Prospective
(1)The Investigatory Powers Act 2016 is amended as follows.
(2)In section 199 (bulk personal datasets: interpretation)—
(a)in subsection (1), in the words before paragraph (a), after “Part” insert “and Part 7A”;
(b)in subsection (2), after “Part” insert “and Part 7A”.
(3)In the italic heading before section 200, for “warrant” substitute “authorisation”.
(4)In section 200 (requirement for authorisation by warrant: general)—
(a)in subsection (1)—
(i)the words “by a warrant under this Part” become paragraph (a);
(ii)after that paragraph insert “, or
(b)by an individual authorisation under Part 7A (low or no reasonable expectation of privacy) (see section 226B).”;
(b)in subsection (2)—
(i)the words “by a warrant under this Part” become paragraph (a);
(ii)after that paragraph insert “, or
(b)by an individual authorisation under Part 7A.”;
(c)in the heading, omit “by warrant”.
(5)In section 201 (exceptions to section 200(1) and (2)), in subsection (3)—
(a)for “and 220(5)” substitute “, 220(5) and (6) and 226CC(3)”;
(b)after “BPD warrants” insert “or authorisations under Part 7A”.
(6)After section 201 insert—
(7)In section 220 (initial examinations: time limits)—
(a)in subsection (2), for step 3 substitute—
“Step 3
If the head of the intelligence service, or a person acting on their behalf, decides to retain the set and hold it electronically for analysis as mentioned in step 2, as soon as reasonably practicable after making that decision—
apply for a specific BPD warrant (unless the retention of the dataset is authorised by a class BPD warrant), or
(b)after subsection (5) insert—
“(6)If the head of the intelligence service, or a person acting on their behalf, decides to grant an individual authorisation under Part 7A in accordance with step 3 (set out in subsection (2))—
(a)the intelligence service is not to be regarded as in breach of section 200(1) by virtue of retaining the bulk personal dataset during any period when a Judicial Commissioner is deciding whether to approve the decision to grant the authorisation (see section 226B(5)), and
(b)the intelligence service is not to be regarded as in breach of section 200(2) by virtue of examining the bulk personal dataset during that period if the examination is necessary in connection with obtaining the approval of a Judicial Commissioner.”
(8)In section 225 (application of Part 7 to bulk personal datasets obtained under the Act)—
(a)in subsection (4)—
(i)the words “by a class BPD warrant or a specific BPD warrant under this Part” become paragraph (a);
(ii)after that paragraph insert “, or
(b)by an individual authorisation under Part 7A (low or no reasonable expectation of privacy).”;
(b)in subsection (13)—
(i)the words from “apply” to the end become paragraph (a);
(ii)after that paragraph insert “, or
(b)decide to grant an individual authorisation under Part 7A.”
Commencement Information
I1S. 1 not in force at Royal Assent, see s. 32(2)
After Part 7 of the Investigatory Powers Act 2016 insert—
(1)This section applies to a bulk personal dataset if the nature of the bulk personal dataset is such that the individuals to whom the personal data relates could have no, or only a low, reasonable expectation of privacy in relation to the data.
(2)In considering whether this section applies to a bulk personal dataset, regard must be had to all the circumstances, including in particular the factors in subsection (3).
(3)Those factors are—
(a)the nature of the data;
(b)the extent to which—
(i)the data has been made public by the individuals, or
(ii)the individuals have consented to the data being made public;
(c)if the data has been published, the extent to which it was published subject to editorial control or by a person acting in accordance with professional standards;
(d)if the data has been published or is otherwise in the public domain, the extent to which the data is widely known about;
(e)the extent to which the data has already been used in the public domain.
(1)In this Part “an individual authorisation” is an authorisation that authorises an intelligence service to retain, or to retain and examine, any bulk personal dataset described in the authorisation.
(2)See section 200 (requirement for authorisation) for provision about when an individual authorisation under this Part is required.
(3)The head of an intelligence service, or a person acting on their behalf, may grant an individual authorisation where the conditions in subsections (4) and (5) are met.
This is subject to subsection (6).
(4)The condition in this subsection is that the person granting the authorisation considers that—
(a)section 226A applies to the bulk personal dataset described in the authorisation,
(b)the authorisation is necessary for the purpose of the exercise of any function of the intelligence service,
(c)the conduct being authorised is proportionate to what is sought to be achieved by the conduct, and
(d)there are for the time being in force arrangements made by the intelligence service, and approved by the Secretary of State, for storing bulk personal datasets to which section 226A applies and for protecting them from unauthorised disclosure.
(5)The condition in this subsection is that the decision to grant the authorisation has been approved by a Judicial Commissioner.
(6)The condition in subsection (5) does not apply where—
(a)the bulk personal dataset described in the individual authorisation falls within a category of bulk personal datasets authorised for the purposes of this Part by a category authorisation (see section 226BA), or
(b)the person granting the individual authorisation considers that there is an urgent need to grant the authorisation.
(7)But subsection (6)(a) does not prevent a person granting an individual authorisation from seeking the approval of a Judicial Commissioner in a case where subsection (6)(a) applies if the person considers that it would be appropriate to seek such approval.
