Policy background
- The IPA 2016 was introduced to provide a clear legal framework for the intelligence services, law enforcement, and other public authorities to obtain and utilise communications, and data about communications, where it was deemed necessary and proportionate and in line with the statutory purposes set out in the Act.
- These powers, supported by safeguards, play an integral part in helping to keep the public safe from a range of threats including terrorism, state threats, and serious and organised crime, such as child sexual abuse and exploitation.
- Since the introduction of the IPA 2016, the world has changed. Technology has advanced, and the types of threat the UK faces continue to evolve. The Investigatory Powers (Amendment) Act therefore seeks to make targeted changes to the IPA 2016 to support the intelligence services in keeping pace with a range of threats against a backdrop of accelerating technological advancements, which provide new opportunities for criminals such as terrorists, hostile state actors, child abusers, and criminal gangs.
- As per s260 of the IPA 2016, the Home Secretary conducted a Statutory Review of the functioning of the Act. The report on the findings of this review was published in February 2023 [1]. The overarching conclusion of the review was that parts of the Act were inhibiting the ability of the intelligence services to keep the country safe from both current and evolving threats.
- Engagement with law enforcement, the intelligence services, wider public authorities, and government departments found that, while in high-level terms the IPA 2016 has broadly achieved its aims, there is a case for immediate legislative change to some targeted parts of that Act.
- To complement the Home Secretary’s review and noting the value of the independent scrutiny that informed the passage of IPA 2016, the Home Secretary appointed Lord Anderson to conduct an independent review into the Act to inform any potential legislative change.
- Lord Anderson’s review was entirely independent from the Home Secretary’s statutory review. His subsequent report on his review, published in June 2023, focused on the effectiveness of the bulk personal dataset regime, criteria for obtaining internet connection records, the suitability of certain definitions within the IPA 2016, and the resilience and agility of warrantry processes and the oversight regime.
- The measures being taken forward in the Investigatory Powers (Amendment) Act have been driven by the Home Secretary’s review and the recommendations made in Lord Anderson’s report.
Bulk Personal Datasets (BPDs)
- The retention and examination of bulk personal datasets (BPDs) by the intelligence services is regulated by Part 7 of the IPA 2016. This defines a BPD as a set of information that includes personal data relating to a number of individuals, where the nature of the dataset is such that the majority of the individuals are unlikely to be or to become of interest to the intelligence services, and which is retained electronically by an intelligence service and held for analysis in the exercise of its statutory functions.
- Part 7 sets out the safeguards that apply to BPDs. All datasets that meet the current definition of a BPD may only be retained and examined under a warrant that has been subject to prior judicial authorisation under the "double lock" authorisation process. BPD warrants are currently valid for six months.
- The "double lock" authorisation process requires warrants authorised by the Secretary of State to be approved by an independent Judicial Commissioner (JC) before warrants can be issued.
- BPDs are used by the intelligence services in multiple different ways; for example, to provide ‘building block’ intelligence, such as names, dates, communication identifiers, details of travel, associates, etc. Traditionally, the critical value of a BPD is in the ability to make targeted queries of the data (for example, to identify a subject of interest), cross-reference them with other BPDs and then overlay the results with other data from a variety of sources (such as intelligence derived from other investigatory powers). This allows analysts to pull together an assessment on the possible meanings of the fragmentary intelligence that the intelligence services receive.
- Since IPA 2016 entered into force there has been a considerable growth in volume and types of data across all sectors of society globally, and at the same time the threat to the national security of the UK and its allies has diversified (as set out in the Integrated Review Refresh 2023 [2]). The information the intelligence services require to disrupt threats is increasingly fragmented amongst growing and varied data.
- The Home Secretary’s Statutory Review of the functioning of the Act stated that limitations within the IPA 2016 are inhibiting the intelligence services’ ability to maximise the benefits of digital transformation, and to ultimately protect national security. The intelligence services need to acquire increasing quantities of data, much of which is publicly available. It is anticipated that the data will improve analysis and in particular will enable the development of machine learning capabilities at the pace and scale the intelligence services need to identify and disrupt threats.
- As set out in Lord Anderson’s review, the IPA 2016 is restricting the intelligence services’ ability to make use of machine learning (ML) (including training to avoid biases) to support human-led analysis, and to manage increasing volumes of data and increase speed and quality of human decision making. It also restricts access to open resources such as telephone directories which can still be valuable for the more traditional uses of BPD.
- The training of ML models requires large quantities of open source or publicly available data that is representative of the type of data on which the model will be deployed, but which is voluminous enough to overcome or minimise any inherent biases.
