Data Protection Act (DPA) Section 28(3) 1984 or Section 29(3) 1998 [temporarily not available]
This form will always be submitted by LEAs to ISPs when requesting information held under the DPA. ISPs are not obliged to disclose information having been issued with a 28(3) form from the 1984 Act or a 29(3) from the 1998 Act which is identical.
The form will request the specific information to be submitted and contain reasons why the information is thought necessary for the purposes of an investigation. Details of case numbers, case names or file numbers should be given to help identify the investigation being made. The form must be signed by a senior ranking officer which is not defined but should mean Inspector or higher.
The information provided under this procedure will typically be data regarding details of the account holder and logging on/off times. It is not valid to provide ongoing tracking or information of the account or any content such as email.
The 28(3)/29(3) form is also referred to on this cuttings page.
This document deals with the issues that arise when an action has occurred on the Internet and one wishes to answer the question "Who did this?" It describes a range of "Best Practice" operational and configuration measures that can be taken by ISPs to minimise unattributable activity by their own customers.
People have a right to privacy when using the Internet. Ensuring that activity on the Internet can be traced back to the person responsible emphatically does not mean that people's activity should be routinely monitored. The only purpose of traceability is to allow misuse, once detected, to be rooted out.
Internet User Privacy Forum Privacy BCP
Regulation of Investigatory Powers Act
Report of The Second Government-Industry Forum on Encryption and Law Enforcement
NCIS NB The Trawler report is no longer available from the NCIS Website. Printed copies can be obtained on request from Gail Kent, PR officer, NCIS.