(8)An individual authorisation relating to a bulk personal dataset (“dataset A”) may also authorise the retention or examination of other bulk personal datasets (“replacement datasets”) that do not exist at the time of the grant of the authorisation but may reasonably be regarded as replacements for dataset A.
(1)In this Part “a category authorisation” is an authorisation that authorises a category of bulk personal datasets described in the authorisation for the purposes of this Part.
(2)The head of an intelligence service, or a person acting on their behalf, may grant a category authorisation where—
(a)they consider that section 226A applies to any dataset that falls within the category of datasets described in the authorisation, and
(b)the decision to grant the authorisation has been approved by a Judicial Commissioner.
(3)A category authorisation may describe a category of bulk personal datasets by reference to (among other things) the use to which the datasets will be put.
(1)In deciding whether to approve a decision to grant an individual authorisation or a category authorisation, a Judicial Commissioner must review the conclusions of the person who granted the authorisation as to the following matters—
(a)in relation to an individual authorisation, whether section 226A applies to the bulk personal dataset described in the authorisation, and
(b)in relation to a category authorisation, whether section 226A applies to any dataset that falls within the category of datasets described in the authorisation.
(2)In doing so, the Judicial Commissioner must—
(a)apply the same principles as would be applied by a court on an application for judicial review, and
(b)consider the matters referred to in subsection (1) with a sufficient degree of care as to ensure that the Judicial Commissioner complies with the duties imposed by section 2 (general duties in relation to privacy).
(3)Where a Judicial Commissioner refuses to approve a decision to grant an individual authorisation or a category authorisation, the Judicial Commissioner must give the person who decided to grant the authorisation written reasons for the refusal.
(4)Where a Judicial Commissioner, other than the Investigatory Powers Commissioner, refuses to approve a decision to grant an individual authorisation or a category authorisation, the head of the intelligence service, or a person acting on their behalf, may ask the Investigatory Powers Commissioner to decide whether to approve the decision to grant the authorisation.
(1)This section applies where—
(a)an individual authorisation is granted without the approval of a Judicial Commissioner, and
(b)the person who granted the authorisation considered that there was an urgent need to grant it.
(2)The person who granted the authorisation must inform a Judicial Commissioner that it has been granted.
(3)The Judicial Commissioner must, before the end of the relevant period—
(a)decide whether to approve the decision to grant the authorisation, and
(b)notify the person who granted the authorisation of the Judicial Commissioner’s decision.
The “relevant period” means the period ending with the third working day after the day on which the authorisation was granted.
(4)Subsections (5) to (7) apply if a Judicial Commissioner refuses to approve the decision to grant an individual authorisation.
(5)The authorisation—
(a)ceases to have effect (unless already cancelled), and
(b)may not be renewed,
and section 226BB(4) does not apply in relation to the refusal to approve the decision.
(6)The head of the intelligence service must, so far as is reasonably practicable, secure that anything in the process of being done in reliance on the authorisation stops as soon as possible.
(7)Section 220 (Part 7 initial examinations: time limits) applies in relation to the bulk personal dataset described in the authorisation as if the intelligence service had obtained that dataset at the time when the person who granted the authorisation is notified that the Judicial Commissioner has refused to approve the decision to grant the authorisation.
(8)Nothing in subsection (5) or (6) affects the lawfulness of—
(a)anything done in reliance on the authorisation before it ceases to have effect;
(b)if anything is in the process of being done in reliance on the authorisation when it ceases to have effect—
(i)anything done before that thing could be stopped, or
(ii)anything done that it is not reasonably practicable to stop.
(1)An individual authorisation or a category authorisation ceases to have effect at the end of the relevant period unless—
(a)it is renewed before the end of that period (see section 226CA), or
(b)it is cancelled or otherwise ceases to have effect before the end of that period (see sections 226BC, 226CB, and 226CD).
(2)In this section the “relevant period”—
(a)in the case of an urgent individual authorisation, means the period ending with the fifth working day after the day on which the authorisation was granted;
(b)in any other case, means the period of 12 months beginning with—
(i)the day on which the authorisation was granted, or
(ii)in the case of an authorisation that has been renewed, the day after the day at the end of which the authorisation would have ceased to have effect if it had not been renewed.
(3)For the purposes of subsection (2)(a), an individual authorisation is an “urgent individual authorisation” if—
(a)the authorisation was granted without the approval of a Judicial Commissioner, and
(b)the person who granted the authorisation considered that there was an urgent need to grant it.
(1)If the renewal conditions are met for an individual authorisation or a category authorisation, the head of an intelligence service, or a person acting on their behalf, may, at any time during the renewal period, renew the authorisation.
(2)The renewal conditions for an individual authorisation are that—
(a)the person renewing the authorisation considers that—
(i)section 226A continues to apply to the bulk personal dataset described in the authorisation,
(ii)the authorisation continues to be necessary for the purpose of the exercise of any function of the intelligence service,
(iii)the conduct being authorised continues to be proportionate to what is sought to be achieved by the conduct, and
(iv)there are for the time being in force arrangements made by the intelligence service, and approved by the Secretary of State, for storing bulk personal datasets to which section 226A applies and for protecting them from unauthorised disclosure, and
(b)the decision to renew the authorisation has been approved by a Judicial Commissioner.
