ISPs, telcos, and responding to the ICO’s “third party information notices”
This blogpost introduces communications providers to the concept of a “third party information notice”, a power afforded to the Information Commissioner’s Office in the UK.
Also known as “TPINs” or “3PINs”, a third party information notice is a legal mandate which the Information Commissioner’s Office can serve on a communications provider, requiring the provider to hand over to the ICO the information set out in the notice.
The ICO also has powers to obtain communications data under the Investigatory Powers Act 2016, but the threshold for obtaining a TPIN is lower, and a TPIN is not subject to external scrutiny.
Third party information notices are a useful tool in the ICO’s investigative process, and often crop up in the context of investigating unlawful marketing calls or SMS.
The ICO uses TPINs to obtain a range of information, including:
- subscriber checks (who was the subscriber of a number at a given point in time)
- other phone numbers linked with a subscriber
- call data records, about events relating to phone numbers
- related information, such as payment data, or contractual documentation
For example, in the enforcement notice it issued to NWR Limited, the ICO says:
[A]n ICO investigating officer placed a call to the [phone number under investigation] and spoke to a member of staff who introduced the company as ‘Energy Care’ and stated (incorrectly) that it did not have a website. Accordingly a third party information notice was issued to the [telephone] number provider which identified as as reseller of the number.
Responses to two further third party information notices issued to the reseller revealed that NWRL was the subscriber to the number … as well as providing a list of 25 numbers allocated to NWRL since 2016.
The Commissioner sent a Third-Party Information Notice (“3PIN”) to the Communications Service Provider (“CSP”) … for the CLI in question on 15 July 2020 requesting the identity of the CLI’s subscribers. The response … identified the subscriber as DSL, and provided a list of CLIs allocated to DSL with the respective connection date for those CLIs.
The Commissioner sent a further 3PIN to … on 8 December 2020 to establish the Call Detail Records (“CDR”s) for the CLIs attributed to DSL between 1 January 2020 and 31 July 2020. A response was received that day from … which provided the CDRs. It was apparent from the information provided that during the relevant time there were eight CLIs allocated to DSL which were being used to make calls …
The legal basis for third party information notices is Regulation 31A, The Privacy and Electronic Communications (EC Directive) Regulations 2003.
The Regulation sets out the power available to the ICO, and the requirements which the ICO must meet.
A provider is obliged to provide the requested information in most cases
A communications provider has a legal obligation to respond to a TPIN, with criminal sanctions (see below) for failing to comply.
My experience is that the ICO can be pragmatic, and that it is possible to have a sensible conversation about what is needed. This can be useful since compliance with a notice can take a considerable amount of resource and time, particularly when it covers a long duration, or requires “recursive” activity, in the sense of finding out additional, linked, information, and then providing information related to that newly-discovered information.
There is no mechanism for cost recovery from the ICO for this work.
The legal obligation is not absolute, and there are circumstances in which the obligation falls away. These need to be assessed on a case-by-case basis, and include:
- if the TPIN relates to a communication between lawyer and client in connection with advice given in respect of PECR.
- if the TPIN relates to a communication between a lawyer and client, or lawyer and anyone else, in respect of proceedings under PECR.
- if responding would be inconsistent with another legal requirement (e.g. a statutory obligation of secrecy) or a court order, or if responding would be likely to prejudice the prevention or detection of crime.
- if exemption is necessary for obtaining legal advice, or establishing, exercising, or defending legal rights.
Timescales for responding
A communications provider has a minimum of seven days to provide the requested information but, in practice, outside urgent cases, it is often considerably longer than this – a month or more.
The ICO must set out the deadline for the response in the notice.
There is a right to appeal
A communications provider in receipt of a TPIN can appeal the notice to the First-tier Tribunal (Information Rights).
Until the appeal is determined or withdrawn, the communications provider is not obliged to provide the requested information.
Criminal liability, so do pay attention!
If a communications provider fails to comply with a third party information notice, they commit a criminal offence.
They have a defence if they can prove that they exercised all due diligence to comply with the TPIN.
A communications provider also commits a criminal offence if, in purported compliance with a TPIN:
- they make a statement which they know to be materially false; or
- they recklessly make a statement which is materially false.
If responding to the TPIN entails the processing of personal data, a communications provider will need to consider how it can do this in a manner consistent with the GDPR.
Finding a legal basis – necessity to comply with a legal obligation – is likely to be straightforward, but, depending on how the communications provider has met its obligations relating to transparency around its processing activity, compliance with Article 13 could need a little more thinking.
If you are a communications provider which has received a third party information notice, and you need some support in dealing with it, please do get in touch.
We have experience in handling TPINs, as well as court orders and other instruments compelling (or purporting to compel) disclosure of communications data.