- Unlike traditional uses for BPD, when training ML models the intelligence services do not examine the data to look for information on specific individuals featured in the data. Instead, BPDs are used for ML because they are representative examples of the structure or attributes of data the intelligence services are interested in. For example, the intelligence services may want to build a model to be able to identify weapons within images; the model will do this by learning from the training data features that make types of weaponry similar. Such models can be used to scan and triage images, before they are passed to human experts to assess. Developing models that can assist the intelligence services with growing volumes of data aims to make best use of resources in protecting national security.
- In his Independent Review of The Investigatory Powers Act 2016 [3], Lord Anderson made the following recommendations, which are being taken forward via this legislation:
  - That IPA 2016 Part 7 should be amended to recognise a new category of BPDs in respect of which there is a low or no expectation of privacy, to which a distinct and less onerous set of safeguards should apply.
  - That IPA 2016 s213 be amended to provide that BPD warrants cease to have effect 12 months after they were issued, unless they have already been renewed or cancelled.
  - That IPA 2016 ss202, 206, 215, 219, and 220 (but not s210) be amended so as to provide explicitly that the functions with which they are concerned may be exercised by a Crown Servant on behalf of the head of an intelligence service.
- Building on these recommendations, this Act:
  - Amends safeguards for the retention and examination of BPDs where there is low or no reasonable expectation of privacy. This creates a new regime alongside the current Part 7. The intention of these changes is to enable the intelligence agencies to make more effective and efficient use of datasets in respect of which individuals have low or no expectation of privacy (such as online encyclopaedias and content from established news media).
  - Amends IPA 2016 s213 to allow for the extension of the duration of a BPD warrant from 6 to 12 months. Currently BPD warrants need to be renewed every 6 months. BPDs are often used to support long-term strategic intelligence activities rather than short-term tactical actions. The aim of introducing a longer warrant duration is to enable the value of the BPD to be more appropriately and accurately demonstrated.
  - Makes clear that the head of an intelligence service – the agency head – can delegate certain existing functions in relation to BPD warrants. This enables agency heads to delegate certain functions to an appropriate Crown Servant, whilst still being accountable for decisions that are taken on their behalf. The agency heads would still be required to personally carry out functions where risks are higher (such as under the existing duty in s210 to cease activity where a judicial commissioner refuses to sign off an urgent BPD warrant and the agency head must ensure the activity ceases).
Third Party Bulk Personal Datasets (3PD)
- A third party bulk personal dataset (3PD) is a dataset which would fall within Part 7 of IPA 2016 if an intelligence service were to retain it, but which is instead held by a third party (such as Government departments or commercial entities).
- For example, an intelligence service may access Government-held immigration related datasets to conduct checks to ensure those entering the UK do not pose a risk to national security. Many commercial companies acquire various datasets as part of their own business objectives and offer access to these to a variety of customers. Access to such datasets may offer the intelligence services different capabilities and insights to those that are generally available in order to support them in carrying out their statutory functions. It may be more proportionate or practical for the intelligence service to examine in situ a dataset held by a third party rather than acquire and retain the data themselves.
- The Act inserts a new 3PD regime into the IPA 2016 that would apply where an intelligence service has relevant access to the 3PD and examines it in situ (that is, on the third party’s systems) for the purpose of their statutory functions (see the Security Service Act 1989 and the Intelligence Services Act 1994).
- The new regime introduces 3PD warrants, which will be subject to a "double lock", whereby the warrant would need to be approved by both the Secretary of State and an independent Judicial Commissioner. This would build on the statutory regime that already exists in the IPA 2016 to underpin other powers.
- Lord Anderson’s review of the IPA 2016 noted that the Investigatory Powers Commissioner’s Office (IPCO) conducted an ‘extensive review’ of third party datasets in 2019 and concluded that the intelligence service’s current access was compliant with Part 7, as reported in IPCO’s 2019 Annual Report [4]. However, IPCO’s report recommended that the Government consider bringing third-party datasets within IPCO’s oversight. The new regime draws on the already well-established Part 7 IPA 2016 regime and incorporates statutory safeguards, including making provision for independent judicial oversight by the Investigatory Powers Commissioner.
Improvements to the Notices Regime
- For many years, the UK government has had the power to place requirements on telecommunications operators to assist with national security and law enforcement; for example, the power in section 94 of the Telecommunications Act 1984. A Telecommunications Operator is defined in Section 261(10) of the IPA 2016 as:
"Telecommunications operator" means a person who-
(a) offers or provides a telecommunications service to persons in the United Kingdom, or
(b) controls or provides a telecommunication system which is (wholly or partly)-
  (i) in the United Kingdom, or
  (ii) controlled from the United Kingdom.
- The IPA 2016 currently provides for three different types of notice that can be issued to telecommunication operators (and in some cases postal operators):
  - Data Retention Notices (DRNs) require the retention of specified types of communication data (communications data is the ‘who’, ‘when’, ‘where’ and ‘how’ – often known as metadata) by telecommunications operators.
