Duties of providers of public electronic communications networks and services
1 Duty to take security measures
(1) The Communications Act 2003 is amended as follows.
(2) For sections 105A to 105D substitute—
105A Duty to take security measures
(1) The provider of a public electronic communications network or a public electronic communications service must take such measures as are appropriate and proportionate for the purposes of—
(a) identifying the risks of security compromises occurring;
(b) reducing the risks of security compromises occurring; and
(c) preparing for the occurrence of security compromises.
(2) In this Chapter “security compromise”, in relation to a public electronic communications network or a public electronic communications service, means—
(a) anything that compromises the availability, performance or functionality of the network or service;
(b) any unauthorised access to, interference with or exploitation of the network or service or anything that enables such access, interference or exploitation;
(c) anything that compromises the confidentiality of signals conveyed by means of the network or service;
(d) anything that causes signals conveyed by means of the network or service to be—
(i) lost;
(ii) unintentionally altered; or
(iii) altered otherwise than by or with the permission of the provider of the network or service;
(e) anything that occurs in connection with the network or service and compromises the confidentiality of any data stored by electronic means;
(f) anything that occurs in connection with the network or service and causes any data stored by electronic means to be—
(i) lost;
(ii) unintentionally altered; or
(iii) altered otherwise than by or with the permission of the person holding the data; or
(g) anything that occurs in connection with the network or service and causes a connected security compromise.
(3) But in this Chapter “security compromise” does not include anything that occurs as a result of conduct that—
(a) is required or authorised by or under an enactment mentioned in subsection (4);
(b) is undertaken for the purpose of providing a person with assistance in giving effect to a warrant or authorisation that has been issued or given under an enactment mentioned in subsection (4);
(c) is undertaken for the purpose of providing a person with assistance in exercising any power conferred by or under prison rules; or
(d) is undertaken for the purpose of providing assistance to a constable or a member of a service police force (acting in either case in that capacity).
(4) The enactments are—
(a) the Investigatory Powers Act 2016;
(b) Part 1 of the Crime and Courts Act 2013;
(c) the Prisons (Interference with Wireless Telegraphy) Act 2012;
(d) the Regulation of Investigatory Powers Act 2000;
(e) the Regulation of Investigatory Powers (Scotland) Act 2000;
(f) the Intelligence Services Act 1994;
(g) any other enactment (whenever passed or made) so far as it—
(i) makes provision which is in the interests of national security;
(ii) has effect for the purpose of preventing or detecting crime or of preventing disorder; or
(iii) makes provision which is in the interests of the economic well-being of the United Kingdom so far as those interests are also relevant to the interests of national security.
(5) In this section—
“connected security compromise” means—
(a) in relation to a public electronic communications network, a security compromise that occurs in relation to another public electronic communications network or a public electronic communications service;
(b) in relation to a public electronic communications service, a security compromise that occurs in relation to a public electronic communications network or another public electronic communications service;
“crime” and “detecting crime” have the same meanings as in the Investigatory Powers Act 2016;
“prison rules” means any rules made under—
(a) section 47 of the Prison Act 1952;
(b) section 39 of the Prisons (Scotland) Act 1989; or
(c) section 13 of the Prison Act (Northern Ireland) 1953;
“service police force” means—
(a) the Royal Navy Police;
(b) the Royal Military Police; or
(c) the Royal Air Force Police;
“signal” has the same meaning as in section 32.
105B Duty to take specified security measures
(1) The Secretary of State may by regulations provide that the provider of a public electronic communications network or a public electronic communications service must take specified measures or measures of a specified description.
(2) A measure or description of measure may be specified only if the Secretary of State considers that taking that measure or a measure of that description would be appropriate and proportionate for a purpose mentioned in section 105A(1).
(3) In this section “specified” means specified in the regulations.
(4) Nothing in this section or regulations under it affects the duty imposed by section 105A.
(3) In section 151 (interpretation of Chapter 1 of Part 2) at the appropriate place in subsection (1) insert—
“security compromise”, in relation to a public electronic communications network or a public electronic communications service, has the meaning given by section 105A;