Search Legislation

Telecommunications (Security) Act 2021

 Help about what version

What Version

 Help about advanced features

Advanced Features

 Help about opening options

Opening Options

Changes over time for: Cross Heading: Duties of providers of public electronic communications networks and services

 Help about opening options

Alternative versions:

Status:

Point in time view as at 01/10/2022.

Changes to legislation:

There are currently no known outstanding effects for the Telecommunications (Security) Act 2021, Cross Heading: Duties of providers of public electronic communications networks and services. Help about Changes to Legislation

Close

Changes to Legislation

Revised legislation carried on this site may not be fully up to date. At the current time any known changes or effects made by subsequent legislation have been applied to the text of the legislation you are viewing by the editorial team. Please see ‘Frequently Asked Questions’ for details regarding the timescales for which new effects are identified and recorded on this site.

Duties of providers of public electronic communications networks and servicesU.K.

1Duty to take security measuresU.K.

(1)The Communications Act 2003 is amended as follows.

(2)For sections 105A to 105D substitute—

105ADuty to take security measures

(1)The provider of a public electronic communications network or a public electronic communications service must take such measures as are appropriate and proportionate for the purposes of—

(a)identifying the risks of security compromises occurring;

(b)reducing the risks of security compromises occurring; and

(c)preparing for the occurrence of security compromises.

(2)In this Chapter “security compromise”, in relation to a public electronic communications network or a public electronic communications service, means—

(a)anything that compromises the availability, performance or functionality of the network or service;

(b)any unauthorised access to, interference with or exploitation of the network or service or anything that enables such access, interference or exploitation;

(c)anything that compromises the confidentiality of signals conveyed by means of the network or service;

(d)anything that causes signals conveyed by means of the network or service to be—

(i)lost;

(ii)unintentionally altered; or

(iii)altered otherwise than by or with the permission of the provider of the network or service;

(e)anything that occurs in connection with the network or service and compromises the confidentiality of any data stored by electronic means;

(f)anything that occurs in connection with the network or service and causes any data stored by electronic means to be—

(i)lost;

(ii)unintentionally altered; or

(iii)altered otherwise than by or with the permission of the person holding the data; or

(g)anything that occurs in connection with the network or service and causes a connected security compromise.

(3)But in this Chapter “security compromise” does not include anything that occurs as a result of conduct that—

(a)is required or authorised by or under an enactment mentioned in subsection (4);

(b)is undertaken for the purpose of providing a person with assistance in giving effect to a warrant or authorisation that has been issued or given under an enactment mentioned in subsection (4);

(c)is undertaken for the purpose of providing a person with assistance in exercising any power conferred by or under prison rules; or

(d)is undertaken for the purpose of providing assistance to a constable or a member of a service police force (acting in either case in that capacity).

(4)The enactments are—

(a)the Investigatory Powers Act 2016;

(b)Part 1 of the Crime and Courts Act 2013;

(c)the Prisons (Interference with Wireless Telegraphy) Act 2012;

(d)the Regulation of Investigatory Powers Act 2000;

(e)the Regulation of Investigatory Powers (Scotland) Act 2000;

(f)the Intelligence Services Act 1994;

(g)any other enactment (whenever passed or made) so far as it—

(i)makes provision which is in the interests of national security;

(ii)has effect for the purpose of preventing or detecting crime or of preventing disorder; or

(iii)makes provision which is in the interests of the economic well-being of the United Kingdom so far as those interests are also relevant to the interests of national security.

(5)In this section—

  • connected security compromise” means—

    (a)

    in relation to a public electronic communications network, a security compromise that occurs in relation to another public electronic communications network or a public electronic communications service;

    (b)

    in relation to a public electronic communications service, a security compromise that occurs in relation to a public electronic communications network or another public electronic communications service;

  • crime” and “detecting crime” have the same meanings as in the Investigatory Powers Act 2016;

  • prison rules” means any rules made under—

    (a)

    section 47 of the Prison Act 1952;

    (b)

    section 39 of the Prisons (Scotland) Act 1989; or

    (c)

    section 13 of the Prison Act (Northern Ireland) 1953;

  • service police force” means—

    (a)

    the Royal Navy Police;

    (b)

    the Royal Military Police; or

    (c)

    the Royal Air Force Police;

  • signal” has the same meaning as in section 32.

105BDuty to take specified security measures

(1)The Secretary of State may by regulations provide that the provider of a public electronic communications network or a public electronic communications service must take specified measures or measures of a specified description.

(2)A measure or description of measure may be specified only if the Secretary of State considers that taking that measure or a measure of that description would be appropriate and proportionate for a purpose mentioned in section 105A(1).

