Regulation of Interception of Communications and Provision of Communication-Related Information Act, 2002 (Act 70 of 2002)Directives in Respect of Different Categories of Telecommunications Service Providers made in terms of The Regulation of Interception of Communications and Provision of Communication-Related Information Act, 2002 (Act No. 70 of 2002)Schedule A : Directive for Fixed Line Operators in Terms of Section 30(7)(a) read with Section 30(2) of The Regulation of Interception of Communications and Provision of Communication-Related Information Act, 2002 (Act No. 70 of 2002)Part 4: Routing, Provision and Storing of Archived Communication-Related Information15. Security requirements in respect of archived communication-related information |
15.1 | Information on the manner in which storage measures in respect of archived communication-related information are implemented by a FLO shall not be made available to unauthorized persons. |
15.2 | Archived communication-related information shall not be made available to unauthorized persons. |
15.3 | The FLO shall agree confidentiality on the manner in which storage measures in respect of archived communication-related information are implemented with the manufacturers of his technical installations for the implementation of storage measures. |
15.4 | The technical arrangements required within a FLO, to allow implementation of the storage measures in respect of archived communication-related information, shall be realized with due care exercised in operating telecommunication installations, particularly with respect to the following: |
(a) | The need to protect information on which and how many target identities are or were subject to an archived communication-related direction and the periods in respect of which the directions were applicable. |
(b) | The restriction to a minimum of staff engaged in implementation and operation of storing measures in respect of archived communication-related information. |
(c) | To ensure the clear delimitation of functions and responsibilities and the maintenance of third-party telecommunications privacy, storing facilities in respect of archived communication-related information shall be accessible only by authorized personnel. |
(d) | Archived communication-related information shall be delivered through a handover interface to the IC or provided to a law enforcement agency. |
(e) | No access of any form to the handover interface shall be granted to unauthorized persons. |
(f) | A FLO shall take all necessary measures to protect the handover interface against misuse. |
(g) | Archived communication-related information shall only be routed to the IC as indicated in the. direction when proof of the authority to receive of the IC, and proof of the authority to send of the interface, has been furnished. |
(h) | Authentication and proof of authentication shall be implemented subject to national laws and regulations and as agreed upon by the IC and FLO. |
(i) | Where switched lines to the IC are used, call set-up shall be restricted through the use of the Closed User Group (CUG) facility. |
(j) | In certain interception cases applicants may require, at the cost of the IC, the use of encryption or other confidentiality measures to protect the routing of archived communication-related information. |
(k) | FLOs shall ensure that their handover interfaces support the use of encryption, authentication, integrity checking or other confidentiality measures and shall co-operate with applicants or the IC, or a person authorised by them, to implement such measures if required in terms of subparagraph (j). |
(l) | In order to prevent or trace misuse of the technical functions integrated in the telecommunication installation enabling the storing, routing and provision of archived communication-related information, any activation or application of these functions in relation to a given identity shall be fully recorded, including any activation or application caused by faulty or unauthorized input, and the records shall cover all or some of— |
(i) | The target identities of the target service or target services concerned; |
(ii) | the beginning and end of the activation or application of the archived communication related direction; |
(iii) | the IC to which the archived communication-related information is routed or law enforcement agency to which it is provided; |
(iv) | an authenticator suitable to identify the operating staff (including date and time of input); and |
(v) | a reference to the direction. |
15.5 | The FLOs shall take reasonable steps to ensure that the records referred to in paragraph 15.4(l) are secure and only accessible to specific nominated staff. |
15.6 | The FLO shall take reasonable steps to ensure the integrity of archived communication-related information when it is stored, during transfer thereof to any storage device or media and for the entire storage period set out in paragraph 17. |
15.7 | A FLO shall take reasonable steps to ensure the physical, environmental and logical security of all stored archived communication-related information. |
15.8 | A FLO shall employ reasonable measures to ensure the availability of archived communication-related information. |