UK Statutory Instrument 2003 United Kingdom

Privacy and Electronic Communications Regulations 2003

What this means for your business

20 obligations · 10 penalties · 10 guides
Enforced by: ICO, Ofcom
Applies to: United Kingdom

What you must do

20 compliance obligations under this legislation.

Management duties (15)

Allow caller ID and location data for emergency calls

Fine up to £17,500,000

If your business provides telephone or electronic communications services, you must make sure that calls to 999 or 112 are never blocked or limited. You cannot stop the caller’s number being shown on the receiving line, and you must allow the caller’s location data to be processed, even though other calls may be subject to consent rules.

Applies to: Any Person | Provision: s.16 | Enforced by: ICO | Trigger: When handling a call to the emergency numbers 999 or 112

Co‑operate with public electronic communications service providers

If your business provides telecommunications or other electronic communication services, you must obey reasonable requests from the public service provider that supplies the calling or line‑identification facilities. This means responding to and acting on any lawful request they make under regulations 10 and 11.

Applies to: Trader/Business | Provision: s.13 | Enforced by: ICO | Trigger: When you receive a reasonable request from the provider of the public …

Delete or anonymise traffic data when no longer needed and retain only for payment disputes

Fine up to £17,500,000

If your business provides public electronic communications services, you must erase or de‑identify traffic data as soon as it is no longer needed to send a communication. You may keep the data longer only for billing or interconnection payments, and even then only until any related legal claim is finally settled. Any use of traffic data for marketing requires the subscriber’s explicit consent and must stop when they withdraw that consent.

Applies to: Data Controller | Provision: s.7 | Enforced by: ICO | Trigger: When traffic data is no longer required for transmitting a communication, unless …

Do not make unsolicited marketing calls for claims management services without consent

You must not use telephone or any public electronic communications service to call people and promote claims‑management services unless the person has previously told you they agree to receive such calls. If you have no consent, you must not place the call yourself or ask anyone else to do it on your behalf.

Applies to: Any Person | Provision: Calls for direct marketing of claims management se | Enforced by: ICO | Trigger: Making unsolicited direct‑marketing calls about claims‑management services without prior consent

Meet ICO accreditation requirements for bodies monitoring code compliance

If your organisation wants to be accredited by the ICO to monitor compliance with a privacy code of conduct, you must prove you are independent, have the right expertise, and have clear procedures for assessing eligibility, monitoring compliance, handling complaints and publishing those procedures. You must also show there is no conflict of interest and keep those processes up‑to‑date.

Applies to: Any Person | Provision: Accreditation of bodies monitoring compliance with | Enforced by: ICO | Trigger: When seeking ICO accreditation to monitor a privacy code of conduct

Only make automated recorded marketing calls with consent and ID

You must not use an auto‑dialling system to send recorded direct‑marketing calls unless the person you’re calling has already given you permission to receive such calls. Each call must also show your telephone number or another way for the recipient to contact you. Breaching this rule can lead to ICO enforcement action.

Applies to: Trader/Business | Provision: s.19 | Enforced by: ICO | Trigger: When you intend to send recorded direct‑marketing calls using an automated calling …

Only send fax marketing with consent and respect the fax do‑not‑call register

You must not fax unsolicited direct‑marketing messages to anyone who hasn’t agreed to receive them, and you must check that the number isn’t on the fax ‘do‑not‑call’ register. If a recipient later withdraws consent, you must stop sending to that number immediately.

Applies to: Trader/Business | Provision: s.20 | Enforced by: ICO | Trigger: When you send direct‑marketing communications by facsimile (fax)

Provide free caller ID blocking option for outgoing calls

If you run a telephone or internet service that can show the caller’s number, you must give users an easy way to hide that number when they make a call. The option must be available for each individual call and also as a permanent setting for the whole line, and it must be free of charge.

Applies to: Trader/Business | Provision: s.10 | Enforced by: ICO | Trigger: When your service includes calling line identification (caller ID) for outgoing calls

Provide free means to block caller ID on incoming calls

Fine up to £17,500,000

If you run a telephone service that can show the number of the person calling, you must give your customers an easy, free way to stop that number being displayed on their incoming calls. You also need to let them reject calls where the caller has deliberately hidden their number, and, where you offer connected‑line ID, give a free way to block that too.

