Communications data meaning

The Investigatory Powers Act 2016 (IPA 2016) revamped the legal regime regulating covert surveillance by public authorities. IPA 2016 superseded large parts of the framework previously, though not solely, contained in the Regulation of Investigatory Powers Act 2000 (RIPA 2000). See Practice Note: The regulation of intelligence gathering—an introductory guide. This note outlines the offences introduced by IPA 2016. For details of general sentencing limits in a magistrates’ court, see Practice Note: Sentences imposed following conviction—General limits on magistrates’ courts powers to impose custodial sentences following conviction... Section Offence Statutory defence Maximum sentence IPA 2016, s 3 — Unlawful interception: a person, by conduct in the UK, deliberately intercepts a communication during its transmission without lawful authority. Defence: where the individual has the right to control the operation or use of the system, or had that person’s express or implied consent to carry out the interception. Maximum sentence: on summary conviction, a fine; on indictment, up to two years’ imprisonment and/or a...

The Investigatory Powers Act 2016 (IPA 2016) reshapes the statutory regime governing covert surveillance conducted by public authorities, a regime largely, but not entirely, previously contained in the Regulation of Investigatory Powers Act 2000 (RIPA 2000). This Checklist carefully sets out those public authorities that hold the power to apply for authorisation to obtain communications data under IPA 2016, Pt 3, preserving the established focus and scope throughout. Authorisations to secure communications data may only be granted where defined conditions are satisfied, by the Investigatory Powers Commissioner under IPA 2016, s 60A, by designated senior officers under IPA 2016, s 61, or by designated senior officers in urgent circumstances under IPA 2016, s 61A. In operational practice, the Office for Communications Data Authorisations carries out this function on the Commissioner’s behalf. The table below specifies which public authorities may apply to access communications data, the kinds of communications data they are permitted to request, together with the purposes for which such data may be obtained, whether...

This Checklist sets out the obligations for local authorities seeking approval to deploy surveillance powers under the Regulation of Investigatory Powers Act 2000 (RIPA 2000) and the Investigatory Powers Act 2016 (IPA 2016). It should be read alongside Practice Notes: Regulation of investigatory powers under RIPA 2000 and The regulation of intelligence gathering—an introductory guide. RIPA 2000 requirements Under RIPA 2000, the requirements include: advance authorisation for directed surveillance a prohibition on the authority conducting intrusive surveillance authorising the conduct and use of a covert human intelligence source (CHIS) safeguards governing the conduct and use of a CHIS authorisation to acquire communications data obtaining judicial approval for those authorisations Authorisation and judicial approval for the acquisition of communications data are now governed by IPA 2016. See Practice Notes: Surveillance powers of local authorities, The regulation of intelligence gathering—an introductory guide and Acquisition, retention and disclosure of communications data under the Investigatory Powers Act 2016...

This flowchart shows how to handle a data protection incident (including a cyber security incident) in line with the UK General Data Protection Regulation (UK GDPR). It mirrors the UK GDPR’s rules on reporting and recording personal data breaches, alongside the Information Commissioner’s Office (ICO) guidance on breach management. It charts the end-to-end breach lifecycle, offering direction and links to the relevant precedents for each step of the process. See Precedents: Personal data breach plan, Data breach report form—internal and Data breach assessment and action plan, which steer you through every stage of this workflow. Note 1—assemble data breach team The initial action is to bring together your data breach team. Decide who in the organisation is best positioned to respond promptly to the incident and who should support the ensuing enquiry. This typically calls for contributions from specialists across the business, including IT, HR and compliance/legal, and may, in some instances, involve engagement with external stakeholders and suppliers. The Precedent: Personal data breach plan urges you to...

What are the most significant changes introduced by the Act that pension scheme trustees need to prepare for? The most notable reforms in the Act that trustees should be ready for are: Data subject complaints: complaints about the handling of personal data must be acknowledged within 30 days and answered without undue delay. ICO enforcement powers: the Information Commissioner’s Office (ICO) now has authority to compel interviews and require the production of documents to assess compliance. Data subject access requests (DSARs): the Act codifies the ICO’s existing guidance, meaning (i) trustees must apply a ‘reasonable and proportionate’ search standard when responding; and (ii) the ‘stop the clock’ rule pauses the one-month deadline for a response. Automated decision making (ADM): the Act allows reliance on the full set of lawful bases — including ‘legitimate interests’ — when non-special category personal data is used for significant automated decisions about an individual, provided suitable safeguards are in place. ...

For further insight on forthcoming key developments, see Practice Note: Commercial—horizon scanner. For details of earlier developments relevant to commercial law and practice, consult the following Practice Notes: Commercial tracker Commercial tracker 2025 [Archived] Additional updates and commentary are available via our current awareness alerts and highlights. Click ‘Create Alert’ in your ‘Alerts’ tab and refine your personal settings to subscribe. Advertising, marketing and sponsorship Note—several shifts within the consumer protection landscape have influenced the regulation of advertising and marketing in 2025. These are discussed in the section: ‘Consumer protection’ below. What were the key developments in 2025? Advertising less healthy food and drinks In 2025, the much-anticipated framework governing promotion of less healthy food and drink moved from policy design to practical readiness for enforcement. The Health and Care Act 2022 (HCA 2022) received Royal Assent on 28 April 2022, introducing a 9 pm TV watershed for identifiable less healthy products and a restriction on paid‑for advertising...

