Telecommunications (Security) Act 2021

Securing compliance with security dutiesU.K.

5General duty of OFCOM to ensure compliance with security dutiesU.K.

After section 105L of the Communications Act 2003 insert—

“105MGeneral duty of OFCOM to ensure compliance with security duties

OFCOM must seek to ensure that providers of public electronic communications networks and public electronic communications services comply with the duties imposed on them by or under sections 105A to 105D, 105J and 105K.”

6Powers of OFCOM to assess compliance with security dutiesU.K.

(1)The Communications Act 2003 is amended as follows.

(2)After section 105M insert—

“105NPower of OFCOM to assess compliance with security duties

(1)OFCOM may carry out, or arrange for another person to carry out, an assessment of whether the provider of a public electronic communications network or a public electronic communications service is complying or has complied with a duty imposed on the provider by or under any of sections 105A to 105D, 105J and 105K.

(2)Where an assessment under this section is carried out, the provider of the network or service concerned must—

(a)co-operate with the assessment; and

(b)pay the costs reasonably incurred by OFCOM in connection with the assessment.

105OPower of OFCOM to give assessment notices

(1)This section applies for the purposes of an assessment under section 105N in respect of the provider of a public electronic communications network or a public electronic communications service.

(2)OFCOM may by notice (“an assessment notice”) impose on the provider a duty to do any of the following things—

(a)carry out specified tests or tests of a specified description in relation to the network or service;

(b)make arrangements of a specified description for another person to carry out specified tests or tests of a specified description in relation to the network or service;

(c)make available for interview a specified number of persons of a specified description who are involved in the provision of the network or service (not exceeding the number who are willing to be interviewed);

(d)permit an authorised person to enter specified premises;

(e)permit an authorised person to observe any operation taking place on the premises that relates to the network or service;

(f)direct an authorised person to equipment or other material on the premises that is of a specified description;

(g)direct an authorised person to documents on the premises that are of a specified description;

(h)assist an authorised person to view information of a specified description that is capable of being viewed using equipment on the premises;

(i)comply with a request from an authorised person for a copy of the documents to which the person is directed and the information the person is assisted to view;

(j)permit an authorised person to inspect or examine the documents, information, equipment or material to which the person is directed or which the person is assisted to view;

(k)provide an authorised person with an explanation of such documents, information, equipment or material.

(3)The references in subsection (2)(a) and (b) to tests in relation to the network or service include references to—

(a)tests in relation to premises used in connection with the provision of the network or service;

(b)tests in relation to persons involved in the provision of the network or service.

(4)An assessment notice may impose on the provider a duty to carry out, or to make arrangements for another person to carry out, a test in relation to the network or service that risks causing a security compromise, loss to a person or damage to property only if the test consists of the use of techniques that might be expected to be used by a person seeking to cause a security compromise.

(5)An assessment notice may not impose on the provider a duty to permit an authorised person to enter domestic premises.

(6)An assessment notice may not impose on the provider a duty to do anything that would result in the disclosure of documents or information in respect of which a claim to legal professional privilege (or, in Scotland, to confidentiality of communications) could be maintained in legal proceedings.

(7)An assessment notice must, in relation to each duty imposed by the notice, specify the time or times at which, or period or periods within which, the duty must be complied with.

(8)A time or period specified under subsection (7) must not be a time that falls or a period that begins before the end of the period within which an appeal under section 192 can be brought in respect of the assessment notice (ignoring any power to extend the period within which an appeal could be brought).

(9)If an appeal under section 192 is brought in respect of an assessment notice or any provision of an assessment notice, the provider need not comply with any duty imposed by the notice or the provision pending the determination or withdrawal of the appeal.

(10)An assessment notice must provide information about—

(a)the consequences of failing to comply with a duty imposed by the notice; and

(b)the right of appeal in respect of the notice under section 192.

(11)An assessment notice may by further notice—

(a)be revoked by OFCOM;

(b)be varied by OFCOM so as to make it less onerous.