Applies to: Trader/Business | Provision: s.11 | Enforced by: ICO | Trigger: Only when your service provides calling line identification or connected line identification …

Provide informed, opt‑in directory listings and allow data correction/withdrawal

Fine up to £17,500,000

If your business publishes a telephone (or similar) directory that the public can consult, you must tell each individual subscriber why their details are being listed, let them choose which details are shown, and get explicit consent when the directory can be accessed just by a phone number. You must also respect a corporate subscriber’s request not to be listed and give every subscriber a free way to check, correct or remove their data at any time.

Applies to: Data Controller | Provision: s.18 | Enforced by: ICO | Trigger: When you produce or maintain a directory of subscribers that is made …

Provide name and contact details in all direct‑marketing calls, faxes and automated messages

If you use a telephone line, automated calling system or fax service to send direct‑marketing messages, you must include your business name and either a physical address or a free‑phone number in each message. This lets recipients know who is contacting them and how to get back to you.

Applies to: Trader/Business | Provision: s.24 | Enforced by: ICO | Trigger: When you send direct‑marketing communications using a public electronic communications service (telephone …

Secure your public communications service and inform users of risks

Fine up to £17,500,000

If you run a public electronic communications service (for example, an ISP or telephone provider), you must put in place suitable technical and organisational safeguards to keep the service and any personal data safe. If, despite those safeguards, a significant security risk remains, you must tell your customers what the risk is, how they can protect themselves and any likely costs, at no charge.

Applies to: Data Controller | Provision: s.5 | Enforced by: ICO

Send marketing emails with clear sender identity and opt‑out address

Fine up to £17,500,000

If you send any direct‑marketing email, you must show who you are and give recipients a valid address they can use to tell you to stop. You also must not hide the sender’s details, must obey the electronic‑commerce rules and must not link to websites that break those rules.

Applies to: Trader/Business | Provision: s.23 | Enforced by: ICO | Trigger: When you transmit or cause transmission of electronic mail for direct marketing

Set up and keep records of procedures for handling data access requests

Fine up to £17,500,000

If you run a communications service, you must have clear internal procedures for dealing with users who ask to see their personal data. You also need to keep records of how many requests you get, why they were made and how you responded, and be ready to hand that information to the ICO whenever they ask.

Applies to: Data Controller | Provision: (unknown) | Enforced by: ICO | Trigger: When regulations 28 and 29 apply – i.e. when you receive a …

Stop automatic call forwarding on subscriber request

If a customer asks you to stop calls that are being automatically forwarded to them because a third party set up the forwarding, you must terminate that forwarding free of charge and without any avoidable delay. You also have to cooperate with any other communications providers to make sure the forwarding is stopped.

Applies to: Trader/Business | Provision: s.17 | Enforced by: ICO | Trigger: Subscriber requests termination of third‑party‑initiated automatic call forwarding

Notifications (1)

Notify ICO and affected individuals of personal data breaches

Fine up to £17,500,000

If you experience a personal data breach, you must tell the Information Commissioner within 72 hours of finding out about it and give them details of what happened, the impact and what you are doing about it. If the breach is likely to harm your customers or users, you also have to inform them straight away with clear advice on how they can protect themselves. Keep a simple register of each breach so the ICO can check you are complying.

Applies to: Data Controller | Provision: Personal data breach | Enforced by: ICO | Trigger: A personal data breach occurs

Other requirements (1)

Provide public information on line‑identification services

Fine up to £17,500,000

If your business supplies a public electronic communications service that includes caller ID or connected line ID, you must tell customers and the wider public that the service exists and explain the options to block it (as set out in regulations 10 and 11). This information should be readily accessible – for example on your website, in customer‑facing brochures or in call‑centre scripts.

Applies to: Trader/Business | Provision: s.12 | Enforced by: ICO | Trigger: You provide a public electronic communications service that offers calling or connected …

Payments and fees (1)

Provide non‑itemised bills when a subscriber asks

If you run a public electronic communications service (e.g., broadband, phone or TV provider), you must give a customer a bill that does not break down individual charges whenever the customer requests it. The bill can show the total amount only, not a line‑by‑line list of services used.

