Introduction
Due to legislative and regulatory requirements, Calzada Media Limited is required to record and retain certain details about every communication activity to and from our network. This policy details what records we store (or retain), how we store them, where we store them and for how long.
This policy may be revised, without notice, at any time and at the discretion of Calzada Media Limited. Typically, this policy may be amended to reflect any possible legislative or regulatory changes.
If you have any questions about this or any other policy please contact us.
Legal Requirements
As a UK company with all of our servers located within the UK, we are subject to a number of legislative and regulatory requirements that define data retention requirements and their disclosure. These include the Regulation of Investigatory Powers Act 2000, the Communications Act 2003, the Data Retention Regulations 2009, and the Data Retention Regulations 2014.
What data is retained or stored?
Under the Data Retention Regulations 2009, we are required to retain data necessary to:
- Trace and identify the source of a communication
- Identify the destination of a communication
- Identify the date, time and duration of a communication
- Identify the type of communication (e.g. email message, webpage request)
The majority of communication to and from our servers is either email messages or website visits.
For email, we record:
- The address of the sender
- The address of the recipient
- The message subject line
- The message size and number of attachments
- The date and time the message was received by our servers and all subsequent occasions when it is accessed
- The date, time and IP address of every connection attempt to our servers
For website traffic, we record:
- The date and time of the request
- The client's IP address
- The requested website address
- Details of the client's web browser (the UserAgent)
- Any Referrer information
What data is not recorded?
We do not record or log the contents of a communication. For example, whilst we record the subject and size of a message, we do not record the message's content (the body).
How is the data used?
We use the data recorded for legal compliance, service provision, diagnostics and statistical purposes.
Some of our products or services are subject to usage limits, for example: maximum number of messages per hour.
In terms of diagnostics, the retained data allows us to trace problems or issues that may have arisen. For example, identifying a persistent spam source.
We perform statistical analysis on the data recorded. The output of this analysis is anonymous and typically cumulative in nature, and we use it to monitor the performance and usage of our systems. For example, by recording the size of email messages we are able to monitor the amount of data passing through our servers.
Where is data stored and for how long?
Initially, the data is stored on the relevant server involved in the communication. As part of our standard maintenance cycle, we archive this data on a monthly basis with the generated archives being stored off-server in a secure location.
We are required to retain data for 12 months from the date of communication. After 12 months the data is deleted.
Who may access retained data?
Within Calzada Media, access to retained data is strictly limited to authorised personnel for specifically defined purposes of legal compliance, diagnostics or technical troubleshooting.
Access by Customers
We may, on an individual case-by-case basis, supply customer-specific data to the customer. All requests for such data must be made via the Support Helpdesk by a Senior Responsible Person within the customer organisation. This Senior Responsible Person must be someone of whom we have previously been officially notified as having authority to make such requests. All requests are subject to confirmation and approval by Calzada Media and may also be chargeable depending on the scope of the request.
Access by Individuals
Under UK data protection law and regulations, individuals have a Right of Access to information that we may hold about them. To make such a request - technically called a Subject Access Request - please contact us detailing your request in full. We may refuse requests if a restriction applies or we consider them excessive (repetitive queries for the same information).
Third Party Access
Access to data by external or third parties is defined under the Regulation of Investigatory Powers Act 2000. We will only provide access to external or third parties when legally required to do so by defined UK authorities.
Backups
We consider backups to be completely separate from our data retention requirements. We do not allow access to backups unless legally compelled.
Our backups are primarily intended for use by Calzada Media as part of our disaster recovery and resilience policies.
Possible & Future Changes
Following the 2015 General Election, there are indications the Communications Data Bill (sometimes referred to as the Snooper's Charter) is to be revived. This bill includes proposals that extend beyond what is already required by the Data Retention Regulations 2014.
Changes to this policy
24th June 2021
Updated to reflect changes to email logging and to clarify access to retained data. Some areas were rewritten to improve clarity.