TL;DR
- The Investigatory Powers Act 2016 (IPA) authorises the Home Secretary to require operators to retain “communications data” — records about calls and messages, not their content — for up to twelve months.
- Retained data categories include who you called or messaged, when and for how long, and the cell IDs of towers your phone was connected to at the time.
- Designated public authorities including police forces, intelligence agencies, and some other bodies can apply for access to retained data; GCHQ, MI5, and MI6 can apply under bulk powers.
- The Investigatory Powers Commissioner’s Office (IPCO), an independent judicial body, oversees the authorisation regime and publishes annual transparency reports.
- You can request to see data held about you by your mobile operator by submitting a Subject Access Request under UK GDPR and the Data Protection Act 2018, free of charge.
The legal framework: the Investigatory Powers Act 2016
The Investigatory Powers Act 2016, sometimes referred to informally as the Snoopers’ Charter, consolidated and extended the powers previously spread across multiple statutes including the Regulation of Investigatory Powers Act 2000 and the Data Retention and Investigatory Powers Act 2014. Part 4 of the IPA grants the Secretary of State the power to issue a data retention notice to a telecommunications operator, requiring that operator to retain specified categories of communications data for a period not exceeding twelve months from the date of collection. The definition of “telecommunications operator” is broad and covers mobile network operators providing connectivity services in the UK.
The Investigatory Powers (Retention and Disclosure of Communications Data) Regulations 2018 specify the technical and operational requirements that accompany a retention notice. Operators must store the retained data securely, ensure it is accessible to authorised public authorities on request, and protect it against unauthorised access or accidental loss. The IPA is subject to ongoing legal scrutiny: the Court of Justice of the European Union ruled against analogous EU regimes before Brexit, and domestic courts have also considered the proportionality of general retention obligations. The current regime reflects amendments introduced in part to respond to earlier judicial findings.
What categories of data are retained
A critical distinction in the IPA regime is between communications data and the content of communications. Content — the actual words spoken in a phone call or the text of a message — is subject to a separate and more demanding authorisation regime (interception warrants). Communications data, by contrast, is data about communications: the who, when, where, and how long, but not the what. For mobile networks, the categories of communications data that can be subject to a retention notice include the subscriber information associated with a number or device (name, address, account details), the identifiers of devices used (IMEI numbers, SIM identifiers), records of calls made and received including the numbers involved and the duration, records of SMS and MMS message transmission (sender, recipient, time, but not message text), and the network access records showing which cell IDs and network infrastructure nodes the device was connected to at the time of each communication.
Operators also hold data for their own operational and billing purposes beyond what retention notices require. Billing records showing data usage volumes, roaming connections, and payment history are kept for commercial and regulatory reasons, typically governed by the operator’s own retention policies and their obligations under Ofcom’s general conditions of entitlement. The IPA regime concerns the law enforcement and intelligence access layer; ordinary commercial data retention is separately governed by UK GDPR and the operator’s privacy notice, which must be published and kept current under the UK GDPR transparency principle.
| Data category | Examples | Content included? | Max retention (IPA) |
|---|---|---|---|
| Subscriber data | Name, address, payment method linked to account | No | 12 months from last access/modification |
| Device identifiers | IMEI, IMSI, SIM ICCID | No | 12 months |
| Telephony records | Called/calling number, call start time, duration | No (voice content excluded) | 12 months |
| Messaging records | SMS/MMS sender, recipient, timestamp | No (message text excluded) | 12 months |
| Network access records | Cell ID at time of each call or message; data session start/end | No | 12 months |
Who can access retained data and how
Chapter 2 of Part 3 of the IPA establishes the regime for obtaining communications data from operators. Designated public authorities — a list that includes police forces, the National Crime Agency, HMRC, the Serious Fraud Office, the Financial Conduct Authority, the Competition and Markets Authority, and others as specified in Schedule 4 to the Act — can obtain communications data by making an application authorised by a designated senior officer within the authority or, in more serious cases, by applying to the Investigatory Powers Commissioner for judicial authorisation (the “double-lock” system introduced to address proportionality concerns). The authorised purpose must fall within one of the grounds specified in the Act, which include preventing or detecting serious crime, protecting national security, or safeguarding life.
The intelligence agencies — GCHQ, MI5, and the Secret Intelligence Service — have access to additional powers under the IPA including bulk acquisition warrants, which can compel operators to hand over specified types of communications data relating to large numbers of subscribers simultaneously, rather than requiring case-by-case individual applications. These bulk powers are subject to a double-lock authorisation requiring both ministerial approval and judicial sign-off by an Investigatory Powers Commissioner. IPCO publishes annual transparency reports setting out aggregate figures for the number of notices issued and applications approved, enabling a degree of public oversight of the regime.