  - Technical Capability Notices (TCNs) require telecommunications operators to provide and maintain technical capabilities enabling them to respond to relevant IPA 2016 authorisations or warrants allowing access to communications data, the content of a communication (the ‘what’), or to enable equipment interference. A notice does not itself authorise the activity that the technical capability is intended to enable.
  - National Security Notices (NSNs) require the telecommunications operator to take such specified steps as the Secretary of State considers necessary in the interests of national security. This may include providing services or facilities for the purpose of facilitating or assisting an intelligence service to carry out its functions or dealing with an emergency (within the meaning of Part 1 of the Civil Contingencies Act 2004).
- All three types of notices must be ‘double-locked’ (approved by both the Secretary of State and an independent Judicial Commissioner) before they can be given to the operator in question. Sections 88(1) and 255(3) of the IPA 2016 also lay out the factors the Secretary of State must consider when deciding whether to give a notice. These matters include:
  - The likely benefits of the notice,
  - The likely number of users (if known) of any postal or telecommunications service to which the notice relates,
  - The technical feasibility of complying with the notice,
  - The likely cost of complying with the notice, and
  - Any other effect of the notice on the person (or description of person) to whom it relates.
- A notice itself does not allow access to data. Even when there is a notice in place with a Telecommunications Operator (TO), the public authorities and intelligence communities must also have the relevant warrant or authorisation in place before they are able to access data. The decision to issue a warrant or grant an authorisation will, itself, be subject to appropriate safeguards to ensure that it is necessary and proportionate.
- When it was introduced, one of the main aims of the IPA 2016 was to ensure the powers were fit for the digital age. In the period since 2016, the global volumes of data that exist have grown exponentially, and significant, fast-paced technological change has become the norm. The efficacy of the powers has shifted with these changes, resulting in a negative effect on the capabilities of the UK’s law enforcement and intelligence agencies.
- Between 5 June and 31 July 2023, the Government ran a public consultation on the revised notices regimes in the IPA [5]. The consultation set out the Government’s proposed objectives to improve the effectiveness of the current notices regimes in response to technological changes and the risk they pose to investigatory powers, as well as the increase in data being held overseas. The consultation sought input to inform potential policy and legislative proposals intended to mitigate those risks whilst still promoting technological innovation and the privacy of citizens.
- The Government consultation response was published on 7 November 2023. This response set out the amendments to Part 4 and Part 9 of the IPA 2016 that were made in this Act to maintain the efficacy of these long-standing powers. These measures include: strengthening the notice review process by maintaining the status quo during the notice review period; clarifying the definition of a telecommunications operator; introducing a notification requirement that requires relevant telecommunications operators (who will be directly informed that they are bound by the obligation by the Secretary of State) to inform the Secretary of State if they propose to make changes to their products or services that would negatively impact existing lawful access capabilities; and introducing a notice renewal process with a statutory role for the IPC in order to increase oversight.
- Additionally, under section 255(9)-(11) of the IPA 2016, any TCN is enforceable by civil proceedings against a person in the UK. Only TCNs that provide for interception and targeted communications data acquisition capabilities are enforceable against a person overseas. Section 95 of the IPA 2016 also provides that a Data Retention Notice (DRN) is enforceable by civil proceedings against a person in the UK, but there is no express provision permitting the enforcement of a DRN against a person outside the UK. The Act, therefore, amends Sections 95 and 97 to allow extraterritorial enforcement of DRNs to strengthen policy options when addressing emerging technology, bringing them in line with TCNs. This ensures that notices given to international telecommunication operators can be enforced, should they need to be. The Act also clarifies that the non-disclosure obligation imposed on persons to whom a Technical Capability Notice (TCN) or National Security Notice (NSN) is given, at section 255(8), is also enforceable by civil proceedings, bringing it in line with the enforcement provision at section 95(2) and (5).
- Section 87(4) of the IPA 2016 provides that a DRN cannot require the retention of so-called ‘third party data’. There is no intention to revisit the point of principle; however, the Act contains measures seeking to amend section 87(4) in order to address some discrete and unintended consequences which have unduly broadened the effect of that subsection and restricted the type of data that can be subject to a DRN.
- The Government’s consultation response also set out where the Government decided not to proceed with certain proposals – including compelling telecommunications operators to engage in the consultation process for a notice or strengthening enforcement mechanisms – on the grounds that it is in both the Secretary of State and the operator’s best interest to have a workable notice which is necessary and proportionate and that the IPA 2016 already has strong enforcement options, therefore it is not considered necessary to amend enforcement at this time.
Internet Connection Records (ICRs)
- An Internet Connection Record (ICR) is a record, held by a Telecommunications Operator, about the service to which a device has connected on the internet, for example that someone has accessed ‘illegalsite.com.’ The Government’s policy position is that the ability of investigators to discover and prosecute serious criminals would be revolutionised by better use of these ICRs.
