icon-grid
Better Regulation logo
Table of Contents

Table of Contents

Expand all headings Collapse all headings Expand side bar Collapse side bar
Privacy and Electronic Communications (EC Directive) Regulations 2003 [SI 2003 No. 2426] (PECR)Introductory TextRegulation 1 Citation and commencementRegulation 2 InterpretationRegulation 3 Revocation of the Telecommunications (Data Protection and Privacy) Regulations 1999Regulation 4 Relationship between these Regulations and the data protection legislationRegulation 5 Security of public electronic communications servicesRegulation 5A Personal data breachRegulation 5B Personal data breach: auditRegulation 5C Personal data breach: enforcementRegulation 6 Confidentiality of communicationsDraft Regulation 6A Power to provide exceptions to regulation 6(1)Regulation 7 Restrictions on the processing of certain traffic dataRegulation 8 Further provisions relating to the processing of traffic data under regulation 7Regulation 9 Itemised billing and privacyRegulation 10 Prevention of calling line identification - outgoing callsRegulation 11 Prevention of calling or connected line identification - incoming callsRegulation 12 Publication of information for the purposes of regulations 10 and 11Regulation 13 Co-operation of communications providers for the purposes of regulations 10 and 11Regulation 14 Restrictions on the processing of location dataRegulation 15 Tracing of malicious or nuisance callsRegulation 16 Emergency callsRegulation 16A Emergency alertsRegulation 17 Termination of automatic call forwardingRegulation 18 Directories of subscribersRegulation 19 Use of automated calling systemsRegulation 20 Use of facsimile machines for direct marketing purposesRegulation 21 Calls for direct marketing purposesRegulation 21A Calls for direct marketing of claims management servicesRegulation 21B Calls for direct marketing in relation to pension schemesRegulation 22 Use of electronic mail for direct marketing purposesRegulation 23 Use of electronic mail for direct marketing purposes where the identity or address of the sender is concealedRegulation 24 Information to be provided for the purposes of regulations 19, 20 and 21 or 21ARegulation 25 Register to be kept for the purposes of regulation 20Regulation 26 Register to be kept for the purposes of regulation 21Regulation 27 Modification of contractsRegulation 28 National securityRegulation 29 Legal requirements, law enforcement etc.Regulation 29ARegulation 30 Proceedings for compensation for failure to comply with requirements of the RegulationsRegulation 31 Enforcement - extension of Part V of the Data Protection Act 1998Regulation 31A Enforcement: third party information noticesRegulation 31B Enforcement: appealsRegulation 32 Request that the Commissioner exercise his enforcement functionsDraft Regulation 32A Codes of conductDraft Regulation 32B Accreditation of bodies monitoring compliance with codes of conductDraft Regulation 32C Effect of codes of conductRegulation 33 Technical advice to the CommissionerRegulation 34 Amendment to the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000Regulation 35 Amendment to the Electronic Communications (Universal Service) Order 2003Regulation 36 Transitional provisionsRegulation 37 Review of implementationDraft Schedule A1 Storing information in the terminal equipment of a subscriber or userSchedule 1 Modifications for the purposes of these Regulations to Part V and sections 55A to 55E of the Data Protection Act 1998 and Schedules 6 and 9 to that Act as extended by Regulation 31Schedule 2 Transitional provisionsSignatureExplanatory Note
Page Overview
Document Overview
Tools
Set a date to view the document
Text comparison options
Full text - Date 1 vs Date 2
Amendments requiring commencement - Current text vs Text requiring commencement
Draft proposed changes - Current text vs Text proposed by drafting documents
Coming soon: Any documents - Any document vs Another document at any date
Print / Export options
Current page
Whole document
Selected pages
Consolidated PDF of the entire document as of 4th January 2025
Export
Export line by line
Export provision to provision
Report template
Create report template
Alert me to changes
Manage alerts
Bookmarks
This page
This document
Manage bookmarks
Search within this document
View previous searches
Share
Get page link
Share via email application
PreviousNext
Version status: In force | Document consolidation status: Updated to reflect all known changes
Version date: 26 May 2011 - onwards
Version 3 of 3

Regulation 5 Security of public electronic communications services

DRAFT Paragraph omitted 113 Commissioner's enforcement powers of the Data (Use and Access) Bill [HL] (updated 17 December 2024)
View:
Current text Draft text as it may be read Compare current vs draft text Whole document current text vs draft text

(1) Subject to paragraph (2), a provider of a public electronic communications service ("the service provider") shall take appropriate technical and organisational measures to safeguard the security of that service.

(1A) The measures referred to in paragraph (1) shall at least -

(a) ensure that personal data can be accessed only by authorised personnel for legally authorised purposes;

(b) protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure; and

(c) ensure the implementation of a security policy with respect to the processing of personal data.

(2) If necessary, the measures required by paragraph (1) may be taken by the service provider in conjunction with the provider of the electronic communications network by means of which the service is provided, and that network provider shall comply with any reasonable requests made by the service provider for these purposes.

(3) Where, notwithstanding the taking of measures as required by paragraph (1), there remains a significant risk to the security of the public electronic communications service, the service provider shall inform the subscribers concerned of -

(a) the nature of that risk;

PreviousNext