Search Legislation

Investigatory Powers (Amendment) Act 2024

Legal background

Bulk Personal Datasets (BPDs)

  1. The existing Part 7 regime in the IPA 2016 required the intelligence services to apply the same standard of safeguards to the retention and examination of all Bulk Personal Datasets regardless of the level of intrusion associated with doing so. Whilst some BPDs may contain sensitive personal information in respect of which stringent safeguards are necessary, the current Part 7 safeguards go beyond what the ECHR requires 1 for certain datasets that have low or no reasonable expectation of privacy.
  2. In order to be compatible with the ECHR, the statutory regime provides for adequate and effective safeguards against abuse. In the context of pre-IPA 2016 bulk interception, the Grand Chamber of the European Court of Human Rights dealt with this point in Big Brother Watch v UK 2 at §361:
    "361. In assessing whether the respondent State acted within its margin of appreciation (see paragraph 347 above), the Court would need to take account of a wider range of criteria than the six Weber safeguards. More specifically, in addressing jointly "in accordance with the law" and "necessity" as is the established approach in this area ([…]), the Court will examine whether the domestic legal framework clearly defined:
    • 1. the grounds on which bulk interception may be authorised;
    • 2. the circumstances in which an individual’s communications may be intercepted;
    • 3. the procedure to be followed for granting authorisation;
    • 4. the procedures to be followed for selecting, examining and using intercept material;
    • 5. the precautions to be taken when communicating the material to other parties;
    • 6. the limits on the duration of interception, the storage of intercept material and the circumstances in which such material must be erased and destroyed;
    • 7. the procedures and modalities for supervision by an independent authority of compliance with the above safeguards and its powers to address non-compliance;
    • 8. the procedures for independent ex post facto review of such compliance and the powers vested in the competent body in addressing instances of non-compliance."
  3. It is also instructive to have regard to the pre-IPA 2016 decision of the Investigatory Powers Tribunal in Privacy International v Secretary of State for Foreign and Commonwealth Affairs.3 This case specifically concerned the acquisition and retention of bulk communications data and bulk personal datasets under the Telecommunications Act 1984 (to note: not datasets that could be said to be low/no datasets). As to safeguards and foreseeability, at §62 the Tribunal set out the following:
    "62. Accordingly, by reference to our considered assessment of the ECHR jurisprudence, we can summarise in short terms what we conclude the proper approach is:
    • (i) There must not be an unfettered discretion for executive action. There must be controls on the arbitrariness of that action. We must be satisfied that there exist adequate and effective guarantees against abuse.
    • (ii) The nature of the rules fettering such discretion and laying down safeguards must be clear and the ambit of them must be in the public domain so far as possible; there must be an adequate indication or signposting, so that the existence of interference with privacy may in general terms be foreseeable.
    • (iii) Foreseeability is only expected to a degree that is reasonable in the circumstances, being in particular the circumstances of national security, and the foreseeability requirement cannot mean that an individual should be enabled to foresee when the authorities are likely to resort to secret measures, so that he can adapt his conduct accordingly.
    • (iv) It is not necessary for the detailed procedures and conditions which are to be observed to be incorporated in rules of substantive law.
    • (v) It is permissible for the Tribunal to consider rules, requirements or arrangements which are ‘below the waterline’ i.e. which are not publicly accessible, provided that what is disclosed sufficiently indicates the scope of the discretion and the manner of its exercise.
    • (vi) The degree and effectiveness of the supervision or oversight of the executive by independent Commissioners is of great importance, and can, for example in such a case as Kennedy, be a decisive factor."
  4. The changes made in this Act introduce a new regime, alongside the current Part 7 which is concerned with datasets in respect of which there is a low or no reasonable expectation of privacy. This test is one that is to be applied in all of the circumstances. 4 The new regime in the Act sets out certain factors, germane to the context, to which intelligence services must have particular regard when assessing the expectation of privacy. Authorisations for the retention, or retention and examination, of such a dataset may be granted by the head of an intelligence service, or a person acting on their behalf. The new regime includes a system of prior judicial approval to provide reassurance that assessments being made are appropriate. As with the other powers in the IPA 2016, there is also ex-post facto oversight by the IPC, and the redress mechanism of the Investigatory Powers Tribunal.
  5. The Act also makes minor changes to Part 7, extending the duration of BPD warrants from six months to twelve months. The changes also provide that certain functions that hitherto had to be performed by the head of the intelligence service – an agency head – can now formally be carried out on his or her behalf by a Crown Servant, in common with other functions in the IPA 2016 (such as applying for a warrant).