(3)But the condition in subsection (2)(b) does not apply where the bulk personal dataset described in the individual authorisation falls within a category of bulk personal datasets authorised for the purposes of this Part by a category authorisation.
(4)The renewal conditions for a category authorisation are that—
(a)the person renewing the authorisation considers that section 226A continues to apply to any dataset that falls within the category of datasets described in the authorisation, and
(b)the decision to renew the authorisation has been approved by a Judicial Commissioner.
(5)In this section the “renewal period” means—
(a)in the case of an urgent individual authorisation which has not been renewed, the relevant period;
(b)in the case of an individual authorisation to which section 226CD (non-renewal or cancellation of category authorisation) applies, the period of three months ending with the day at the end of which the authorisation would otherwise cease to have effect;
(c)in any other case, the period of 30 days ending with the day at the end of which the authorisation would otherwise cease to have effect.
(6)Section 226BB (approval of authorisations by Judicial Commissioner) applies in relation to a decision to renew an authorisation under this section as it applies in relation to a decision to grant an authorisation under this Part.
(7)In this section—
“the relevant period” has the same meaning as in section 226C;
“urgent individual authorisation” is to be read in accordance with subsection (3) of that section.
(1)The head of an intelligence service, or a person acting on their behalf, may, at any time, cancel an individual authorisation or a category authorisation.
(2)If the head of an intelligence service, or a person acting on their behalf, considers that any of the cancellation conditions are met in relation to an individual authorisation, or that the cancellation condition is met in relation to a category authorisation, they must cancel the authorisation.
(3)The cancellation conditions for an individual authorisation are—
(a)that section 226A no longer applies to the dataset described in the authorisation;
(b)that the authorisation is no longer necessary for the purpose of the exercise of any function of the intelligence service;
(c)that the conduct authorised by the authorisation is no longer proportionate to what is sought to be achieved by the conduct;
(d)that there are no longer in force arrangements made by the intelligence service, and approved by the Secretary of State, for storing bulk personal datasets to which section 226A applies and for protecting them from unauthorised disclosure.
(4)The cancellation condition for a category authorisation is that section 226A no longer applies to any dataset that falls within the category of datasets described in the authorisation.
(1)This section applies where an individual authorisation ceases to have effect because it expires without having been renewed or because it is cancelled.
(2)The head of the intelligence service, or a person acting on their behalf, may, before the end of the period of 5 working days beginning with the day on which the authorisation ceases to have effect, decide to grant a new individual authorisation (see section 226B) to retain, or to retain and examine, any material retained by the intelligence service in reliance on the authorisation which has ceased to have effect.
(3)Where an individual authorisation ceases to have effect because it expires without having been renewed or because it is cancelled, an intelligence service is not to be regarded as in breach of section 200(1) or (2) by virtue of its retention or examination of any material to which the authorisation related during the following periods—
(a)the period of 5 working days beginning with the day on which the authorisation ceases to have effect;
(b)if the head of the intelligence service, or a person acting on their behalf, decides to grant a new individual authorisation as mentioned in subsection (2), any period when a Judicial Commissioner is deciding whether to approve the decision.
(1)This section applies where—
(a)a category authorisation ceases to have effect because it expires without having been renewed or because it is cancelled, and
(b)an individual authorisation describing a bulk personal dataset that falls within the category of datasets described in the category authorisation has been granted without the approval of a Judicial Commissioner in accordance with section 226B(6)(a).
(2)The individual authorisation ceases to have effect at the end of the relevant period unless—
(a)it is renewed before the end of that period, or
(b)it is cancelled or otherwise ceases to have effect before the end of that period.
(3)In this section the “relevant period” means the period of three months beginning with the day after the day at the end of which the category authorisation ceased to have effect.
(1)Subsections (2) to (4) apply where—
(a)an individual authorisation is granted under this Part in relation to any bulk personal dataset, and
(b)in the course of examining the dataset in accordance with the authorisation, the head of the intelligence service, or a person acting on their behalf, believes that section 226A does not apply, or no longer applies, to part of the dataset.
(2)The head of the intelligence service must, so far as is reasonably practicable, secure that anything in the process of being done in relation to that part of the bulk personal dataset in reliance on the authorisation stops as soon as possible.
(3)Section 220 (Part 7 initial examinations: time limits) applies in relation to that part of the bulk personal dataset as if the intelligence service had obtained that part of the dataset at the time when the head of the intelligence service, or the person acting on their behalf, first formed the beliefs mentioned in subsection (1)(b).
(4)The individual authorisation in relation to that part of the bulk personal dataset is to be treated as if it had been cancelled under section 226CB at that time.
(5)Nothing in this section affects the lawfulness of—
(a)anything done in reliance on the authorisation before it ceases to have effect;
(b)if anything is in the process of being done in reliance on the authorisation when it ceases to have effect—
(i)anything done before that thing could be stopped, or
(ii)anything done that it is not reasonably practicable to stop.