(12)In this section—

• “authorised person” means an employee of, or person authorised by, OFCOM;

• “domestic premises” means premises, or a part of premises, used as a dwelling;

• “specified” means specified in the assessment notice.

105PAssessment notices: urgency statements

(1)This section applies where—

(a)an assessment notice is given under section 105O to the provider of a public electronic communications network or a public electronic communications service;

(b)the notice states that, in OFCOM’s opinion, it is necessary for the provider to comply with a duty imposed by the notice urgently;

(c)the notice gives OFCOM’s reasons for reaching that opinion; and

(d)the notice provides information about the right of the provider to make an application under section 105Q.

(2)Subsections (8) and (9) of section 105O do not apply in relation to the duty mentioned in subsection (1)(b).

(3)A time or period specified under subsection (7) of section 105O in relation to the duty mentioned in subsection (1)(b) must not be a time that falls or a period that begins before the end of the period of 14 days beginning with the day the notice is given.

(4)In a case where—

(a)the duty mentioned in subsection (1)(b) is a duty to do something mentioned in section 105O(2)(d) to (k), and

(b)within the period of 14 days beginning with the day the notice is given an appeal under section 192 is brought in respect of the notice or the provision of the notice that imposes the duty,

the provider of the network or service need not comply with the duty pending the determination or withdrawal of the appeal.

105QAssessment notices: applications in respect of urgency statements

(1)This section applies where an assessment notice given under section 105O to a provider of a public electronic communications network or a public electronic communications service contains a statement under section 105P(1)(b).

(2)The provider may apply to the court for either or both of the following—

(a)the disapplication of the statement in relation to some or all of the duties imposed by the notice;

(b)a change to the time at which, or period within which, a duty imposed by the notice must be complied with.

(3)On an application under this section, the court may do any of the following—

(a)direct that the notice is to have effect as if it did not contain the statement;

(b)direct that the inclusion of the statement is not to have effect in relation to a duty imposed by the notice;

(c)vary the notice by changing the time at which, or the period within which, a duty imposed by the notice must be complied with;

(d)vary the notice by making other changes required to give effect to a direction under paragraph (a) or (b) or in consequence of a variation under paragraph (c).

(4)The decision of the court on an application under this section is final.

(5)In this section “the court” means the High Court or, in Scotland, the Court of Session.

105RAssessment notices: information about entering premises

Every report under paragraph 12 of the Schedule to the Office of Communications Act 2002 (OFCOM’s annual report) must include a statement of the number of occasions during the financial year to which the report relates on which premises have been entered in pursuance of a duty imposed under section 105O(2)(d).”

(3)In section 135 (information required for purposes of certain OFCOM functions) in subsection (3) (particular purposes for which information may be required) after paragraph (i) insert—

“(iza)carrying out an assessment under section 105N;”.

(4)In Schedule 8 (decisions not subject to appeal) after paragraph 7 insert—

“7AA decision to include a statement under section 105P(1)(b) in an assessment notice under section 105O.”

7Powers of OFCOM to enforce compliance with security dutiesU.K.

(1)The Communications Act 2003 is amended as follows.

(2)After section 105R insert—

“105SEnforcement of security duties

(1)Sections 96A to 100, 102 and 103 apply in relation to a contravention of a security duty as they apply in relation to a contravention of a condition set under section 45, other than an SMP apparatus condition.

(2)This section is subject to section 105T (enforcement of security duties: amount of penalties).

(3)In this section “security duty” means a duty imposed by or under any of sections 105A to 105D, 105I to 105K, 105L(6), (7)(c) and (8), 105N(2)(a) and 105O.

105TEnforcement of security duties: amount of penalties

(1)In its application in relation to a contravention of a security duty, other than a security duty imposed by section 105I, section 96B(5) has effect as if the maximum penalty specified were £100,000 per day.

(2)In its application in relation to a contravention of a security duty imposed by section 105I, section 96B(5) has effect as if the maximum penalty specified were £50,000 per day.

(3)In its application in relation to a contravention of a security duty imposed by section 105I, section 97(1) has effect as if the maximum penalty specified were £10 million.

