Communications (Retention of Data) Act 2011

4.

Data security.

4.— (1) A service provider who retains data under section 3 (1) shall take the following security measures in relation to the retained data:

( a) the data shall be of the same quality and subject to the same security and protection as those data relating to the publicly available electronic communications service or to the public communications network, as the case may be;

( b) the data shall be subject to appropriate technical and organisational measures to protect the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful storage, processing, access or disclosure;

( c) the data shall be subject to appropriate technical and organisational measures to ensure that they can be accessed by authorised personnel only;

( d) the data, except those that have been accessed and preserved, shall be destroyed by the service provider after—

(i) in the case of the data in the categories specified in Part 1 of Schedule 2 , a period of 2 years and one month, or

(ii) in the case of the data in the categories specified in Part 2 of Schedule 2 , a period of one year and one month.

(2) The Data Protection Commissioner is hereby designated as the national supervisory authority for the purposes of this Act and Directive No. 2006/24/EC of the European Parliament and of the Council.