Applies to: Trader/Business | Provision: s.9 | Enforced by: ICO | Trigger: When a subscriber requests a non‑itemised bill

Policies (1)

Do not store or access data on users’ devices without a lawful basis

Fine up to £17,500,000

You must not place cookies, local‑storage items or any other information on a subscriber’s or user’s phone, computer or tablet unless an exemption in Schedule A1 applies (e.g., the user has given consent). In practice this means you need a clear policy and evidence that any device‑side storage you do is permitted.

Applies to: Data Controller | Provision: s.6 | Enforced by: ICO

Registration and licensing (1)

Notify ICO in writing to opt‑out of unsolicited marketing calls

If your business does not want to receive cold‑calling marketing on any of its telephone lines, you must send a written notification to the ICO (or, before 30 Dec 2016, to OFCOM). This tells the regulator to add those numbers to a “do‑not‑call” register.

Applies to: Trader/Business | Provision: s.26 | Enforced by: ICO | Trigger: When you want to stop unsolicited direct‑marketing calls on a telephone line

Penalties for non-compliance

10 penalties under this legislation.

Each of the following carries a significant fine of up to £17,500,000:

  • s.16: Allow caller ID and location data for emergency calls
  • s.7: Delete or anonymise traffic data when no longer needed and retain only for payment disputes
  • s.11: Provide free means to block caller ID on incoming calls
  • s.18: Provide informed, opt‑in directory listings and allow data correction/withdrawal
  • s.5: Secure your public communications service and inform users of risks
  • s.23: Send marketing emails with clear sender identity and opt‑out address
  • (provision unknown): Set up and keep records of procedures for handling data access requests
  • Personal data breach provision: Notify ICO and affected individuals of personal data breaches
  • s.12: Provide public information on line‑identification services
  • s.6: Do not store or access data on users’ devices without a lawful basis

Practical guidance

Our guides explain how to comply with the requirements above.

Sections and provisions

51 classified provisions from this legislation.

Duties (25)

  • s.5 Security of public electronic communications services
  • s.6 Storing information in the terminal equipment of a subscriber or user
  • s.7 Restrictions on the processing of certain traffic data
  • s.9 Itemised billing and privacy
  • s.10 Prevention of calling line identification – outgoing calls
  • s.11 Prevention of calling or connected line identification – incoming calls
  • s.12 Publication of information for the purposes of regulations 10 and 11
  • s.13 Co-operation of communications providers for the purposes of regulations 10 and 11
  • s.16 Emergency calls
  • s.17 Termination of automatic call forwarding
  • s.18 Directories of subscribers
  • s.19 Use of automated calling systems
  • s.20 Use of facsimile machines for direct marketing purposes
  • s.23 Use of electronic mail for direct marketing purposes where the identity or address of the sender is concealed
  • s.24 Information to be provided for the purposes of regulations 19 to 21A
  • s.25 Register to be kept for the purposes of regulation 20
  • s.26 Register to be kept for the purposes of regulation 21
  • s.30 Proceedings for compensation for failure to comply with requirements of the Regulations
  • s.32 Request that the Commissioner exercise his enforcement functions
  • s.33 Technical advice to the Commissioner
  • ... and 5 more duties

Powers (2)

  • Personal data breach: enforcement
  • Power to provide exceptions to regulation 6(1)

Definitions (8)

  • Schedule 2 Transitional provisions
  • s.4 Relationship between these Regulations and the data protection legislation
  • s.8 Further provisions relating to the processing of traffic data under regulation 7
  • s.15 Tracing of malicious or nuisance calls
  • s.22 Use of electronic mail for direct marketing purposes
  • s.29 Legal requirements, law enforcement etc.
  • Calls for direct marketing in relation to pension schemes
  • Codes of conduct

Exemptions (5)

  • s.14 Restrictions on the processing of location data
  • s.21 Calls for direct marketing purposes
  • s.28 National security
  • Emergency alerts
  • Storing information in the terminal equipment of a subscriber or user