Guidance

Additional guidance to the communications data codes of practice: definition of communications data (accessible)

Published 12 June 2018

Quick reference v.2.0, 24 November 2021

1. Definition of communications data

This document represents current interpretation of the Investigatory Powers Act 2016 (IPA) with regards to telecommunications operators (TOs) and communications data (CD) agreed between the Home Office, Investigatory Powers Commissioner’s Office and Office for Communications Data Authorisations. This document supplements the interpretation set out in the Communications Data Code of Practice, which is due to be updated in 2022. Any discrepancies between this document and the Code of Practice which have an operational impact should be raised with the Home Office Knowledge and Engagement Team and / or Investigatory Powers Unit in the first instance.

(It does not seek to set out a position re postal operators (POs) and CD relating to postal services. Note that some TOs can also be POs).

2. Communications data – summary

The primary consideration as to whether data can be acquired under part 3 of the Investigatory Powers Act is whether it fulfils the definition of communications data. While relevant to the overall question of scope, the identity of the requested company is not determinative. In most cases, a company which generates data which falls within the definition of communications data in the course of its business will fulfil the definition of telecommunications operator by virtue of that fact.

A company (or other entity) which is a telecommunications operator may hold data which is communications data and data which is not. An authorisation under Part 3 is only needed in relation to the acquisition of communications data.

3. Account subscriber or registration data

The IPA covers CD relating to the ‘provision of the (telecommunications) service’ and the ‘use of a telecommunications service or a telecommunication system’. Therefore, the applicant / SPoC needs to explain how the account subscriber data being sought relates to the provision or use of that part of the business that is operating as a TO. One way of thinking about whether data relates to the provision of the telecommunications service is to consider whether the TO would still be able to provide the customer with the telecommunications service or system without this data. If not, or if the telecommunication service would not function in the same way, then the account subscriber data probably does relate to the provision of the service and therefore is CD. Whether the account data relates to the use of the service will be a question of fact. If it does, then it will probably be CD. As a rough guide, where the TO is:

  • exclusively a TO, it is likely that all the registration data will be covered under IPA
  • partially a TO, it is likely that only some of the registration data will be covered under IPA

For example, for an online marketplace which is only in part a TO, the name and email address will be CD. Payment details (bank, card number, account holder, account holder address) will not normally be CD unless payment details are required in order to access the service in the first place.

  • address as part of account registration / subscriber data

    • landline or broadband service where there is an installation of equipment that is part of the system or service at a property – address is CD
    • app, website, etc. (it is irrelevant where the service or system is) – address is not CD
    • billing address where payment is made for the service or system (not for products or goods purchased through the service – see further below) – address is CD
    • delivery address for future delivery of goods that are not related to provision of the telecommunications service itself – not CD
  • a phone number provided at account registration can be CD if it is used to provide or enhance the telecommunications service provided (e.g. redacted)
  • additional profile details, payment details relating to purchase of goods etc (see below) will not be CD
  • a profile photograph or picture will not usually be CD because it does not normally relate to the provision or use of the telecommunications service)

Ask yourself: If the TO didn’t possess that specific data, would the TO still be able to provide the telecommunications service or system part of the business?

If ‘yes’ then it probably is not CD, unless the data also relates to the use of the telecommunications service or system and is not content.

4. Location data

A phone’s cell site data is CD.

Location tracking data from a vehicle tracking device that is derived only from cell site reference data via a SIM card is CD.

The data which indicates the actual location derived from the ‘location service’ within a device is not CD (regardless of the source of that data – it may have been generated by the device’s location service from a mixture of GPS, AGPS, Wi-Fi, IP address) [footnote 1]. This includes locations automatically generated from information input by a user. (We consider that this information is the meaning of the communication and is content and cannot therefore be communication data).

4.1 Examples

Starting and end points of travels booked using this mobile number - not CD.

Map of route taken - not CD.

