting under proper authority.
Disputes
The Regulations do not prevent providing traffic data to a person who has been given statutory authority to resolve disputes, for example, Ofcom.