(3)In this section “specified” means specified in the regulations.

(4)Nothing in this section or regulations under it affects the duty imposed by section 105A.

(3)In section 151 (interpretation of Chapter 1 of Part 2) at the appropriate place in subsection (1) insert—

  • security compromise”, in relation to a public electronic communications network or a public electronic communications service, has the meaning given by section 105A;.

Commencement Information

I1S. 1 in force at Royal Assent for specified purposes, see s. 28(1)(a)

I2S. 1 in force at 1.10.2022 in so far as not already in force by S.I. 2022/931, reg. 2(a)

2Duty to take measures in response to security compromisesU.K.

After section 105B of the Communications Act 2003 insert—

105CDuty to take measures in response to security compromises

(1)This section applies where a security compromise occurs in relation to a public electronic communications network or a public electronic communications service.

(2)The provider of the network or service must take such measures as are appropriate and proportionate for the purpose of preventing adverse effects (on the network or service or otherwise) arising from the security compromise.

(3)If the security compromise has an adverse effect on the network or service, the provider of the network or service must take such measures as are appropriate and proportionate for the purpose of remedying or mitigating that adverse effect.

105DDuty to take specified measures in response to security compromise

(1)The Secretary of State may by regulations provide that, where a security compromise of a specified description occurs in relation to a public electronic communications network or a public electronic communications service, the provider of the network or service must take specified measures or measures of a specified description.

(2)A measure or description of measure may be specified under subsection (1) only if the Secretary of State considers that taking that measure or a measure of that description would be appropriate and proportionate for the purpose of preventing adverse effects (on the network or service or otherwise) arising from a security compromise of the specified description.

(3)The Secretary of State may by regulations provide that, where a security compromise occurs in relation to a public electronic communications network or a public electronic communications service and has an adverse effect of a specified description on the network or service, the provider of the network or service must take specified measures or measures of a specified description.

(4)A measure or description of measure may be specified under subsection (3) only if the Secretary of State considers that taking that measure or a measure of that description would be appropriate and proportionate for the purpose of remedying or mitigating an adverse effect of the specified description.

(5)In this section “specified” means specified in the regulations.

(6)Nothing in this section or regulations under it affects the duty imposed by section 105C.

Commencement Information

I3S. 2 in force at Royal Assent for specified purposes, see s. 28(1)(a)

I4S. 2 in force at 1.10.2022 in so far as not already in force by S.I. 2022/931, reg. 2(a)

3Codes of practice about security measures etcU.K.

After section 105D of the Communications Act 2003 insert—

105ECodes of practice about security measures etc

The Secretary of State may—

(a)issue codes of practice giving guidance as to the measures to be taken under sections 105A to 105D by the provider of a public electronic communications network or a public electronic communications service;

(b)revise a code of practice issued under this section and issue the code as revised;

(c)withdraw a code of practice issued under this section.

105FIssuing codes of practice about security measures

(1)Before issuing a code of practice under section 105E the Secretary of State—

(a)must publish a draft of—

(i)the code; or

(ii)where relevant, the revisions of the existing code;

(b)must consult the following about the draft—

(i)OFCOM;

(ii)providers of public electronic communications networks to whom the draft would apply;

(iii)providers of public electronic communications services to whom the draft would apply; and

(iv)such other persons as the Secretary of State considers appropriate; and

(c)may make such alterations to the draft as the Secretary of State considers appropriate following the consultation.

(2)Before issuing a code of practice under section 105E the Secretary of State must also lay a draft of the code before Parliament.

(3)If, within the 40-day period, either House of Parliament resolves not to approve the draft of the code, the code may not be issued.

(4)If no such resolution is made within that period, the code may be issued.

(5)If the code is issued, the Secretary of State must publish it.

(6)A code of practice comes into force at the time of its publication under subsection (5), unless it specifies a different commencement time.

(7)A code of practice may—

(a)specify different commencement times for different purposes;

(b)include transitional provisions and savings.

(8)In this section, the “40-day period”, in relation to a draft of a code, means the period of 40 days beginning with the day on which the draft is laid before Parliament (or, if it is not laid before each House of Parliament on the same day, the later of the 2 days on which it is laid).

(9)For the purposes of calculating the 40-day period, no account is to be taken of any period during which—

(a)Parliament is dissolved or prorogued, or

(b)both Houses are adjourned for more than 4 days.