- The way in which the IPA 2016 was originally drafted required certain thresholds to be met on the ‘known’ elements of the investigation, such as when a website had been accessed. Condition A for ICR access is focused on identifying subjects relevant to specific known event(s) and does not permit enquiry into wider use beyond that known event(s). A significant gap existed with ICRs where, for example, analysis of a seized device identified a site serving images of child sexual exploitation or that the device was being used for communications between threat actors. In such circumstances, ICRs could not have been used to detect other unknown subjects using those sites, beyond a specific known event.
- This limited the ability of the intelligence services and the NCA to use ICRs to detect previously ‘unknown’ criminals online. The changes will help the intelligence services and NCA to detect and locate individuals involved in serious criminal activities, such as in the grooming of children online, those engaged in widespread internet-enabled fraud or those who seek to undermine the security of the UK, where previously this would not have been possible using ICRs.
- The Act adds a new condition D to the list of existing conditions for the use of ICRs at s62 of the IPA 2016. This will enable target detection, which was not possible using the existing ICR conditions A to C. This new condition D is only available to the intelligence services and the NCA, and for a more limited set of lawful purposes relating solely to national security, the economic wellbeing of the UK (so far as those interests are also relevant to the interests of national security), and serious crime.
- The policy objective of this measure therefore is to enable the intelligence services and the NCA to detect previously unknown individuals who are using the internet to commit high-harm crimes. The addition of condition D is a relatively small change to the Act as the intelligence services and the NCA are already permitted to use the existing ICR conditions for subject identification but were required to know the time of access and service in use to do so, which limited the utility of the capability to assist in detecting new subjects of interest.
- The measure allows target detection of high-impact offenders by removing the requirement to unequivocally know a specific time or times of access and the service in use, and instead allows these parameters to be set out in the application, based upon detailed analysis and subject matter expertise.
- ICRs could be used to identify high-risk child sexual abuse (CSA) offenders, including those who both access multiple CSA platforms and have ready access to children. Intelligence derived from ICR applications could assist law enforcement partners in prioritising their efforts against CSA, protecting children, and bringing offenders to justice.
- High-harm fraud often involves online behaviour that could be identified by ICRs. ICRs could be used, for example, to search for devices which were simultaneously connecting to legitimate banking applications and to malicious control points. Such behaviour could indicate that a financial fraud is in progress. This improved access to ICRs could enable the intelligence services to detect such activity more effectively and to inform law enforcement colleagues of the identity of the potential fraudsters and of any associated organised crime groups. Flagging suspicious behaviour in that way can lead to action being taken to prevent criminals from defrauding their intended victims.
- The period of time to be specified, and the service(s) to be queried, must still meet necessity, proportionality and collateral intrusion tests, and service(s) could not be queried more widely, or for any longer, than was absolutely necessary to meet the operational objective of the ICR application. The applicant should explain their reasoning with reference to tangible supporting information which is subject to the existing oversight and safeguards of the regime. Data returned as a result of a Condition D application will be subject to the safeguards as set out in the Codes of Practice, including that data may only be held for as long as the relevant public authority is satisfied that it is still necessary for a statutory purpose.
Warrantry
- The IPA 2016 provides for a warrantry process – the process through which activity under the Act is authorised. The authorisation process is multi-layered, involves independent oversight by the judiciary and is based on the principles of necessity and proportionality. Different authorisation processes are followed depending on which powers are being authorised and which authority will use them.
- For example, all warrant applications for interception require approval from the Secretary of State and a Judicial Commissioner whereas the use of equipment interference powers by police forces must be authorised by a Chief Constable and a Judicial Commissioner.
- Exceptionally, warrants for the use of interception or equipment interference, where the purpose is to obtain the communications of a member of a relevant legislature, must additionally be approved by the Prime Minister. This is known as "the triple lock".
- Following the Home Secretary’s statutory review of the IPA 2016 and Lord Anderson’s independent review, several areas were identified where processes around warrantry could be made more resilient and effective. This part of the IPA 2016 regime balances the requirement for strong statutory oversight with the operational requirements of the operational community, and the Government identified potential ways to improve the regime while maintaining this balance.