Third Party Bulk Personal Datasets (3PD)

  1. The intelligence services can currently access 3PDs in the exercise of their functions through relevant information gateways such as the Intelligence Services Act 1994 and the Security Services Act 1989. This regime places intelligence service access to 3PDs onto a statutory footing with additional safeguards and formal oversight. See above policy background for further detail.

Changes to the Notices Regime

  1. Notices may be given to relevant operators that hold data of operational relevance in order to provide and maintain investigatory powers capabilities. This ensures the intelligence services and law enforcement have access to data required for their investigations.
  2. The provisions in this Act amend the definition of a TO out of an abundance of caution to ensure that obligations imposed by the IPA 2016 can apply to all constituent parts or entities of the company, irrespective of where the entity providing the "telecommunications service" is based or the entity controlling the "telecommunications system" is based. Provisions also aim to clarify that a notice may be given to one entity in relation to another entity’s capability.
  3. When giving a notice for the first time, the Secretary of State has a statutory obligation to engage in a consultation period with the relevant operator. Following this consultation, and taking into consideration the views of the operator, the Secretary of State then considers whether to formally give the notice. Should they decide to do so, the notice must then be approved by a JC and formally given to the company before its obligations become binding on them. If at this point the operator is dissatisfied with the terms of the notice, they have a statutory right to refer the notice (or part of it) to the Secretary of State for review as set out in sections 90 and 257 of the IPA 2016.
  4. The Secretary of State must then consult the Technical Advisory Board (TAB) and a JC. As it stands, during a review period the operator is not required to comply with the notice, so far as referred, until the Secretary of State has determined the review. Where an operator is seeking to make significant changes to their services or systems that would have a detrimental effect on a current lawful access capability, this could create a capability gap during the review period.
  5. After considering reports from the Technical Advisory Board (TAB) and the JC, the Secretary of State may decide to vary, revoke, or confirm the effect of the notice. Where the Secretary of State decides to confirm or vary the notice, the IPC must approve the decision. Section 8 amends s.227(8) to allow the IPC to delegate this function to the newly created Deputy IPCs, in the event that the IPC is unable or unavailable to exercise this function.
  6. The measures in this Act aim to ensure that the TO maintains the status quo, by not making any changes that may have a negative impact on lawful access capabilities, until the review by the Secretary of State has concluded (Section 18).
  7. Sections 90(1) and 257(1) of the IPA 2016 include regulation making powers in relation to a review of a notice. The Investigatory Powers (Review of Notices and Technical Advisory Board) Regulations 2018 (S.I. 2018/354), made pursuant to s.90(1) and s.257(1), set out the period and circumstances within which notices maybe referred back to the Secretary of State for a review. However, the pre-existing power does not give the Secretary of State the power to specify in regulations a time limit regarding the overall review process. Section 18 introduces a new regulation making power that will enable the amendment of existing regulations (S.I. 2018/254) to specify both the length of time the Secretary of State can take to reach a decision on the review of a notice, upon receipt of the report by the JC and TAB, and the overall length of time a review of a notice can take. This provides clarity to both operators and operational partners regarding how long a review of a notice can take and therefore how long the status quo must be maintained by the operator.
  8. It is also necessary to make provision for a JC to issue directions to the Secretary of State and the person seeking the review, as they see fit, to ensure the effective management of the notice review process. Section 18 gives a JC the power to give directions to both parties specifying the time period for providing their evidence or making their representations and give the JC the power to disregard any submissions made outside these timelines. This ensures the JC has the appropriate power to deal with non-compliance and provides clarity to all parties regarding timelines and expectations.
  9. A TO, or any person employed or engaged for the purposes of the business of a TO, must not disclose the existence or contents of a notice to any other person without permission of the Secretary of State. This prohibition is enforceable by civil proceedings under Section 95(2) and (5) for DRNs, however there was previously no equivalent enforcement provision for TCNs or NSNs. Provisions in this Act amend s.255(10) IPA 2016 with the intention of ensuring that the duty not to disclose the existence or contents of a TCN or an NSN is also enforceable by civil proceedings.
  10. TOs who are already subject to a notice are required to inform the Secretary of State of any changes that may impact their existing notice obligations. This ensures that changes do not have a negative effect on investigatory powers. This Act imposes obligations on TOs who have not already been issued with a notice, to inform the Secretary of State of relevant changes, including technical changes that might affect lawful access, before such changes are implemented.
  11. Under the current IPA 2016 provisions, the approval of a JC is required where the Secretary of State proposes to vary a notice and that variation would impose additional requirements on the TO (sections 94(4) and 256(4) and (5). The IPA 2016 also requires that the Secretary of State keeps relevant notices under regular review (sections 90(13) and 256(2), with the review process described in the relevant Codes of Practice. This Act creates a statutory role for the IPC within a formalised notice renewal process, if a period of two years has elapsed since a notice was first given, varied or renewed. This introduces an additional safeguard. With the introduction of the notice renewal process, a consequential amendment was required to the IPC’s main oversight functions. As such, this Act makes an amendment to insert a reference into s.229 to enable a JC to decide whether to approve the renewal of certain notices.

