Hi,
On 04.04.2011 07:54, Marcia Hofmann wrote:
To make the FAQ as current and useful as possible, we want to make sure that we know about any legal issues that relay operators in the United States may have experienced over the past few years.
I understand the focus on USA, but wouldn't this be a good opportunity to add legal information about other countries as well?
For example, I was unsure about the legal situation in the UK and data retention, so I was blunt enough to write to the ICO Information Commissioner's Office.
-------- snip -------- Subject: Response from the Information Commissioner's Office Date: Fri, 11 Feb 2011 11:15:36 +0000 From: casework@ico.gsi.gov.uk
Dear Mr Bartl,
Thank you for your emailed enquiry to the Information Commissioners Office (ICO), dated 26 January 2011, regarding Tor exit software.
As I understand it, your enquiry asks for our advice on the legal requirements relating to the retention of personal data in the UK.
The principle requirement regarding the retention of personal data is contained within the Data Protection Act 1998 (DPA98). The DPA98 is specifically concerned with the processing of personal data by organisations (data controllers). Processing includes obtaining, holding, recording, disclosing or using personal data in any way. Personal data is data which relates to and identifies a living individual.
The Fifth Principle of the DPA98 states personal data must not be retained for longer than necessary for the purpose or purposes for processing. Therefore, the DPA98 does not place a mandatory retention period on personal data, or particular categories of personal data, but requires that any data controller retaining personal data must have a justifiable reason for doing so.
For further information, please use the following link:
Principle 5 - Data Protection Guide http://www.ico.gov.uk/for_organisations/data_protection/the_guide/information_standards/principle_5.aspx
As your correspondence identifies, there are other statutory requirements which stipulate minimum retention periods for particular categories of personal data (such as the EU Data Retention Directive). However, the ICO can only consider issues relating specifically to legislation which we oversee (the DPA98, Freedom of Information Act 2000, Privacy and Electronic Communications (EC Directive) Regulations 2003 and Environmental Information Regulations 2004). For further information about the impact of the Data Retention Directive in the UK, you may wish to contact the Department for Business, Innovation and Skills at http://www.bis.gov.uk/
Yours sincerely,
Case Officer First Contact Group *Information Commissioners Office* Tel: 0303 123 1113. Ext 5686. -------- snip --------