- Firstly, given the restrictive nature of the existing approvals process for warrants the purpose of which is to intercept or examine the communications of members of a relevant legislature under Sections 26 and 111 IPA 2016, critical intelligence gathering opportunities may be missed as a result of the Prime Minister being unable to consider a warrant application due to medical incapacitation or a lack of access to secure communications. The Act makes changes to the IPA 2016 with the intention of ensuring that lack of availability of those individuals or office holders required by the IPA 2016 to authorise certain warrants or activities does not come at the cost of critical operations. It does this by providing that alternative approvers of sufficient rank or office are able to approve warrant applications in urgent circumstances. Alternative approvers must have the necessary operational awareness, which will be further defined in the relevant Codes of Practice, in order to be appointed by the Prime Minister to consider warrant applications when the Prime Minister is unable to do so. In the case of Section 26 or 111 warrants, the Act makes provision for the Prime Minister to nominate a cadre of five Secretaries of State who will be empowered to exercise the Prime Minister’s power to provide the final authorisation of the "triple lock". The procedure for the use of an alternative approver would only become available where the requirement for the authorisation is urgent and the Prime Minister is unable to act by virtue of medical incapacitation or a lack of access to secure communications.
- Secondly, the Act makes provision to add a Deputy Director General of the National Crime Agency to the list of law enforcement chiefs who are able to delegate the function of considering Targeted Equipment Interference (TEI) applications under s.106 IPA 2016, to appropriate delegates (as described in the table in Part 1 of Schedule 6 IPA 2016) in urgent cases. Equipment interference (EI) allows the security and intelligence agencies, law enforcement and the armed forces to interfere with equipment to obtain electronic data. This includes computers, tablets, smartphones, cables, wires and static storage devices. EI can be carried out either remotely or by physically interacting with equipment. The policy objective of this change is to improve the resilience of the process and ensure that the lawful authorisation of warrants critical to investigations is not reliant on a potential single point of failure in the authorisation process, while remaining at a suitably senior level.
- Thirdly, under the IPA 2016 as it was enacted, the processes associated with the removal of a subject from a TEI warrant did not provide a power for the Secretary of State to make any decisions about the authorisation at the point of removal, but did require the Secretary of State to be notified of the removal. The removal of a subject will not result in further interference with privacy rights, so it could be considered unnecessary to notify the Secretary of State at this stage. The Act therefore makes an amendment to the processes associated with the removal of a subject from a TEI warrant which removes the requirement to notify the Secretary of State at the point of the removal of the subject.
- Fourthly, the Act makes changes to the table in Part 1 of Schedule 6 of the IPA 2016 which rectify a drafting error in the column providing for the delegation, in urgent circumstances, of the authorisation of an equipment interference warrant from a Chief Constable to a Deputy Chief Constable or an Assistant Chief Constable. As enacted, the IPA 2016 referred to a repealed provision within an extant piece of legislation to allow for this delegation. The relevant power of delegation is now set out in different legislation, so Schedule 6 of the IPA 2016 has been updated to reflect this.
- Finally, the way in which the IPA 2016 is currently drafted means that a Targeted Examination Equipment Interference (TXEI) warrant under Part 5 of the IPA 2016 cannot be issued for the purpose of national security where it relates to equipment located in Scotland. The issue has been remedied through a partial commencement. Regulation 9 of The Investigatory Powers Act 2016 (Commencement No. 5 and Transitional and Saving Provisions) Regulations 2018 came into force on 27th June 2018. The Act tidies up the IPA 2016 and corrects the error in legislation by amending section 102(4) IPA 2016 so that the Secretary of State would no longer need to rely on the partial Commencement of a provision.
Investigatory Powers Commissioner (IPC) Functions
- The IPA 2016 contains oversight arrangements that have strengthened the safeguards that apply to the use of investigatory powers. The IPA 2016 created the IPC and their office. The IPC independently oversees the use of investigatory powers, ensuring that they are used in accordance with the law and in the public interest. The Commissioner is supported in their duties by 17 other JCs and the IPCO, who oversee the use of covert investigatory powers by more than 600 public authorities including the intelligence agencies, law enforcement, and local authorities.
- The reforms to the IPA 2016 in this Act provide additional safeguards in areas not currently covered by the IPA 2016. As highlighted in the Home Secretary’s review, the IPA 2016 does not provide an easy mechanism to manage change, causing issues with resilience and flexibility in respect of the IPC and wider IPA 2016 oversight regime. These measures also aim to formalise the IPC’s oversight functions and provide greater legislative clarity in respect of the oversight regime.
- All of the measures regarding the IPC’s oversight functions, where these fell within Lord Anderson’s terms of reference, were supported by the conclusions of the Review. IPCO has also supported all the measures taken forward.
IPC’s oversight functions
- The incumbent IPC, Sir Brian Leveson, has expressed the value of the role’s non-statutory functions being placed on a formal statutory footing. In line with this, the Government has included a measure in the Act to increase transparency in the IPC’s oversight, by amending s.229 of the IPA 2016 to place the IPC’s oversight of compliance by the Ministry of Defence (MoD) onto a statutory footing. The IPC currently provides oversight of the MoD’s overseas covert human intelligence sources (CHIS) and surveillance operations on a non-statutory basis. This oversight is carried out at the request of the MoD, and a similar form of oversight has been provided in the form of annual inspections by IPCO’s predecessors since at least 2005. The measure does not give the MoD or the IPC any new powers; however, it does formalise this agreement to increase oversight.