Internet Connection Records (ICRs)

  1. Internet Connection Records are data collected and retained by TOs about the sites and services to which their customers connect on the internet. Certain Public Authorities are permitted to seek disclosure of that data within limited Access Conditions and upon independent authorisation by the Investigatory Powers Commissioner’s Office (IPCO) (or internal authorisation for National Security purposes by the intelligence services). The Public Authorities are laid out in Schedule 4 of the Act and include police forces, the NCA and the UK intelligence services.
  2. The capability allows those specified Public Authorities to ask two primary questions of the data. Firstly, in instances where the subject of interest or device is known, the question of which internet sites or services have been connected to over a specified period (subject development) and secondly, for instances where a site or service is known, which customers have accessed that service at a specified time or times (subject identification).
  3. The change in the Act concerns this second ‘subject identification’ aspect of the legislation. The IPA 2016 as drafted cover this within Condition A.
    Condition A is that the person with power to grant the authorisation considers that it is necessary, for a purpose falling within section 60A(7), 61(7) or 61A(7) (as applicable), to obtain the data to identify which person or apparatus is using an internet service where-
    • (a) the service and time of use are already known, but
    • (b) the identity of the person or apparatus using the service is not known.
  4. Condition A is designed to assist in investigations where a specified internet site or service is known to have been accessed at a specified time or times and the public authority is seeking to determine the identity of the party or parties involved in that connection. To that end this Condition is event (s) specific.
  5. Examples of this may be where officers receive intelligence, perhaps from forensic examination of a seized device, about the use of a specified video conferencing facility, to livestream the abuse of a child or where a public figure has been subject to sustained online threats and abuse via a number of internet facilities, such as an overseas hosted email facility, social media platform or constituency website. In such circumstances investigators would wish to identify subjects accessing those internet resources at relevant specified times coincidental to the abuse occurring and threats having been made.
  6. There were concerns that this requirement to know the specific service and time of access limited utility of the ICR capability and prevented this TO stored and managed data from being used to assist in the detection of some of the most serious offenders and National Security threats.
  7. Whilst investigators may identify websites of interest in the course of their investigations, they may lack knowledge around whether a specified site has been accessed or a specific time or times of access. Where the site is itself criminal in nature then investigators are interested in access at any time.
  8. The addition by this Act of new Condition D to the legislation allows investigators to state a service or services and a time period i.e. ‘between this date/time and this date/time’ within an application. These stated service or services in a particular time period will be based upon subject matter expertise, analysis and existing intelligence and be indicative of behaviours that indicate serious criminality or a national security threat. All such applications must be both necessary and proportionate before they can be authorised.
  9. An example of where a Condition D ICR may be appropriate would be where the intelligence services identify a previously unknown site promoting terrorism, or child sexual abuse and exploitation, or the command and control infrastructure for malware, and wish to identify parties who are accessing those resources – where they may have a clear suspicion that they are being accessed but lack the requisite knowledge that they are and exactly when.
  10. In circumstances where serious criminality may be denoted by a very specific pattern of connections, this new provision aims to allow that pattern to be translated into the form of a question of ICR data to assist in discovering subjects of interest displaying those linked behaviours and in respect of whom it would not otherwise have been possible to detect.
  11. An example of this would be in high-harm fraud which often involves online behaviour that could be identified by ICRs. ICRs can now be used, for example, to search for devices which are simultaneously connecting to legitimate banking applications and to malicious control points. Such behaviour could indicate that a financial fraud is in progress. Improved access to ICRs will enable the intelligence services to detect such activity more effectively and to inform law enforcement partners of the identity of the potential fraudsters and of any associated organised crime groups.
  12. Whilst clearly having the potential to provide significant operational utility it is recognised that such queries are highly susceptible to imprecise construction. As a result, additional safeguards are introduced in this Act with the intention of managing access to this new Condition and mitigating public concerns.
  13. These safeguards include that the capability is to be limited solely to the intelligence service and the NCA who are assessed to possess the requisite subject matter expertise to formulate appropriate queries to derive the correct subset results. This has a significant reliance on understanding the construct of the ICR data queried, which may differ between TOs, understanding of human verses machine generated connections, and understanding of computer logic and the importance of accurate syntax.
  14. The lawful purposes for which this new Access Condition may be utilised are also limited, relating solely to National Security, the Economic Wellbeing of the UK so far as those interests are also relevant to the interests of national security, and for Serious Crime purposes.
  15. Under this new condition, all applications would undergo review, where an appropriately trained authorising officer would consider the application. Applicants would have to address in detail within their application exactly how collateral intrusion would be managed to ensure only those persons who should be the subject of an investigation are so. Persons so identified would then be subject to individual development utilising established investigative capabilities to support the intelligence, all of which would need to be further and separately authorised. Data returned as a result of a Condition D application will be subject to the safeguards as set out in the Codes of Practice, including that data may only be held for as long as the relevant public authority is satisfied that it is still necessary for a statutory purpose.
  16. The need for this change was considered in depth, and supported, by Lord Anderson KC in his review of proposed IPA 2016 reforms.

