
New Data Retention Requirements in the EU

Are those of you with offices in the EU aware that there is now a new data retention directive to follow? It comes on top of all the other data retention requirements that already exist. The huge challenge I've found many organizations struggling with is how to deal with conflicting retention requirements.

I urge you to read this regulation if you have any customers or offices within any of the EU countries.  You'll need to read the entire document to get the full effect, but the following excerpt is of particular interest:

Article 5
Categories of data to be retained
1. Member States shall ensure that the following categories of data are retained under this Directive:
  (a) data necessary to trace and identify the source of a communication:
    (1) concerning fixed network telephony and mobile telephony:
      (i) the calling telephone number;
      (ii) the name and address of the subscriber or registered user;
    (2) concerning Internet access, Internet e-mail and Internet telephony:
      (i) the user ID(s) allocated;
      (ii) the user ID and telephone number allocated to any communication entering the public telephone network;
      (iii) the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication;
  (b) data necessary to identify the destination of a communication:
    (1) concerning fixed network telephony and mobile telephony:
      (i) the number(s) dialled (the telephone number(s) called), and, in cases involving supplementary services such as call forwarding or call transfer, the number or numbers to which the call is routed;
      (ii) the name(s) and address(es) of the subscriber(s) or registered user(s);
    (2) concerning Internet e-mail and Internet telephony:
      (i) the user ID or telephone number of the intended recipient(s) of an Internet telephony call;
      (ii) the name(s) and address(es) of the subscriber(s) or registered user(s) and user ID of the intended recipient of the communication;
  (c) data necessary to identify the date, time and duration of a communication:
    (1) concerning fixed network telephony and mobile telephony, the date and time of the start and end of the communication;
    (2) concerning Internet access, Internet e-mail and Internet telephony:
      (i) the date and time of the log-in and log-off of the Internet access service, based on a certain time zone, together with the IP address, whether dynamic or static, allocated by the Internet access service provider to a communication, and the user ID of the subscriber or registered user;
      (ii) the date and time of the log-in and log-off of the Internet e-mail service or Internet telephony service, based on a certain time zone;
  (d) data necessary to identify the type of communication:
    (1) concerning fixed network telephony and mobile telephony: the telephone service used;
    (2) concerning Internet e-mail and Internet telephony: the Internet service used;
  (e) data necessary to identify users' communication equipment or what purports to be their equipment:
    (1) concerning fixed network telephony, the calling and called telephone numbers;
    (2) concerning mobile telephony:
      (i) the calling and called telephone numbers;
      (ii) the International Mobile Subscriber Identity (IMSI) of the calling party;
      (iii) the International Mobile Equipment Identity (IMEI) of the calling party;
      (iv) the IMSI of the called party;
      (v) the IMEI of the called party;
      (vi) in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the location label (Cell ID) from which the service was activated;
    (3) concerning Internet access, Internet e-mail and Internet telephony:
      (i) the calling telephone number for dial-up access;
      (ii) the digital subscriber line (DSL) or other end point of the originator of the communication;
  (f) data necessary to identify the location of mobile communication equipment:
    (1) the location label (Cell ID) at the start of the communication;
    (2) data identifying the geographic location of cells by reference to their location labels (Cell ID) during the period for which communications data are retained.

2. No data revealing the content of the communication may be retained pursuant to this Directive.

Article 6
Periods of retention
Member States shall ensure that the categories of data specified in Article 5 are retained for periods of not less than six months and not more than two years from the date of the communication.

The directive then goes on to cover data protection, data security, and other requirements.

Folks, what are you doing to get your arms around data retention issues? I see this as a sleeping giant that will emerge sometime soon to surprise and bonk on the head a great many compliance, info sec and privacy officers. A few forward-looking organizations have established well-defined and effective data retention teams. If you have one, be sure to let them know about this new regulation, just in case they have not kept up with the international laws. If you don't have a dedicated data retention function, then start planning for how you will address the multitude of data retention requirements!
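To make the "conflicting retention requirements" problem concrete, here is a small Python retention-window reconciler. It is an added example for this post, not code from the author or from any regulator. It models each requirement as a floor (keep at least this long) and an optional ceiling (delete by then) over a set of data categories, merges every requirement that covers a category, and flags the case where the merged floor exceeds the merged ceiling, which is exactly the conflict a retention team has to escalate. Article 5(2)'s bar on retaining content is modelled as an outright rejection of content records. The category labels, the rendering of six months and two years as 180 and 730 days, the two extra requirements and all sample records are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Requirement:
    """One retention rule: a floor (keep at least min_days) and an optional
    ceiling (delete no later than max_days) for the categories it covers."""
    name: str
    categories: frozenset
    min_days: int
    max_days: Optional[int]


# Labels for the Article 5(1) categories (a)-(f); the labels are this example's own.
DIRECTIVE_CATEGORIES = frozenset(
    {"source", "destination", "datetime", "type", "equipment", "location"}
)

# Article 6: not less than six months, not more than two years. Expressing those
# periods as 180 and 730 days is an assumption made for this example.
EU_DIRECTIVE = Requirement("EU data retention directive, Art. 6",
                           DIRECTIVE_CATEGORIES, 180, 730)

# Two further requirements, constructed purely to show how overlap is resolved.
EXAMPLE_REQUIREMENTS: List[Requirement] = [
    EU_DIRECTIVE,
    Requirement("constructed billing rule (keep one year)",
                frozenset({"destination", "datetime"}), 365, None),
    Requirement("constructed internal privacy policy (delete after 90 days)",
                frozenset({"type", "equipment"}), 0, 90),
]


def reconcile(reqs: List[Requirement], category: str) -> Tuple[int, Optional[int], bool]:
    """Merge every requirement covering `category` into one window.
    The floor is the largest minimum and the ceiling the smallest maximum;
    if the floor exceeds the ceiling the requirements genuinely conflict."""
    floor, ceiling = 0, None
    for r in reqs:
        if category not in r.categories:
            continue
        floor = max(floor, r.min_days)
        if r.max_days is not None:
            ceiling = r.max_days if ceiling is None else min(ceiling, r.max_days)
    conflict = ceiling is not None and floor > ceiling
    return floor, ceiling, conflict


def disposition(record: Dict, reqs: List[Requirement], today: date) -> str:
    """Classify one stored record as 'reject', 'conflict', 'purge' or 'retain'."""
    # Article 5(2): content of the communication is never retained under the
    # directive, so a content record is rejected from this store regardless of age.
    if record["category"] == "content":
        return "reject"
    floor, ceiling, conflict = reconcile(reqs, record["category"])
    if conflict:
        return "conflict"   # escalate: the requirement set itself is inconsistent
    age_days = (today - record["communication_date"]).days
    if ceiling is not None and age_days > ceiling:
        return "purge"
    return "retain"


def deletion_permitted(record: Dict, reqs: List[Requirement], today: date) -> bool:
    """Whether an ad-hoc deletion request can be honoured now: only once the
    record is at least as old as the merged floor, and only if no conflict."""
    floor, _, conflict = reconcile(reqs, record["category"])
    return not conflict and (today - record["communication_date"]).days >= floor


# Constructed sample records; the content record exists only to show rejection.
SAMPLE_RECORDS = [
    {"id": "r1", "category": "source", "communication_date": date(2006, 10, 1)},
    {"id": "r2", "category": "location", "communication_date": date(2004, 6, 1)},
    {"id": "r3", "category": "content", "communication_date": date(2006, 12, 1)},
    {"id": "r4", "category": "type", "communication_date": date(2006, 12, 15)},
]


def run_example(today: date = date(2007, 1, 1)) -> Dict[str, str]:
    """Apply the example requirement set to the sample records."""
    return {rec["id"]: disposition(rec, EXAMPLE_REQUIREMENTS, today)
            for rec in SAMPLE_RECORDS}


if __name__ == "__main__":
    for rec_id, verdict in run_example().items():
        print(rec_id, verdict)
```

The useful output is the "conflict" verdict for the "type" record: the constructed 90-day deletion policy and the directive's six-month floor cannot both be satisfied, and no amount of scheduling fixes that; it has to go back to whoever owns the policies. The `deletion_permitted` check shows the other side of the same window: a record younger than the merged floor cannot be deleted on request even if a business owner asks for it.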


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.