Regulation of Interception of Communications and Provision of Communication-Related Information Act, 2002 (Act 70 of 2002)Directives in Respect of Different Categories of Telecommunications Service Providers made in terms of The Regulation of Interception of Communications and Provision of Communication-Related Information Act, 2002 (Act No. 70 of 2002)Schedule B : Directive for Mobile Cellular Operators in terms of Section 30(7)(a) read with Section 30(2) of the Regulation of Interception of Communications Information Act, 2002 (Act No. 70 of 2002)Part 3: Routing, Provision and Storing of Real-Time Communication-Related Information11. Security requirements in respect of real-time communication-related information |
11.1 | Information on the manner in which storage measures in respect of real-time communication-related information are implemented by a MCO shall not be made available to unauthorised persons. |
11.2 | Real-time communication-related information shall not be made available to unauthorised persons. |
11.3 | The MCO shall agree to confidentiality on the manner in which storage measures in respect of real-time communication-related information are implemented with the manufacturers of its technical systems for the implementation of storage measures. |
11.4 | The technical arrangements required within a MCO, to allow implementation of the storage measures in respect of real-time communication-related information, shall be realised with due care exercised in operating telecommunication systems , particuIarly with respect to the following: |
(a) | The need to protect information on which and how many target identities are or were subject to a real-time communication-related direction and the periods in respect of which the directions were applicable. |
(b) | The restriction to a minimum number of staff engaged in implementation and operation of storing measures in respect of real-time communtion-related information. |
(c) | To ensure the clear delimitation of functions and responsibilities and the maintenance of third-party telecommunications privacy, storing facilities in respect of real-time communication-related information shall be accessible only by authorised personnel. |
(d) | Real-time communication-related information shall be delivered through a handover interface to the IC or provided to a law enforcement agency. |
(e) | No access of any form to the handover interface shall be granted to unauthorised persons. |
(f) | A MCO shall take alt necessary measures to protect the handover interface against misuse. |
(g) | Real-time communication-related information shall only be routed to the IC as indicated in the direction when proof of the authority to receive of the IC, and proof of the authority to send of the interface, has been furnished. |
(h) | Authentication and proof of authentication shall be implemented subject to national laws and regulations. |
(i) | Where switched lines to the IC are used, such proof shall be furnished for each routing of information. |
(j) | In certain interception cases applicants may stipulate, at the cost of the IC, the use of additional security devices to protect the routing of real-time communication-related information. |
(k) | MCOs shall ensure that their HI2 (CRI) handover interfaces support the use of encryption, authentication, integrity checking or other confidentiality measures and shall co-operate with applicants or the IC, or a person authorised by them, to implement such measures if required for the purposes of subparagraph (j) above. |
(l) | In order to prevent or trace misuse of the technical functions integrated in the telecommunication system enabling the storing, routing and provision of real-time communication-related information, any activation or application of these functions in relation to a given target identity shall be fully recorded, including any activation or application caused by faulty or unauthorised input, and the records shall cover all or some of— |
(i) | the target identities of the target service or target services concerned; |
(ii) | the beginning and end of the activation or application of the real-time communication-related direction; |
(iii) | the IC to which the real-time communication-related information is routed or law enforcement agency to which it is provided; |
(iv) | an authenticator suitable to identify the operating staff (including date and time of input); and |
(v) | a reference to the direction. |
11.5 | The MCO shall take reasonable steps to ensure that the records referred to in paragraph 11.4(1) are secure and only accessible to specific nominated staff. |
11.6 | The MCO shall take reasonable steps to ensure the integrity of real-time communication-related information when it is recorded and stored. |
11.7 | A MCO shall take reasonable steps to ensure the physical, environmental and logical security of all stored real-time communication-related information. |
11.8 | A MCO shall employ all reasonable measures to ensure the availability of real-time communication-related information. |