(4)The Secretary of State may by regulations amend this section so as to substitute a different amount for the amount for the time being specified in subsection (1), (2) or (3).

(5)No regulations are to be made containing provision authorised by subsection (4) unless a draft of the regulations has been laid before Parliament and approved by a resolution of each House.

(6)In this section “security duty” has the same meaning as in section 105S.

105UEnforcement of security duties: proposal for interim steps

(1)This section applies where—

(a)OFCOM determine that there are reasonable grounds for believing that the provider of a public electronic communications network or a public electronic communications service is contravening or has contravened a duty imposed by or under any of sections 105A to 105D;

(b)OFCOM either have not commenced, or have commenced but not completed, enforcement action in connection with the contravention;

(c)OFCOM determine that there are reasonable grounds for believing that either or both of the following conditions are met—

(i)a security compromise has occurred as a result of the contravention;

(ii)there is an imminent risk of a security compromise or (as the case may be) a further security compromise occurring as a result of the contravention; and

(d)OFCOM determine that, having regard to the seriousness or likely seriousness of the security compromise or security compromises mentioned in paragraph (c), it is reasonable to require the provider to take interim steps pending the completion by OFCOM of enforcement action in connection with the contravention.

(2)OFCOM may give a notification to the provider that—

(a)sets out the determinations mentioned in subsection (1);

(b)specifies the interim steps that OFCOM think the provider should be required to take pending the completion by OFCOM of enforcement action in connection with the contravention; and

(c)specifies the period during which the provider has an opportunity to make representations about the matters notified.

(3)In this section and section 105V—

(a)references to the commencement by OFCOM of enforcement action in connection with a contravention are to the giving of a notification under section 96A (as applied by section 105S) in respect of the contravention; and

(b)references to the completion by OFCOM of enforcement action in connection with a contravention are to the taking of action under section 96C(2)(a) or (b) (as applied by section 105S) in connection with the contravention.

(4)In this section “interim steps” means—

(a)in a case where OFCOM determine that there are reasonable grounds for believing that the condition in subsection (1)(c)(i) is met, steps to—

(i)prevent adverse effects (on the network or service or otherwise) arising from the security compromise;

(ii)remedy or mitigate any adverse effects on the network or service arising from the security compromise;

(b)in a case where OFCOM determine that there are reasonable grounds for believing that the condition in subsection (1)(c)(ii) is met, steps to—

(i)eliminate or reduce the risk of the security compromise or (as the case may be) the further security compromise occurring;

(ii)prevent adverse effects (on the network or service or otherwise) arising from the security compromise or (as the case may be) the further security compromise in the event it occurs.

105VEnforcement of security duties: direction to take interim steps

(1)This section applies where—

(a)the provider of a public electronic communications network or a public electronic communications service has been given a notification under section 105U;

(b)OFCOM have allowed the provider an opportunity to make representations about the matters notified; and

(c)the period allowed for the making of representations has expired.

(2)OFCOM may—

(a)direct the provider to take the interim steps or any of the interim steps specified in the notification; or

(b)inform the provider that a direction under paragraph (a) will not be given.

(3)OFCOM may give a direction under subsection (2)(a) only if (after considering any representations) they are satisfied—

(a)that there are reasonable grounds for believing that the contravention on the basis of which the notification was given occurred;

(b)that there are reasonable grounds for believing that either or both of the following conditions are met—

(i)a security compromise has occurred as a result of the contravention;

(ii)there is an imminent risk of a security compromise or (as the case may be) a further security compromise occurring as a result of the contravention; and

(c)that, having regard to the seriousness or likely seriousness of the security compromise or security compromises mentioned in paragraph (b), it is reasonable to give the direction.

(4)A direction under subsection (2)(a) must include a statement of OFCOM’s reasons for giving the direction.

(5)A direction under subsection (2)(a) must, in relation to each interim step, specify the period within which the step must be taken.

(6)A direction under subsection (2)(a) is ineffective in so far as it would require interim steps to be taken after the completion by OFCOM of enforcement action in connection with the contravention concerned.