105GWithdrawing codes of practice about security measures

(1)Before withdrawing a code of practice under section 105E the Secretary of State must—

(a)publish notice of the proposal to withdraw the code; and

(b)consult the following about the proposal—

(i)OFCOM;

(ii)providers of public electronic communications networks to whom the code applies;

(iii)providers of public electronic communications services to whom the code applies; and

(iv)such other persons as the Secretary of State considers appropriate.

(2)Where the Secretary of State withdraws a code of practice under section 105E the Secretary of State must—

(a)publish notice of the withdrawal of the code; and

(b)lay a copy of the notice before Parliament.

(3)A withdrawal of a code of practice has effect at the time of the publication of the notice of withdrawal under subsection (2), unless the notice specifies a different withdrawal time.

(4)A notice of withdrawal may—

(a)specify different withdrawal times for different purposes;

(b)include savings.

105HEffects of codes of practice about security measures

(1)A failure by the provider of a public electronic communications network or a public electronic communications service to act in accordance with a provision of a code of practice does not of itself make the provider liable to legal proceedings before a court or tribunal.

(2)In any legal proceedings before a court or tribunal, the court or tribunal must take into account a provision of a code of practice in determining any question arising in the proceedings if—

(a)the question relates to a time when the provision was in force; and

(b)the provision appears to the court or tribunal to be relevant to the question.

(3)OFCOM must take into account a provision of a code of practice in determining any question arising in connection with the carrying out by them of a relevant function if—

(a)the question relates to a time when the provision was in force; and

(b)the provision appears to OFCOM to be relevant to the question.

(4)In this section—

  • code of practice” means a code of practice issued under section 105E;

  • relevant function” means a function conferred on OFCOM by any of the following provisions—

    (a)

    section 105M (general duty of OFCOM to ensure compliance with security duties);

    (b)

    section 105N (power of OFCOM to assess compliance with security duties);

    (c)

    section 105O (power of OFCOM to give assessment notices);

    (d)

    section 105S (enforcement of security duties);

    (e)

    section 105U (enforcement of security duties: proposal for interim steps);

    (f)

    section 105V (enforcement of security duties: direction to take interim steps).

105IDuty to explain failure to act in accordance with code of practice

(1)This section applies where OFCOM have reasonable grounds for suspecting that the provider of a public electronic communications network or a public electronic communications service is failing, or has failed, to act in accordance with a provision of a code of practice issued under section 105E.

(2)OFCOM may give a notification to the provider that—

(a)specifies the provision of the code of practice;

(b)specifies the respects in which the provider is suspected to be failing, or to have failed, to act in accordance with it; and

(c)directs the provider to give to OFCOM a statement under subsection (3) or (4).

(3)A statement under this subsection is a statement that—

(a)confirms that the provider is failing, or has failed, in the respects specified in the notification to act in accordance with the provision of the code of practice; and

(b)explains the reasons for the failure.

(4)A statement under this subsection is a statement that—

(a)states that the provider is not failing, or has not failed, in the respects specified in the notification to act in accordance with the provision of the code of practice; and

(b)explains the reasons for that statement.

(5)The provider must comply with a direction given under subsection (2)(c) within such reasonable period as may be specified in the notification.

Commencement Information

I5S. 3 in force at Royal Assent for specified purposes, see s. 28(1)(b)

I6S. 3 in force at 1.10.2022 in so far as not already in force by S.I. 2022/931, reg. 2(a)

Back to top

Options/Help

Print Options

Close

Legislation is available in different versions:

Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.

Original (As Enacted or Made): The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.

Point in Time: This becomes available after navigating to view revised legislation as it stood at a certain point in time via Advanced Features > Show Timeline of Changes or via a point in time advanced search.

Close

See additional information alongside the content

Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.

Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.

Close

Opening Options

Different options to open legislation in order to view more content on screen at once

Close

Explanatory Notes

Text created by the government department responsible for the subject matter of the Act to explain what the Act sets out to achieve and to make the Act accessible to readers who are not legally qualified. Explanatory Notes were introduced in 1999 and accompany all Public Acts except Appropriation, Consolidated Fund, Finance and Consolidation Acts.

Close

More Resources

Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as enacted version that was used for the print copy
  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • correction slips
  • links to related legislation and further information resources
Close

Timeline of Changes

This timeline shows the different points in time where a change occurred. The dates will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. The first date in the timeline will usually be the earliest date when the provision came into force. In some cases the first date is 01/02/1991 (or for Northern Ireland legislation 01/01/2006). This date is our basedate. No versions before this date are available. For further information see the Editorial Practice Guide and Glossary under Help.

Close

More Resources

Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as enacted version that was used for the print copy
  • correction slips

Click 'View More' or select 'More Resources' tab for additional information including:

  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • links to related legislation and further information resources