Flexibility and resilience
- The Act contains measures which amend the role of the IPC and wider oversight regime with the intent of providing increased flexibility and resilience, and to formalise the IPC’s functions.
- Under the current legislation, there are two mechanisms by which the IPC’s functions can be amended: regulations made by the Secretary of State under s.239 of the IPA 2016 to amend s.229 of the IPA 2016; or a direction issued by the Prime Minister under s.230. Such directions under s.230 are currently limited to the activities of the intelligence agencies and the MoD, so far as engaging in intelligence activities. The Government’s policy intent in this Act is to achieve greater consistency in how the Government can direct the IPC to oversee the activities of public authorities whose activities fall within the remit of the IPA 2016, by extending the power of the Prime Minister to issue such directions to other public authorities that use the IPA 2016, so far as engaging in intelligence activities. This ensures clearer parameters regarding the IPC’s oversight and ensures that law enforcement agencies, such as the NCA, are included in the scope of s.230, with the flexibility that would allow a rapid response to emerging oversight requirements.
- The IPA 2016 did not make provision for the IPC to formally appoint a Deputy IPC (DIPC) to exercise functions that are personally conferred on the IPC (such as the ability to review a decision of a JC not to approve a warrant or approve the decision of a Secretary of State to give a notice). Lord Anderson’s report highlighted that this could hamper IPCO’s resilience and agility, particularly in circumstances where the IPC may be unavailable to carry out their role. To provide further resilience, the Act allows for up to two Deputy IPCs to be appointed, given that the IPC is contracted to work for 3 days per week and JCs are contracted to work for 90 days per year. The policy intent is that the IPC would be able to formally appoint up to two DIPCs because of the risk that a single Deputy might become unavailable. The specific appointment and removal from office of Deputy IPCs would be the responsibility of the IPC.
- The Act contains a measure which delegates all the IPC’s appellate functions to the newly created Deputy IPCs when the IPC is unable or unavailable to determine them for any reason. This is relevant in the context of authorisations under the IPA 2016 and Schedule 3 of the Counter-Terrorism and Border Security Act 2019, regarding appeals to the IPC against a JC’s decision. This measure gives Deputy IPCs the power to determine such appeals when the IPC is unable or unavailable to determine them.
- The IPA 2016 was amended by the Data Retention and Acquisition Regulations 2018 to add a new provision to give the IPC power to authorise the acquisition of Communications Data (CD) (Section 227(9A) of the IPA 2016). The IPC’s power to delegate functions to a JC under s.227(8) of the IPA 2016 does not extend to the IPC’s functions relating to CD under ss.60A and 65(3B) IPA 2016 and extends only to where the IPC is unable to exercise these functions because of illness or absence or for any other reason. This restriction caused issues during the COVID-19 pandemic, where although office access was limited, the IPC was arguably not "unable" to carry out his functions within the meaning of s.227(9A) IPA 2016. This Act amends the IPA 2016 to remove this limitation and allows the IPC’s power in respect of CD authorisation to be generally exercised by JCs.
- This Act removes the IPC’s oversight functions relating to telecommunications restriction orders (TROs) for prisoners under s.229(3)(c) of the IPA 2016. TROs are already subject to judicial approval in the county court, which provides the necessary degree of assurance and oversight, and the Government has not identified any additional benefit in the IPC overseeing this process after the event.
- There was previously no provision in the IPA 2016 for the IPC to formally appoint temporary JCs. The ability to appoint temporary JCs under the Coronavirus Act 2020 proved vital to the continued operation of the IPA 2016 and its oversight regime during the COVID-19 pandemic. Following the suspension of the emergency legislation, the Home Office has replicated the procedures, safeguards, and terms of appointment set out in ss. 22 and 23 of the Coronavirus Act 2020 in this Act, but removed the connection to coronavirus and widened its application to exceptional circumstances which result in a shortage of JCs. Specifically, the powers provide that: the IPC may appoint temporary JCs to carry out the functions conferred on JCs by any enactment; a temporary JC would be appointed for one or more terms not exceeding six months each and not exceeding three years in total; and the Secretary of State and the IPC must also agree that an exceptional circumstance which results in a shortage of JCs exists before these powers are exercised.
Greater clarity to oversight functions
- The Act includes measures to clarify the scope of error reporting notifications that are to be made to the IPC to include errors of a description identified in codes of practice issued under the Regulation of Investigatory Powers Act 2000 (RIPA 2000), Regulation of Investigatory Powers (Scotland) Act 2000 (RIP(S)A 2000) and the Police Act 1997 (in addition to the IPA 2016). In practice, these relevant errors are already reported to IPCO by public authorities. However, this change makes the reporting of a relevant error a statutory requirement, with the policy aim of closing the gap regarding these reporting obligations by ensuring that there is oversight in respect of errors, as described in codes of practice issued under RIPA 2000 and other relevant legislation. These amendments specifically include these codes and legislation within the IPA 2016’s error reporting regime (s.231(9)) and clarify that such errors fall within the IPC’s remit.