(7)Where a direction under subsection (2)(a) has been given and has not been revoked, OFCOM must as soon as reasonably practicable—

(a)commence enforcement action in connection with the contravention concerned (unless enforcement action was commenced by OFCOM before the direction was given); and

(b)complete enforcement action in connection with the contravention concerned.

(8)A direction under subsection (2)(a) may at any time—

(a)be revoked by OFCOM; or

(b)be varied by OFCOM so as to make it less onerous.

(9)A provider of a public electronic communications network or a public electronic communications service who is given a direction under subsection (2)(a) must comply with it.

(10)That duty is enforceable in civil proceedings by OFCOM—

(a)for an injunction;

(b)for specific performance of a statutory duty under section 45 of the Court of Session Act 1988; or

(c)for any other appropriate remedy or relief.”

(3)In section 113 (suspension of application of the electronic communications code) in subsection (2)(b) for “section 105D” substitute “section 105S”.

8Civil liability for contravention of security dutiesU.K.

After section 105V of the Communications Act 2003 insert—

“105WCivil liability for breach of security duties

(1)A duty imposed by or under any of sections 105A to 105D and 105J on a provider of a public electronic communications network or a public electronic communications service is a duty owed to every person who may be affected by a contravention of the duty.

(2)Subsections (3) and (4) apply where a duty is owed by virtue of subsection (1) to a person.

(3)A breach of the duty that causes that person to sustain loss or damage is actionable at the suit or instance of that person.

(4)An act which—

(a)by inducing a breach of the duty or interfering with its performance, causes that person to sustain loss or damage, and

(b)is done wholly or partly for achieving that result,

is actionable at the suit or instance of that person.

(5)In proceedings brought against a provider of a public electronic communications network or a public electronic communications service by virtue of subsection (3), it is a defence for the provider to show that they took all reasonable steps and exercised all due diligence to avoid contravening the duty in question.

(6)The consent of OFCOM is required for the bringing of proceedings by virtue of this section.

(7)If OFCOM give their consent subject to conditions relating to the conduct of the proceedings, the proceedings are not to be carried on except in compliance with those conditions.”

9Relationship between security duties and certain other duties etcU.K.

After section 105W of the Communications Act 2003 insert—

“105XRelationship between security duties and certain other duties etc

(1)A security duty imposed on a provider of a public electronic communications network or a public electronic communications service does not apply in so far as compliance with the duty would—

(a)result in a failure by the provider to comply with a duty or prohibition imposed by or under an enactment mentioned in section 105A(4);

(b)prevent the provider from giving effect to a warrant or authorisation that has been issued or given under an enactment mentioned in section 105A(4);

(c)prevent the provider from providing a person with assistance in giving effect to a warrant or authorisation that has been issued or given under an enactment mentioned in section 105A(4); or

(d)prevent the provider from providing a person with assistance in exercising any power conferred by or under prison rules.

(2)In this section—

• “prison rules” has the same meaning as in section 105A;

• “security duty” means a duty imposed by or under—

  (a)

  section 96C as applied by section 105S; or

  (b)

  any of sections 105A to 105D, 105I to 105K, 105L(6), (7)(c) and (8), 105N(2)(a), 105O and 105V.”

10Statement of policy on ensuring compliance with security dutiesU.K.

(1)The Communications Act 2003 is amended as follows.

(2)After section 105X insert—

“105YStatement of policy on ensuring compliance with security duties

(1)OFCOM must prepare and publish a statement of their general policy with respect to the exercise of their functions under sections 105I and 105M to 105V.

(2)OFCOM may from time to time revise that statement as they think fit.

(3)Where OFCOM make or revise their statement of policy under this section, they must publish that statement or (as the case may be) the revised statement in such manner as they consider appropriate for bringing it to the attention of the persons who, in their opinion, are likely to be affected by it.

(4)In exercising their functions under sections 105I and 105M to 105V OFCOM must have regard to the statement for the time being in force under this section.”

(3)In Schedule 8 (decisions not subject to appeal) after paragraph 7A (inserted by section 6(4)) insert—

“7BA decision relating to the making or revision of a statement under section 105Y.”