Warrantry

Sections 26 and 111

Section 26
  1. Where an intercepting authority makes an application to the Secretary of State for the issue of either a targeted interception warrant (where the purpose is to authorise or require the interception of communications sent by or intended for, a person who is a member of a relevant legislature) or a targeted examination warrant (where the purpose is to authorise the selection for examination of the content of such communications), the warrant must be approved by the Prime Minister.
Section 111
  1. Where an application is made to the Secretary of State for a targeted equipment interference or examination warrant the purpose of which is to obtain or examine protected material consisting of communications sent by, or intended for, a person who is a member of a relevant legislature, or their private information, the warrant must be approved by the Prime Minister.

Director General NCA

  1. Section 106 provides the power for a "law enforcement chief" to issue TEI warrants. The power to issue a TEI warrant may be assigned to an "appropriate delegate" only if it is not practicable for the law enforcement chief to exercise it, and only in urgent cases.
  2. Schedule 6 (table in Part 1) describes who is a law enforcement chief for the purposes of section 106 and, for the NCA, identifies the Director General (DG) only. The Act adds a Deputy Director General of the NCA to the list of law enforcement chiefs who are able to delegate the function of considering TEI applications under s.106 IPA 2016, to appropriate delegates (as described in the table in Part 1 of Schedule 6 IPA 2016) in urgent cases.

Law Enforcement Equipment Interference delegation

  1. Schedule 6 of the IPA 2016 refers to section 12A of the Police Act 1996 which was repealed in 2012 and replaced by s.41 of the Police Reform and Social Responsibility Act 2011 (Commencement No. 7 and Transitional Provisions and Commencement No. 3 and Transitional Provisions (Amendment)) Order 2012. The Act corrects a drafting error, by making reference to the 2011 Act, rather than the repealed section of the Police Act 1996.