Your rights: subject access and transparency
Mobile operators are data controllers under UK GDPR and the Data Protection Act 2018. As a data subject, you have the right under Article 15 UK GDPR to submit a Subject Access Request (SAR) to your operator and receive a copy of the personal data they hold about you, along with information about how it is used, for how long it is retained, and who it may be shared with. The operator must respond within one month and cannot charge a fee for a standard SAR. The response will typically cover billing and account data, call and message records held for billing purposes, and the operator’s usage of your data for marketing purposes.
There is an important limitation: under Section 26 and Schedule 2 of the Data Protection Act 2018, operators can withhold information from a SAR response where disclosing it would prejudice the prevention or detection of crime, apprehension of offenders, or national security. In practice, this means an operator will not confirm whether a law enforcement body has requested data about you or what has been disclosed in response. The existence of a data retention notice itself is typically subject to confidentiality obligations. The ICO’s guidance on SARs explains the applicable exemptions and what to do if you believe a response is incomplete.
What this means in practice
Take a fictional example: James, a self-employed contractor based in Manchester, receives a letter from his mobile operator’s data protection team in response to a Subject Access Request he submitted. The response includes twelve months of itemised call records showing the date, time, duration, and destination number of every call he made or received, along with records of SMS messages sent showing recipient numbers and timestamps. It does not include the content of any call or message. The response also covers his account details, payment history, and a summary of how his data is used for internal analytics. The operator notes in the covering letter that certain data may be withheld in circumstances involving law enforcement cooperation, but that no such withholding applies to his specific request. James uses the call records to resolve a billing dispute about roaming charges that appeared in a previous month.
Related Guides
How we verified this
This article draws on the Investigatory Powers Act 2016 as published on legislation.gov.uk, the Investigatory Powers (Retention and Disclosure of Communications Data) Regulations 2018 (SI 2018/484), annual transparency reports published by the Investigatory Powers Commissioner’s Office (IPCO) at ipco.org.uk, ICO guidance on Subject Access Requests and the law enforcement exemption under the Data Protection Act 2018, and Ofcom’s General Conditions of Entitlement.
Disclaimer: Kaeltripton.com is an independent UK editorial publisher. We are not regulated by Ofcom or the FCA and we do not sell or arrange mobile services, insurance, or financial products. This content is for general information only and is not legal, financial, or technical advice. Rules, prices, and operator policies change. Verify the current position with Ofcom, GOV.UK, the ICO, or your provider before acting. ICO registered ZC135439. Last reviewed: 2026-06-05.
Frequently Asked Questions
What data does my mobile operator keep about me?
Your mobile operator holds several categories of data. For billing and account purposes: your name, address, payment details, and itemised records of calls, messages, and data usage. Under data retention notices issued under the Investigatory Powers Act 2016, operators may also be required to retain communications metadata — records of who you contacted, when, and for how long, plus the cell IDs your phone was connected to — for up to twelve months. The content of calls and messages is not held in this way; content interception requires a separate judicial warrant.
How long does my operator keep my call records?
For billing and dispute-resolution purposes, operators typically retain itemised call and data records for a period specified in their privacy notice, commonly six to twelve months, though this varies by operator. Under a data retention notice issued under the Investigatory Powers Act 2016, communications data must be retained for the period specified in the notice, up to a maximum of twelve months. After expiry of the retention period, the data must be securely deleted. Your operator’s privacy notice, published on their website, should specify their standard retention periods for each data category.
Who can access my mobile data records?
The Investigatory Powers Act 2016 specifies the designated public authorities that can apply for access to communications data, including police forces, the National Crime Agency, HMRC, and the intelligence agencies. Applications must be authorised by a designated officer within the authority, and in more sensitive cases by an Investigatory Powers Commissioner. Civil courts can also order disclosure of records in legal proceedings. Your operator’s own staff with appropriate access roles can view records for account management and billing purposes, governed by their data protection policies.
How do I make a subject access request to my mobile operator?
Under Article 15 of UK GDPR and the Data Protection Act 2018, you have the right to request a copy of all personal data your operator holds about you. Submit a written request (email is sufficient) to your operator’s data protection or privacy team, identifying yourself with enough information for them to locate your account. The operator must respond within one month at no charge. They may withhold some information under the law enforcement exemption in Schedule 2 of the Data Protection Act 2018 but must tell you if an exemption applies, even if they cannot specify why.
Can I see my own call records?
Yes. Your operator will typically include itemised call records in a Subject Access Request response. Many operators also provide access to recent call and data usage records directly through your online account or mobile app, though these may cover a shorter window than the full retention period. If you need records for a specific past period for a legal dispute or other formal purpose, a formal SAR is the appropriate route, as it compels the operator to provide all retained data they hold on you within the statutory one-month timeframe.
Sources
- Investigatory Powers Act 2016 — legislation.gov.uk
- Investigatory Powers (Retention and Disclosure of Communications Data) Regulations 2018 — legislation.gov.uk
- Investigatory Powers Commissioner’s Office (IPCO) — ipco.org.uk
- Your right to access your data (Subject Access) — ICO
- Data Protection Act 2018 — legislation.gov.uk