(1)The head of each intelligence service must provide an annual report to the Secretary of State about the bulk personal datasets that were authorised under this Part to be retained, or retained and examined, by the intelligence service during the period to which the report relates.
(2)The first report must relate to a period of at least one year and no more than two years, beginning with the day on which this Part comes fully into force.
(3)Subsequent reports must relate to a period of no more than one year, beginning with the end of the period to which the previous report related.
(4)Each report must be provided to the Secretary of State as soon as reasonably practicable after the end of the period to which the report relates.
(1)The Secretary of State must for each relevant period provide to the Intelligence and Security Committee of Parliament a report setting out information about category authorisations and renewals of category authorisations granted in that period.
(2)In subsection (1) “relevant period” means—
(a)a period of at least one year and no more than two years beginning with the date on which this Part comes fully into force, and
(b)subsequent periods of no more than one year, beginning with the end of the period to which the previous report related.
(3)Each report must be provided to the Committee as soon as reasonably practicable after the end of the period to which the report relates.
(1)In this Part—
“category authorisation” has the meaning given by section 226BA(1);
“individual authorisation” has the meaning given by section 226B(1).
(2)See also—
section 199 (bulk personal datasets: interpretation),
section 263 (general definitions),
section 265 (index of defined expressions).
(3)For the purposes of this Part, only a person holding office under the Crown may act on behalf of the head of an intelligence service.”
Commencement Information
I2S. 2 not in force at Royal Assent, see s. 32(2)
(1)In section 213 of the Investigatory Powers Act 2016 (duration of warrants), in subsection (2)(b), for “6 months” substitute “12 months”.
(2)The amendment made by subsection (1) has effect only in relation to a warrant that is issued or renewed under Part 7 of that Act on or after the day on which this section comes into force.
(3)In subsection (2) “warrant” has the same meaning as in section 213(2)(b) of that Act.
Commencement Information
I3S. 3 not in force at Royal Assent, see s. 32(2)
(1)The Investigatory Powers Act 2016 is amended as follows.
(2)In section 202 (restriction on use of class BPD warrants)—
(a)in subsections (1) and (2), after “head of the intelligence service” insert “, or a person acting on their behalf,”;
(b)in subsection (3)—
(i)after “head of the intelligence service”, in the first place it occurs, insert “, or a person acting on their behalf,”;
(ii)omit “by the head of the intelligence service”;
(c)after subsection (4) insert—
“(5)For the purposes of subsections (1), (2) and (3), only a person holding office under the Crown may act on behalf of the head of an intelligence service.”
(3)In section 206 (additional safeguards for health records)—
(a)in subsections (4)(b) and (5)(a) and (b), after “head of the intelligence service” insert “, or a person acting on their behalf,”;
(b)after subsection (7) insert—
“(8)For the purposes of subsections (4)(b) and (5), only a person holding office under the Crown may act on behalf of the head of an intelligence service.”
(4)In section 219 (non-renewal or cancellation of BPD warrants)—
(a)in subsection (2), after “addressed” insert “, or a person acting on their behalf,”;
(b)in the following provisions, after “the head of the intelligence service” insert “, or a person acting on their behalf,”—
(i)subsection (2)(b);
(ii)subsection (7), in both places it occurs;
(iii)subsection (8), in both places it occurs;
(c)after subsection (8) insert—
“(9)For the purposes of subsections (2), (7) and (8), only a person holding office under the Crown may act on behalf of the head of an intelligence service.”
(5)In section 220 (initial examinations: time limits)—
(a)in the following provisions, after “head of the intelligence service” insert “, or a person acting on their behalf,”—
(i)subsection (1)(b);
(ii)subsection (2);
(iii)subsection (3);
(iv)subsection (5);
(b)after subsection (6) (inserted by section 1) insert—
“(7)For the purposes of this section, only a person holding office under the Crown may act on behalf of the head of an intelligence service.”
(6)In section 225 (application of Part 7 to bulk personal datasets obtained under this Act)—
(a)in subsection (3), after “head of the intelligence service” insert “, or a person acting on their behalf”;
(b)in subsection (13), after “head of an intelligence service” insert “, or a person acting on their behalf,”;
(c)after subsection (14) insert—
“(15)For the purposes of subsections (3) and (13), only a person holding office under the Crown may act on behalf of the head of an intelligence service.”
Commencement Information
I4S. 4 not in force at Royal Assent, see s. 32(2)
After Part 7A of the Investigatory Powers Act 2016 (as inserted by section 2) insert—
(1)For the purposes of this Part, an intelligence service examines a third party bulk personal dataset if—
(a)the intelligence service has relevant access, whether on payment or otherwise, to a set of information that is held electronically by a person other than an intelligence service,
(b)the set includes personal data relating to a number of individuals,
(c)the nature of the set is such that the majority of the individuals are not, and are unlikely to become, of interest to the intelligence service in the exercise of its functions, and
(d)after any initial inspection of the contents (see section 226I), the intelligence service examines the set electronically (but does not obtain the set) for the purpose of the exercise of its functions.
