Protection of Businesses Act, 1978
R 385
Regulation of Interception of Communications and Provision of Communication-Related Information Act, 2002 (Act 70 of 2002)Directives in Respect of Different Categories of Telecommunications Service Providers made in terms of The Regulation of Interception of Communications and Provision of Communication-Related Information Act, 2002 (Act No. 70 of 2002)Schedule B : Directive for Mobile Cellular Operators in terms of Section 30(7)(a) read with Section 30(2) of the Regulation of Interception of Communications Information Act, 2002 (Act No. 70 of 2002)Part 4 : Routing, Provision and Storing of Archived Communication-related information15. Security requirements in respect of archived communication-related information |
| 15.1 | Information on the manner in which storage measures in respect of archived communication-related information are implemented by a MCO shall not be made available to unauthorised persons. |
| 15.2 | Archived communication-related information shall not be made available to unauthorised persons. |
| 15.3 | The MCO shall agree confidentiality on the manner in which storage measures in respect of archived communication-related information are implemented with the manufacturers of his technical systems for the implementation of storage measures. |
| 15.4 | The technical arrangements required within a MCO, to allow implementation of the storage measures in respect of archived communication-related information, shall be realised with due care exercised in operating telecommunication systems, particularly with respect to the following: |
| (a) | The need to protect information on which and how many target identities are or were subject to an archived communication-related direction and the periods in respect of which the directions were applicable. |
| (b) | The restriction to a minimum number of staff engaged in implementation and operation of storing measures in respect of archived communication-related information. |
| (c) | To ensure the clear delimitation of functions and responsibilities and the maintenance of third-party telecommunications privacy, storing facilities in respect of archived communication-related information shall be accessible only by authorised personnel. |
| (d) | Archived communication-related information shall be delivered through a handover interface to the IC or provided to a law enforcement agency. |
| (e) | No access of any form to the handover interface shall be granted to unauthorised persons. |
| (f) | A MCO shall take all necessary measures to protect the handover interface against misuse. |
| (g) | Archived communication-related information shall only be routed to the IC as indicated in the direction when proof of the authority to receive of the IC, and proof of the authority to send of the interface, has been furnished. |
| (h) | Authentication and proof of authentication shall be implemented subject to national laws and regulations. |
| (i) | Where switched lines to the IC are used, such proof shall be furnished for each routing of information. |
| (j) | In certain interception cases applicants may stipulate, at the cost of the IC, the use of additional security devices to protect the routing of archived communication-related information. |
| (k) | MCOs shall ensure that their HI2 (CRI) handover interfaces support the use of encryption, authentication, integrity checking or other confidentiality measures and shall co-operate with applicants or the IC, or a person authorised by them, to implement such measures if required in terms of subparagraph (j), above. |
| (l) | In order to prevent or trace misuse of the technical functions integrated in the telecommunication system enabling the storing, routing and provision of archived communication-related information, any activation or application of these functions in relation to a given target identity shall be fully recorded, including any activation or application caused by faulty or unauthorised input, and the records shall cover all or some of— |
| (i) | the target identities of the target service or target services concerned; |
| (ii) | the beginning and end of the activation or application of the archived communication-related direction; |
| (iii) | the IC to which the archived communication-related information is routed of law enforcement agency to which it is provided; |
| (iv) | an authenticator suitable to identify the operating staff (including date and time of input); and |
| (v) | a reference to the direction. |
| 15.5 | The MCOs shall take reasonable steps to ensure that the records referred to in paragraph 75.4(l) are secure and only accessible to specific authorised staff. |
| 15.6 | The MCO shall take reasonable steps to ensure the integrity of archived communication-related information when it is stored, during transfer thereof to any storage device or media and for the entire storage period set out in paragraph 17. |
| 15.7 | A MCO shall take reasonable steps to ensure the physical,environmental and logical security of all stored archived communication-related information. |
| 15.8 | A MCO shall employ reasonable measures to ensure the availability of archived communication-related information. |