Personal data breaches
- This Act includes measures that specify that Telecommunications Operators (TOs) must notify certain personal data breaches to the Investigatory Powers Commissioner (IPC), who must then disclose to the Information Commissioner details of those breaches. The Act provides the IPC with the power to inform an individual if they have been affected by a personal data breach committed by a TO, if the IPC determines it is in the public interest to do so. The Act also repeals s.5A(9) of PECR, so TOs are required to notify any Personal Data Breaches that occur in relation to authorisations or notices for Communications Data under Part 3 of the Act to the Information Commissioner.
- The Act also makes amendments to the Regulation of Investigatory Powers Act 2000 to ensure that the Investigatory Powers Tribunal has the jurisdiction to consider and determine complaints about personal data breaches committed by TOs.
Freedom of Information Act 2000
- The Freedom of Information Act 2000 (FOIA) provides a general right of access to recorded information held by ‘public authorities’, as defined by section 3 with reference to bodies listed in Schedule 1, or companies as defined within section 6 of that Act.
- IPCO is not listed as a Schedule 1 ‘public authority’ for the purposes of FOIA and therefore the information it holds is not accessible under that legislation. However, the previous legislative position means that information shared by IPCO, or which relates to its activities, and which is held by a public authority as defined in FOIA is accessible. While a public authority, in consultation with IPCO, may seek to apply one of the exemptions in FOIA, the final decision on disclosure (including where applicable the balance of the public interest) rests with the public authority.
- This Act adds JCs (a term that includes the IPC) to the list of bodies dealing with security matters at section 23 of FOIA. Section 23 provides an absolute exemption, thereby protecting information held by other public authorities which relates to the activities of JCs.
Communications Data (CD)
Section 11
- Section 11 of the IPA 2016 created an offence for a relevant person within a relevant public authority of "knowingly or recklessly" obtaining CD from a Telecommunications Operator (TO) or a Postal Operator (PO) without lawful authority. A relevant public authority is an authority listed in Schedule 4 of IPA 2016. The Act now provides examples of what will be included within the meaning of "lawful authority" under section 11.
- The legislative provision was created to ensure there were adequate safeguards and oversight to protect privacy, especially for personal data that is not publicly or commercially available and was to be obtained from private sector TOs. The offence set out under section 11, combined with the complexity of the CD definition, posed significant challenges to public authorities. This Act therefore sets out examples of authorities that will amount to "lawful authority" for the purposes of section 11 with the aim of providing greater reassurance to public authorities when acquiring CD from TOs.
- It was also not the policy or legislative intent to prevent data sharing between public sector organisations required to meet their statutory duties and obligations when administering public services or systems, for example authenticating a citizen’s benefits application against government tax systems and preventing and detecting fraud.
- Government departments are likely to fall within the definition of a TO in the IPA 2016 because of the services they offer via digital platforms for citizens to manage their access to public services, for example submitting tax returns, and applying for benefits, passports, or driving licences. The measures in this Act aim to remove the risk of them (and other public sector organisations) committing a section 11 offence by receiving CD from another public sector organisation in the exercise of their functions. When referring to public sector organisations the Act uses a similar definition to that used in the Procurement Act 2023. Not all such organisations will be TOs.
- The sharing of CD between public authorities will still require compliance with data protection legislation and would continue to be subject to sufficient oversight. There is an agreement between the IPC and the Information Commissioner in relation to where their responsibilities may overlap.
Section 12
- As businesses move more of their service offerings online, more of the data that they capture is now falling within the definition of CD.
- Section 12 and Schedule 2 IPA 2016 removed general information gathering powers from public authorities, ensuring that those authorities could only secure the disclosure of CD from a TO, without that TO’s consent, via certain routes. These routes included obtaining a Part 3 IPA 2016 authorisation, a court order or other judicial authorisation, under certain "regulatory powers" relating to the regulation of TOs or Postal Operators or "postal powers", or as secondary data from interception and EI warrants.
- As a result, several bodies with regulatory or supervisory functions, such as those with responsibility for supervising the financial sector and ensuring compliance with Money Laundering and Terrorist Financing Regulations, were unable to perform their statutory functions as effectively as they needed to.
- For those regulatory or supervisory bodies with IPA 2016 powers, this issue remained extant where there was an inability to meet the serious crime threshold in the IPA 2016 for the acquisition of certain types of CD in their enquiries. For example, they may be able to acquire CD where there is a serious crime involved with the possibility of a prison sentence of one year or more, but not if the matter can only lead to the imposition of a civil penalty or fine.