(2)For the purposes of subsection (1)(a), an intelligence service has “relevant access” to a set of information that is held electronically by another person where—
(a)the access is made available to the intelligence service as a result of arrangements made directly between the intelligence service and that other person,
(b)the type and extent of the access available to the intelligence service is not generally available (whether on a commercial basis or otherwise), and
(c)the access is electronic.
(1)An intelligence service may not exercise a power to examine a third party bulk personal dataset unless the examination of the dataset is authorised by a third party BPD warrant.
(2)A “third party BPD warrant” is a warrant issued under this Part authorising an intelligence service to examine any third party bulk personal dataset described in the warrant.
(3)A third party BPD warrant may authorise the examination of a bulk personal dataset—
(a)the content of which may vary from time to time, or
(b)that does not exist at the time of the issue of the warrant.
(1)Section 226F(1) does not apply to the exercise of a power of an intelligence service to examine a third party bulk personal dataset if the intelligence service examines the bulk personal dataset under any other warrant or authorisation issued or given under this Act.
(2)See section 226I(5) (initial inspection) for a further exception to 226F(1).
(1)The head of an intelligence service, or a person acting on their behalf, may apply to the Secretary of State for a third party BPD warrant.
(2)The application must include a general description of the bulk personal dataset (or datasets) to which the application relates.
(3)Where the person making the application knows that subsection (6) applies to any bulk personal dataset to which the application relates, the application must also include a statement to that effect.
(4)The Secretary of State may issue the warrant if—
(a)the Secretary of State considers that the warrant is necessary—
(i)in the interests of national security,
(ii)for the purposes of preventing or detecting serious crime, or
(iii)in the interests of the economic well-being of the United Kingdom so far as those interests are also relevant to the interests of national security,
(b)the Secretary of State considers that the conduct authorised by the warrant is proportionate to what is sought to be achieved by the conduct,
(c)the Secretary of State considers that the arrangements made by the intelligence service for examining the bulk personal dataset (or datasets) to which the application relates are satisfactory, and
(d)except where the Secretary of State considers that there is an urgent need to issue the warrant, the decision to issue the warrant has been approved by a Judicial Commissioner.
(5)The fact that a third party BPD warrant would authorise the examination of bulk personal datasets relating to activities in the British Islands of a trade union is not, of itself, sufficient to establish that the warrant is necessary on grounds falling within subsection (4)(a).
(6)This subsection applies to a bulk personal dataset if—
(a)the dataset consists of, or includes, protected data or health records,
(b)a substantial proportion of the dataset consists of sensitive personal data, or
(c)the nature of the dataset, or the circumstances in which it was created, is or are such that its examination by the intelligence service is likely to raise novel or contentious issues.
(7)In this section—
“health record” means a record, or a copy of a record which—
consists of information relating to the physical or mental health or condition of an individual,
was made by or on behalf of a health professional in connection with the care of that individual, and
“sensitive personal data” has the meaning given by section 202(4).
(8)In subsection (7), “health professional” and “health service body” have the meaning given by section 206(7).
(9)An application for a third party BPD warrant may only be made on behalf of the head of an intelligence service by a person holding office under the Crown.
(1)In deciding whether to approve a decision to issue a third party BPD warrant, a Judicial Commissioner must review the Secretary of State’s conclusions as to the following matters—
(a)whether the warrant is necessary on grounds falling within section 226G(4)(a), and
(b)whether the conduct that would be authorised by the warrant is proportionate to what is sought to be achieved by that conduct.
(2)In doing so, the Judicial Commissioner must—
(a)apply the same principles as would be applied by a court on an application for judicial review, and
(b)consider the matters referred to in subsection (1) with a sufficient degree of care as to ensure that the Judicial Commissioner complies with the duties imposed by section 2 (general duties in relation to privacy).
(3)Where a Judicial Commissioner refuses to approve a decision to issue a third party BPD warrant, the Judicial Commissioner must give the Secretary of State written reasons for the refusal.
(4)Where a Judicial Commissioner, other than the Investigatory Powers Commissioner, refuses to approve a decision to issue a third party BPD warrant, the Secretary of State may ask the Investigatory Powers Commissioner to decide whether to approve the decision to issue the warrant.
(1)This section applies where—
(a)a third party BPD warrant is issued without the approval of a Judicial Commissioner, and
(b)the Secretary of State considered that there was an urgent need to issue it.
(2)The Secretary of State must inform a Judicial Commissioner that it has been issued.
(3)The Judicial Commissioner must, before the end of the relevant period—
(a)decide whether to approve the decision to issue the warrant, and
(b)notify the Secretary of State of the Judicial Commissioner’s decision.
The “relevant period” means the period ending with the third working day after the day on which the warrant was issued.
(4)Subsections (5) and (6) apply if a Judicial Commissioner refuses to approve the decision to issue a third party BPD warrant.
(5)The warrant—
(a)ceases to have effect (unless already cancelled), and
(b)may not be renewed,
and section 226GA(4) does not apply in relation to the refusal to approve the decision.