Calculated tracking data where a GPS transponder signals have been combined with the less accurate cell site data to give a precise location – not CD.

5. Payment data and banking services

Payment data is a subset of account data. An IPA authority is only needed for payment data (bank, card number, account holder, account holder address) relating to the provision of a telecommunications service or the use of the telecommunications service or system. A payment relating to a non-telecommunications service (e.g. a betting service) or a real-world service (for example a taxi) will not be CD. If the payment is for multiple services, so it covers the telecommunications service, but also some additional benefits (which might be real-world), then the payment data will be CD. Although payment data for non-telecommunications services and real world services is not CD, the transaction or communication between the service provider and the customer can still generate CD by way of events data – time, IP address, MAC address etc, for which a CD authorisation is required.

Online banking – CD can be generated when transactions are undertaken, but the content of the banking transaction is not CD (to whom money paid, amount etc.).

Ask yourself: Has this payment been made at least in part for the telecommunications service provided by the TO?

6. Marketplaces and other online services: additional examples

The following are not CD (but the transaction, the communication with the website or app may generate events data which can be authorised as CD):

  • details of payments and transactions (e.g. the monetary amount of, method of payment etc.) for the purchase of goods through the marketplace; for placing a bet – not CD
  • payment that is required to be able to download particular videos/music/games either to keep permanently, or for a limited period after which they expire – not CD because the payment is in exchange for taking possession of the file, rather than for a communications service

The following are CD (and in addition the transactions will generate events data):

  • details of payment for an online gaming service and payment for an extra premium online gaming session – is CD because the payment is made to establish a communications service (the gaming session itself or the enhancements to it)
  • details of payment for a streaming video / music service, including free downloads to devices to enjoy another time; and details of payment to be able to stream a particular video / music in a limited time – is CD because the payment is made in exchange for providing a communications service (the stream, the right to download at any time, etc)

In the context of payment data relating to products that are purely online, it is helpful to consider whether the payment is being made in relation to a “good” (i.e. a specific data file) or a “service” (e.g. the right to stream audio / video, a gaming session, a service which algorithmically connects two profiles with each other).

7. Telecommunications operators – summary

The definition of TOs is intentionally broad and the codes of practice will, in due course, no longer make a distinction between a “traditional” or “non-traditional TO”. TOs may provide applications, websites, some interface with the internet that facilitates electronic signals being sent between persons or things. The TO operation may be a small or a large part of their overall operations.

TOs include any website owner. The provision of the website is a telecommunications service by itself – it need not include any chat function. A website is also hosted on part of a telecommunications system – i.e. a server. For the avoidance of doubt specific examples are included in the list below. This list is not exhaustive.

  • providers of public telephony services (e.g. redacted)
  • internet service providers (e.g.redacted)
  • the provider of any app that interfaces with the Internet (for the same reason)
  • webmail providers (e.g. redacted)
  • online marketplaces (e.g. redacted)
  • streaming platforms (e.g. redacted)
  • social media platforms (e.g. redacted)
  • online dating sites (e.g. redacted)
  • online gaming companies and platforms (e.g. redacted)
  • online betting and casinos (e.g. redacted)
  • taxi companies (e.g. redacted)
  • providers of telecommunications services to SIMs embedded in vehicles (e.g. redacted)
  • food delivery services (e.g. redacted)
  • video conferencing and VoIP providers (voice-over internet protocol) – (e.g. redacted)
  • cloud providers (redacted)
  • instant messaging apps (redacted)
  • banks (redacted)
  • online payment processors (redacted)
  • top up services (e.g. redacted)
  • government departments and public sector organisations (e.g. redacted), subject to Crown immunity. (Note: a TO does not need a CD authorisation to exploit / query its own CD, but one public authority may require a CD authorisation if it is asking another public authority for CD that the second public authority is holding as a result of its operation as a TO).
  1. This does not imply that IP addresses and Wi-Fi factors themselves such as SSID/BSSID are not CD (they usually will be)