- For regulatory or supervisory bodies without IPA 2016 powers this issue remained due to the fact that some of the data for which disclosure was required by those bodies to carry out their statutory functions effectively now fell within the definition of CD and required an IPA 2016 authorisation to acquire it. The changes to legislation in this Act aim to make it easier for these organisations to carry out their lawful functions.
- Section 12 of the IPA 2016 recognised the need for bodies with "regulatory functions" to acquire CD. This was previously limited to organisations such as the Office of Communications (Ofcom) and the Information Commissioner’s Office for their regulation of TOs. This amendment to the IPA 2016 expands the definition of ‘Regulatory Powers’ to include those with wider, statutory regulatory or supervisory responsibilities, with the intention of returning their general information gathering powers and enabling them to gather the information they need to perform their lawful functions and, explicitly, where the CD is not being acquired in the course of a criminal investigation.
- Where the investigation is a criminal investigation, the Part 3 IPA 2016 authorisation process should still be followed by those organisations authorised under Schedule 4 or via some other judicial authorisation route.
- The acquisition of CD using non-IPA 2016 powers by these public authorities for the purposes of regulation or supervision, but which is subsequently used for criminal prosecution, will be subject to oversight by the IPC.
- The bodies who may be permitted to use their non-IPA 2016 powers for the purposes of regulation or supervision are the public authorities listed within Schedule 4 of the IPA 2016 together with those currently listed and who may be later added, by regulations, to new Schedule 2A.
Section 261
- The IPA 2016 provides the definition of CD for the purposes of acquiring such data under Part 3 and retention under Part 4. That definition of CD is made up of "Entity data" (for example, phone numbers or other identifiers linked to customer accounts) and "Events data" (for example, the fact that someone has sent or received an email, phone call, text or social media message and the location of a person when they have made a mobile call or used a Wi-Fi hotspot), with a carve-out to exclude the "Content" of a communication.
- Insufficient clarity existed over whether subscriber and account data was CD or content, for example in the context of registration details provided in online forms when an individual was setting up an account or taking up a service over the internet.
- Due to the complex nature of whether subscriber and account data amounted to CD or content, this Act amends s261 IPA 2016 with the intention of removing any potential ambiguity. This change aims to provide a clear basis for the acquisition of subscriber and account data as CD and also aims to make it clearer when an error has occurred.
- The amendments to section 261 covering "subscriber data" and "content" do not affect the oversight function of IPCO which continues to inspect and highlight any errors.
Interception
- Section 56 of the IPA 2016 makes it clear that any intercepted communication and any secondary data obtained from a communication is excluded from being used in or for legal proceedings. There are exceptions to this set out in Schedule 3 to the IPA 2016.
- Although an exception applies in respect of parole proceedings in Northern Ireland (paragraph 13 of Schedule 3), Parole Board proceedings in England and Wales do not currently benefit from an exemption. This means that panel members of the Parole Board for England and Wales are unable to review key interception materials as evidence to make parole considerations. It is Government policy that panel members of a Parole Board need to be able to review intercepted materials to make more informed assessments as to the risk of harm to the public from terrorists and other dangerous prisoners by considering all classified materials. The Act therefore amends the IPA 2016, allowing intercepted communications and relevant secondary data to be considered in proceedings before the Parole Board and proceedings that arise out of those hearings.
- Another exception is being introduced as an amendment to Schedule 3 to the IPA 2016 to give relevant Northern Ireland coroners and Scottish sheriffs conducting investigations into deaths the power to review intercepted materials in line with their counterparts in England and Wales. This gives relevant coroners in Northern Ireland and sheriffs in Scotland the opportunity to review all relevant evidence in inquiries and inquests related to deaths in Northern Ireland and Scotland.
Bulk Equipment Interference
- Bulk equipment interference (IPA 2016 Chapter 3) includes methods involving interference with multiple computers and devices. This could include implanting software into devices for the purpose of data retrieval to locate potential targets of interest. Only the intelligence agencies have the power, under IPA 2016, to undertake equipment interference in bulk and it is reserved for activity with a foreign focus.
- Section 195 of Chapter 3 provided additional safeguards for journalistic material, requiring that the Investigatory Powers Commissioner be informed if material thought to contain confidential journalistic material or sources of journalistic material is retained, following examination, for a purpose other than its own destruction.
- This Act introduces prior independent authorisation to Section 195, the effect of which is to add an additional layer of scrutiny over the intelligence agencies’ handling of material which may contain confidential journalistic material or sources of journalistic material. It also brings journalistic safeguards into alignment with the bulk interception regime, which is being amended via the Investigatory Powers Act 2016 (Remedial) Order 2023, which was laid before Parliament on 18th October 2023 and signed into law on 15th April 2024.