(6)The head of the intelligence service to whom the warrant was addressed must, so far as is reasonably practicable, secure that anything in the process of being done in reliance on the warrant stops as soon as possible.
(7)Nothing in subsection (5) or (6) affects the lawfulness of—
(a)anything done in reliance on the warrant before it ceases to have effect;
(b)if anything is in the process of being done in reliance on the warrant when it ceases to have effect—
(i)anything done before that thing could be stopped, or
(ii)anything done that it is not reasonably practicable to stop.
(1)The decision to issue a third party BPD warrant must be taken personally by the Secretary of State.
(2)Before a third party BPD warrant is issued, it must be signed by the Secretary of State.
(3)But if it is not reasonably practicable for a third party BPD warrant to be signed by the Secretary of State, it may be signed by a senior official designated by the Secretary of State for that purpose.
(4)In such a case, the warrant must contain a statement that—
(a)it is not reasonably practicable for the warrant to be signed by the Secretary of State, and
(b)the Secretary of State has personally and expressly authorised the issue of the warrant.
A third party BPD warrant must—
(a)be addressed to the head of the intelligence service by whom, or on whose behalf, the application for the warrant was made, and
(b)include a general description of the bulk personal dataset (or datasets) to which the warrant relates.
(1)A third party BPD warrant ceases to have effect at the end of the relevant period unless—
(a)it is renewed before the end of that period (see section 226HA), or
(b)it is cancelled or otherwise ceases to have effect before the end of that period (see sections 226GB and 226HB).
(2)In this section “the relevant period”—
(a)in the case of an urgent third party BPD warrant, means the period ending with the fifth working day after the day on which the warrant was issued, and
(b)in any other case, means the period of 12 months beginning with—
(i)the day on which the warrant was issued, or
(ii)in the case of a warrant that has been renewed, the day after the day at the end of which the warrant would have ceased to have effect if it had not been renewed.
(3)For the purposes of this section, a third party BPD warrant is an “urgent third party BPD warrant” if—
(a)the warrant was issued without the approval of a Judicial Commissioner, and
(b)the Secretary of State considered that there was an urgent need to issue it.
(1)If the renewal conditions are met, a third party BPD warrant may be renewed, at any time during the renewal period, by an instrument issued by the Secretary of State.
(2)The renewal conditions are—
(a)that the Secretary of State considers that the warrant continues to be necessary on grounds falling within section 226G(4)(a),
(b)that the Secretary of State considers that the conduct that would be authorised by the renewed warrant continues to be proportionate to what is sought to be achieved by the conduct, and
(c)that the decision to renew the warrant has been approved by a Judicial Commissioner.
(3)In this section the “renewal period” means—
(a)in the case of an urgent third party BPD warrant which has not been renewed, the relevant period;
(b)in any other case, the period of 30 days ending with the day at the end of which the warrant would otherwise cease to have effect.
(4)The decision to renew a third party BPD warrant must be taken personally by the Secretary of State, and the instrument renewing the warrant must be signed by the Secretary of State.
(5)Section 226GA (approval of warrants by Judicial Commissioner) applies in relation to a decision to renew a warrant as it applies in relation to a decision to issue a warrant.
(6)In this section—
“the relevant period” has the same meaning as in section 226H;
“urgent third party BPD warrant” is to be read in accordance with subsection (3) of that section.
(1)The Secretary of State, or a senior official acting on behalf of the Secretary of State, may cancel a third party BPD warrant at any time.
(2)If the Secretary of State, or a senior official acting on behalf of the Secretary of State, considers that any of the cancellation conditions are met in relation to a third party BPD warrant, the person must cancel the warrant.
(3)The cancellation conditions are—
(a)that the warrant is no longer necessary on any grounds falling within section 226G(4)(a);
(b)that the conduct authorised by the warrant is no longer proportionate to what is sought to be achieved by that conduct.
(1)This section applies where a third party BPD warrant ceases to have effect because it expires without having been renewed or because it is cancelled.
(2)The head of the intelligence service to whom the warrant was addressed must, so far as is reasonably practicable, secure that anything in the process of being done in reliance on the warrant stops as soon as possible.
(3)Nothing in this section affects the lawfulness of—
(a)anything done in reliance on the warrant before it ceases to have effect;
(b)if anything is in the process of being done in reliance on the warrant when it ceases to have effect—
(i)anything done before that thing could be stopped, or
(ii)anything done that it is not reasonably practicable to stop.
(1)This section applies where—
(a)an intelligence service has relevant access, whether on payment or otherwise, to a set of information that is held electronically by a person other than an intelligence service,
(b)the intelligence service is considering examining the set of information electronically for the purpose of the exercise of its functions,
(c)the examination would be otherwise than in the exercise of a power conferred by a warrant or other authorisation issued or given under this Act, and
(d)the head of the intelligence service, or a person acting on their behalf, believes that—
(i)the set includes, or may include, personal data relating to a number of individuals, and
(ii)the nature of the set is, or may be, such that the majority of the individuals are not, and are unlikely to become, of interest to the intelligence service in the exercise of its functions.