MyFutureFund The State’s new automatic retirement savings scheme, ‘MyFutureFund’, has attracted significant media attention over the past week. While AE is due to commence within the next few weeks, the principal catalyst is that the Department of Social Protection (the Department) has recently sent letters to various organisations cautioning about the risk of employers ‘hindering’ staff from joining MyFutureFund. Specifically, the Department stated that compulsory enrolment into a company pension scheme, where this is not an explicit contractual term and only modest employer contributions (for example, 1%) are payable, would be treated by the Department as an offence of hindering. These communications have sparked engagement with the Department by employer representative groups and stakeholders across the Irish pensions sector, including the Irish Association of Pension Funds (the IAPF). From that engagement it is evident that employers whose strategy is built on all employees being in exempt employment, and therefore outside the auto-enrolment regime, will need to revisit—swiftly—the practicality and lawfulness of that approach over the coming weeks...

STOP PRESS: On 19 June 2025, the Data (Use and Access) Bill secured Royal Assent, transforming into the Data (Use and Access) Act 2025 (DUAA 2025) and taking partial effect on that same date. Provisions of DUAA 2025 dealing with issues such as handling data subject access requests, and granting the power to make further regulations, commenced immediately on 19 June 2025. Other elements, relating to notices issued by the Information Commissioner and certain facets of law enforcement processing, began to apply on 19 August 2025 (being two months from the date of Royal Assent). The bulk of DUAA 2025’s measures will only commence once additional regulations, by way of statutory instruments, are made and brought into force. Parts 5 and 6 of DUAA 2025 operate to revise and update areas of UK data protection and ePrivacy law within the UK, including the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations...

This Practice Note This Practice Note offers a high-level overview of the data protection framework relevant to direct marketing, particularly how such activities may give rise to compliance obligations under the Assimilated Regulation (EU) 2016/679, the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR 2003), SI 2003/2426. It is aimed at commercial organisations in the UK, with further, scenario-specific guidance signposted. The main difficulty in direct marketing is determining what the UK GDPR and PECR 2003 permit and whether consent is needed, which will differ according to the activity undertaken and the audience targeted. This Practice Note reflects the following ICO guidance: Direct marketing guidance Direct marketing using live calls Making live marketing calls about claims management services Making live marketing calls about pension schemes Direct marketing using electronic mail Guide to PECR, cookies and similar technologies Guide to PECR, what counts...

Corporate deals call for a sizeable group of lawyers across multiple disciplines, alongside other expert professional advisers, all required to collaborate closely, frequently against very tight deadlines and schedules. Where property assets feature in the deal, property solicitors and related specialists become a vital and integral element of the overall exercise. This Practice Note explains how a property solicitor can handle correspondence and documentation efficiently within corporate transactions. Before commencing transaction—initial considerations Before the property solicitor begins work on the matter they should confirm at the outset: which party they are representing...

This Agreement is executed on [ date ] Parties 1 [ Name of company ] , a company constituted in [ Scotland ] bearing registered number [ number ] with its registered office at [ address ] (the Company ); and 2 [ Name of employee ] , of [ address ] ( you )...

1 General information Review period [ Insert review period ]; Review date [ Insert date ]; Reviewer(s) [ Insert name(s) ] 2 Data Criteria For the last [ insert period, eg quarter ] and last 12 months, capture totals for: SARs received; ML/TF/PF‑related SARs; SARs to the National Crime Agency (NCA); DSARs needing consent/defence (granted, refused, pending); SARs not sent to the NCA; superSARs; CDD company discrepancy reports; and PEPs added to the central list 3 Review and findings Confirm a refreshed organisation‑wide ML/TF/PF risk assessment in the last year; AML/CTF/counter‑proliferation policies, controls and procedures reviewed, updated and communicated (incl. branches/subsidiaries); SAR and SuperSAR registers current; dates of staff training and record reviews [ Insert date ]. Note any SARs/superSARs needing further review; status of the high‑risk client/matter list (incl. PEPs) and quarterly reviews; CDD discrepancy register; table of high‑risk third countries; patterns/trends, compliance failures (ensure Compliance breaches policy followed), training needs; emerging risks (internal/external); planned new technology and related risks; required remedial actions; and...

1 Definitions and interpretation 1.1 [ Include the following additional definitions in the definitions clause of the Asset purchase agreement (if required) ] Accounts Date • [ specify day and month ] 20[ specify year ]; Business • the undertaking of [ provide a description of the business being acquired ] carried on by the Seller, together with all other activities, including those ancillary, incidental to, or connected with that undertaking, as conducted by the Seller; Buyer • [ provide details ]; Completion • the finalisation of the sale and purchase of the Business through the Parties performing their respective obligations in accordance with clause [ x ]; Completion Date • [ the day on which Completion occurs OR a date no later than the [ third ] Business Day after the date on which the last of the Conditions is satisfied or waived, or the date to which Completion is deferred ] pursuant to clause [ x ]; Data Protection...