Ian, The report to which you refer may be confusing the RIPA with a report issued by the deputy Director General of NCIS in which the dDG asked Government to introduce legislation requiring 'communications service providers' to retain data for up to 7 years - something which is totally unacceptable. The Home Office have just rejected the NCIS proposals. Access to 'communications data' will be regulated by PartII of RIPA when it comes into force this April. All law enforcement agencies (and other bodies authorise under RIPA) will have to submit a 'notice' requiring CSPs to supply comms data - the notice can also require CSP to retain data for one month (extendable for one month again). If a CSP doesn't hold data it can't supply it! I used to be with BT Internet for my sins - BT internet keep comms data for 3years! Why -they couldn't answer this and so I decided to take my custom elsewhere. The DPA obviously plays a role in how long a data controller retains data but I would respectfully suggest that other EU and UK privacy legislation plays a greater role in the context of comms data and especially a proposed privacy directive currently being debated by the EU parliament see: the processing of personal data and the protection of privacy in the electronic communications sector http://europa.eu.int/ISPO/infosoc/telecompolicy/review99/com2000-385en.pdf and Article 29 Working party papers on the same + a report on privacy on the Internet see http://europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/index.htm I hope this has been of some help Pat -----Original Message----- From: Ian Welton [mailto:[log in to unmask]] Sent: 25 January 2001 20:58 To: [log in to unmask] Subject: ISP's retention of Internet e-mail A recent article in Network News 24 January 2001 "ISP'S stage debate over government's frustrating RIP Act" indicates the difficulties and frustrations ISP's are experiencing with complying with that legislation and the retention of e-mails for 7 years. There seems to be a significant data protection implication in this retention. ISP's have for years argued successfully that they do not control the internet users data on their sites. The control of that data, including e-mails rested with the users, not the ISP's. Internet users within the EU have to apply the European data protection directive. That directive requires data controllers (Internet Users in this context) to retain their data for no longer than necessary. The retention of personal e-mails sent by myself, via my ISP, is something I have taken the trouble to find out about in order to ensure compliance with that principle. Workwise I had need to do the same because of subject access and addressing ISP retention periods by encouraging an adjustment of suppliers is an ongoing task. If data is to be retained by ISP's for 7 years, irrespective of the data controllers wishes or requirements, what is the effect of that on control of the data? Does the ISP become the controller, if so why and how? If not how can retention be justified for 7 years? IanW