(2)The head of the intelligence service, or a person acting on their behalf, may carry out an initial inspection of the contents of the set for the purpose of deciding whether, if the intelligence service were to examine it after that initial inspection—
(a)the intelligence service would be examining a third party bulk personal dataset (see section 226E), and
(b)such examination would be necessary and proportionate in all the circumstances.
(3)Subsection (4) applies if, after the initial inspection is carried out, the head of the intelligence service, or a person acting on their behalf, decides that—
(a)the intelligence service would be examining a third party bulk personal dataset (as mentioned in subsection (2)(a)), and
(b)such examination would be necessary and proportionate in all the circumstances.
(4)The head of the intelligence service, or a person acting on their behalf, must—
(a)decide whether to examine the third party bulk personal dataset, and
(b)if they decide to do so, apply for a third party BPD warrant.
(5)If the head of the intelligence service, or a person acting on their behalf, applies for such a third party BPD warrant, the intelligence service is not to be regarded as in breach of section 226F(1) by virtue of examining the bulk personal dataset if the examination is necessary for the purposes of the making of the application for the warrant.
(6)For the purposes of subsection (1)(a), “relevant access” is to be read in accordance with section 226E(2).
(7)For the purposes of this section, only a person holding office under the Crown may act on behalf of the head of an intelligence service.
(1)The Secretary of State must ensure, in relation to every third party BPD warrant which authorises the examination of a bulk personal dataset, that arrangements are in force for securing that any examination of data contained in the dataset is necessary and proportionate in all the circumstances.
(2)In doing so, the Secretary of State must in particular have regard to the information that is reasonably available to the intelligence services in relation to the examination of such data.
(1)Subsections (2) and (3) apply if, in a case where protected data contained in a third party bulk personal dataset is to be examined in reliance on a third party BPD warrant—
(a)the purpose, or one of the purposes, of using the criteria to be used for the examination of the data (“the relevant criteria”) is to identify any items subject to legal privilege, or
(b)the use of the relevant criteria is likely to identify such items.
(2)If the relevant criteria are referable to an individual known to be in the British Islands at the time of the examination, the data may be examined using the relevant criteria only if the Secretary of State has approved the use of those criteria.
(3)In any other case, the data may be examined using the relevant criteria only if a senior official acting on behalf of the Secretary of State has approved the use of those criteria.
(4)The Secretary of State may give approval for the purposes of subsection (2) only with the approval of a Judicial Commissioner.
(5)Approval may be given under subsection (2) or (3) only if, where subsection (1)(a) applies, the Secretary of State or (as the case may be) the senior official considers that there are exceptional and compelling circumstances that make it necessary to authorise the use of the relevant criteria.
(6)In deciding whether to give an approval under subsection (2) or (3) in a case where subsection (1)(a) applies, the Secretary of State or (as the case may be) the senior official must have regard to the public interest in the confidentiality of items subject to legal privilege.
(7)For the purposes of subsection (5), there cannot be exceptional and compelling circumstances that make it necessary to authorise the use of the relevant criteria unless—
(a)the public interest in obtaining the information that would be obtained by the examination of the data outweighs the public interest in the confidentiality of items subject to legal privilege,
(b)there are no other means by which the information may reasonably be obtained, and
(c)obtaining the information is necessary in the interests of national security or for the purpose of preventing death or significant injury.
(8)In deciding whether to give approval for the purposes of subsection (4), the Judicial Commissioner must—
(a)apply the same principles as would be applied by a court on an application for judicial review, and
(b)consider the matter with a sufficient degree of care as to ensure that the Judicial Commissioner complies with the duties imposed by section 2 (general duties in relation to privacy).
(9)Subsections (10) and (11) apply if, in a case where protected data contained in a third party bulk personal dataset is to be examined in reliance on a third party BPD warrant—
(a)the purpose, or one of the purposes, of using the criteria to be used for the examination of the data (“the relevant criteria”) is to identify data that, if the data or any underlying material were not created or held with the intention of furthering a criminal purpose, would be an item subject to legal privilege, and
(b)the person to whom the warrant is addressed considers that the data (“the targeted data”) or any underlying material is likely to be data or underlying material created or held with the intention of furthering a criminal purpose.
(10)If the relevant criteria are referable to an individual known to be in the British Islands at the time of the examination, the data may be examined using the relevant criteria only if the Secretary of State has approved the use of those criteria.
(11)In any other case, the data may be examined using the relevant criteria only if a senior official acting on behalf of the Secretary of State has approved the use of those criteria.
(12)Approval may be given under subsection (10) or (11) only if the Secretary of State or (as the case may be) the senior official considers that the targeted data or the underlying material is likely to be data or underlying material created or held with the intention of furthering a criminal purpose.
(13)In this section “underlying material”, in relation to data contained in a third party bulk personal dataset that is to be examined in reliance on a third party BPD warrant, means any communications or other items of information from which the data was produced.
(1)Subsection (2) applies where—
(a)an intelligence service examines a third party bulk personal dataset in reliance on a third party BPD warrant,
(b)as part of the examination, the intelligence service examines an item subject to legal privilege,
(c)the intelligence service retains the item, and
(d)the retention of the item may not be authorised by a warrant under Part 7 (bulk personal dataset warrants).
