Part 8Oversight arrangements

CHAPTER 1Investigatory Powers Commissioner and other Judicial Commissioners

Reports and investigation and information powers

F1235APersonal data breaches

(1)

This section applies where a telecommunications operator would, but for a relevant restriction, be required by regulation 5A(2) of the 2003 Regulations to notify a personal data breach to the Information Commissioner.

(2)

The telecommunications operator must report the personal data breach to the Investigatory Powers Commissioner.

(3)

Where a telecommunications operator reports a personal data breach to the Investigatory Powers Commissioner under subsection (2), a Judicial Commissioner must disclose information about the breach to the Information Commissioner.

(4)

Where a Judicial Commissioner discloses information about a personal data breach to the Information Commissioner under subsection (3), the Information Commissioner must—

(a)

consider whether the breach is serious, and

(b)

if the Information Commissioner considers that the breach is serious, notify the Investigatory Powers Commissioner.

(5)

The Investigatory Powers Commissioner must inform an individual of any personal data breach relating to that individual of which the Commissioner is notified under subsection (4)(b) if the Commissioner considers that it is in the public interest for the individual to be informed of the breach.

(6)

In making a decision under subsection (5), the Investigatory Powers Commissioner must, in particular, consider—

(a)

the seriousness of the breach and its effect on the individual concerned, and

(b)

the extent to which disclosing the breach would be contrary to the public interest or prejudicial to—

(i)

national security,

(ii)

the prevention or detection of serious crime,

(iii)

the economic well-being of the United Kingdom, or

(iv)

the continued discharge of the functions of any of the intelligence services.

(7)

Before making a decision under subsection (5), the Investigatory Powers Commissioner must ask—

(a)

the Secretary of State, and

(b)

any public authority that the Investigatory Powers Commissioner considers appropriate,

to make submissions to the Commissioner about the matters concerned.

(8)

When informing an individual under subsection (5) of a breach, the Investigatory Powers Commissioner must—

(a)

inform the individual of any rights that the individual may have to apply to the Investigatory Powers Tribunal in relation to the breach, and

(b)

provide such details of the breach as the Commissioner considers to be necessary for the exercise of those rights, having regard in particular to the extent to which disclosing the details would be contrary to the public interest or prejudicial to anything falling within subsection (6)(b)(i) to (iv).

(9)

The Investigatory Powers Commissioner may not inform the individual to whom it relates of a personal data breach notified to the Commissioner under subsection (4)(b) except as provided by this section.

(10)

For the purposes of this section, a personal data breach is serious if the breach is likely to result in a high risk to the rights and freedoms of individuals.

(11)

In this section—

2003 Regulations” means the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426);

personal data breach” has the same meaning as in the 2003 Regulations (see regulation 2(1) of those Regulations);

relevant restriction” means any of the following—

(a)

section 57(1) (duty not to make unauthorised disclosures) (including as applied by section 156);

(b)

section 132(1) (duty not to make unauthorised disclosures) (including as applied by section 197);

(c)

section 174(1) (offence of making unauthorised disclosure),

(read with regulation 29(1)(a)(i) of the 2003 Regulations).