(2)The person to whom the third party BPD warrant (mentioned in subsection (1)(a)) is addressed must inform the Investigatory Powers Commissioner as soon as reasonably practicable after retaining the item.
(3)Unless the Investigatory Powers Commissioner considers that subsection (5) applies to the item, the Commissioner must—
(a)direct that the item is destroyed, or
(b)impose one or more conditions as to the use or retention of that item.
(4)If the Investigatory Powers Commissioner considers that subsection (5) applies to the item, the Commissioner may nevertheless impose such conditions under subsection (3)(b) as the Commissioner considers necessary for the purpose of protecting the public interest in the confidentiality of items subject to legal privilege.
(5)This subsection applies to an item subject to legal privilege if—
(a)the public interest in retaining the item outweighs the public interest in the confidentiality of items subject to legal privilege, and
(b)retaining the item is necessary in the interests of national security or for the purpose of preventing death or significant injury.
(6)The Investigatory Powers Commissioner—
(a)may require an affected party to make representations about how the Commissioner should exercise any function under subsection (3), and
(b)must have regard to any such representations made by an affected party (whether or not as a result of a requirement imposed under paragraph (a)).
(7)Each of the following is an “affected party” for the purposes of subsection (6)—
(a)the Secretary of State;
(b)the person to whom the third party BPD warrant is or was addressed.
(1)A person commits an offence if—
(a)the person examines, in reliance on a third party BPD warrant, any data contained in a third party bulk personal dataset,
(b)the person knows or believes that the examination of that data is in breach of the requirement specified in subsection (2), and
(c)the person deliberately examines that data in breach of that requirement.
(2)The requirement specified in this subsection is that any examination of the data is necessary and proportionate.
(3)A person guilty of an offence under this section is liable—
(a)on summary conviction in England and Wales, to imprisonment for a term not exceeding the general limit in a magistrates’ court, to a fine or to both;
(b)on summary conviction in Scotland, to imprisonment for a term not exceeding 12 months, to a fine not exceeding the statutory maximum or to both;
(c)on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months, to a fine not exceeding the statutory maximum or to both;
(d)on conviction on indictment, to imprisonment for a term not exceeding 2 years, to a fine or to both.
(4)No proceedings for any offence which is an offence by virtue of this section may be instituted—
(a)in England and Wales, except by or with the consent of the Director of Public Prosecutions;
(b)in Northern Ireland, except by or with the consent of the Director of Public Prosecutions for Northern Ireland.
(1)In this Part—
“personal data” has the same meaning as in Part 7 (see section 199(2));
“protected data” has the same meaning as in Part 7 (see section 203);
“senior official” means a member of the Senior Civil Service or a member of the Senior Management Structure of His Majesty’s Diplomatic Service;
“third party BPD warrant” has the meaning given by section 226F.
(3)See also—
section 263 (general definitions),
section 265 (index of defined expressions).”
Commencement Information
I5S. 5 not in force at Royal Assent, see s. 32(2)
(1)The Investigatory Powers Act 2016 is amended in accordance with subsections (2) to (4).
(2)In section 1 (overview of Act), in subsection (6)—
(a)in the words before paragraph (a), for “Parts 2 to 7” substitute “Parts 2 to 7B”;
(b)in paragraph (e)—
(i)for “Part 7 deals” substitute “Parts 7 to 7B deal”;
(ii)after “warrants” insert “and authorisations”.
(3)In section 2 (general duties in relation to privacy), in subsection (1)—
(a)in paragraph (a), for “or 7” substitute “, 7 or 7B”;
(b)omit the “or” after paragraph (j);
(c)after that paragraph insert—
“(ja)to grant, renew or cancel an authorisation under Part 7A,
(jb)to approve a decision to grant or renew such an authorisation, or”;
(d)in paragraph (k), for “or (i)” substitute “, (i) or (ja)”.
(4)In section 229 (main oversight functions), in subsection (9), in the definition of “bulk personal dataset”, after “199” insert “(and includes a third party bulk personal dataset (see section 226E))”.
(5)Section 65 of the Regulation of Investigatory Powers Act 2000 (the Tribunal) is amended as follows.
(6)In subsection (5)—
(a)after paragraph (czh) insert—
“(czha)the granting or renewal of an authorisation under Part 7A of that Act (low or no expectation of privacy bulk personal datasets);
(czhb)the issue, renewal or service of a warrant under Part 7B of that Act (third party bulk personal datasets);”;
(b)in paragraph (czl)(i)—
(i)for “or 7” substitute “, 7 or 7B”;
(ii)after “Part 3” insert “or 7A”.
(7)In subsection (7ZB), after “(czh)” insert “, (czha), (czhb)”.
(8)In subsection (8)—
(a)in paragraph (a), for “or 7” substitute “, 7 or 7B”;
(b)after paragraph (bb) insert—
“(bba)an authorisation under Part 7A of that Act;”.
Commencement Information
I6S. 6 not in force at Royal Assent, see s. 32(2)