Targeted Equipment Interference, removal of a subject

  1. Part 5 of the IPA 2016 is concerned with equipment interference warrantry. Warrants may be issued by, amongst others, the Secretary of State or by Scottish Ministers. Such a warrant may be modified in accordance with section 118; sections 119-122 set out how that modification process works. Section 119(1) provides that a senior official acting on behalf of the Secretary of State (or the Scottish Ministers, as the case may be) may modify a warrant.
  2. Section 121 concerns the notification of modifications (this does not apply to urgent modifications, in respect of which a different regime applies). Subsection (1) provides that where a modification is made under section 118, a JC must be notified of it and of the reasons for making it, but this is subject to certain exceptions as set out in subsection (2). Subsection (3) applies where a modification is made by a senior official in accordance with section 119(1) and requires the Secretary of State (or a member of the Scottish Government, as the case may be) to be notified personally. The Act changes these provisions to remove the obligation on the Senior Official to notify the Secretary of State personally when a modification is made that removes a matter, name or description from a targeted equipment interference or targeted examination warrant.

Targeted Examination warrants in Scotland

  1. Under the IPA 2016, the Secretary of State may not issue an equipment interference warrant if the only grounds that the warrant is necessary is for the prevention and detection of serious crime and the warrant would authorise interference with equipment that is in Scotland at time of issue. Warrants of this nature are issued by Scottish Ministers in accordance with section 103(1)(b) and 103(2)(b). Section 102(4) states that targeted examination warrants may not be issued by the Secretary of State if the warrant relates to a person who would be in Scotland at the time of issue. As section 103 only permits Scottish Ministers to issue warrants where the purpose is for prevention and detection of serious crime, this creates a gap.
  2. A targeted examination warrant under section 102(3) that relates to equipment in Scotland, and which is necessary only for the purpose of the prevention and detection of serious crime, could be issued by the Scottish Ministers, but if the purpose was for national security, it could not legally be issued. The issue has been remedied through a partial commencement. Regulation 9 of The Investigatory Powers Act 2016 (Commencement No. 5 and Transitional and Saving Provisions) Regulations 2018 came into force on 27th June 2018. The Act corrects this by amending section 102 with the effect that the Secretary of State may issue a targeted examination equipment interference warrant for National Security purposes where it relates to someone who was in Scotland at the time of the issue of the warrant.

Investigatory Powers Commissioner Functions

  1. The legal background related to Investigatory Powers Commissioner functions is covered in the policy background.

Amending the list of bodies dealing with security matters under s.23 FOIA

  1. Section 23(1) of FOIA exempts, as a class, all information directly or indirectly supplied by, or relating to, certain bodies dealing with security matters. This provision confers an absolute exemption. Subsection (3) lists the relevant security bodies that have the benefit of the exemption. Section 23(5) of FOIA provides that the obligation to confirm or deny whether or not the authority holds the information does not arise, if compliance with that obligation would itself disclose information which is exempt by virtue of subsection (1).
  2. Section 23 of FOIA (as relevant) states:
    "23. Information supplied by, or relating to, bodies dealing with security matters.

    (1) Information held by a public authority is exempt information if it was directly or indirectly supplied to the public authority by, or relates to, any of the bodies specified in subsection (3)

    (2) A certificate signed by a Minister of the Crown certifying that the information to which it applies was directly or indirectly supplied by, or relates to, any of the bodies specified in subsection (3) shall, subject to section 60, be conclusive evidence of that fact.

    (3) The bodies referred to in subsections (1) and (2) are-

    • (a) Security Service …" …
    • "(5) The duty to confirm or deny does not arise if, or to the extent that, compliance with section 1(1)(a) would involve the disclosure of any information (whether or not already recorded) which was directly or indirectly supplied to the public authority by, or relates to, any of the bodies specified in subsection (3)."

  3. Amendments to section 23 of FOIA have to be made by primary legislation, as there is no power to add to the list of security bodies by regulations, as is possible for amendments to Schedule 1, by virtue of section 4 FOIA. This Act adds JCs to the list of bodies dealing with security matters with the intention of ensuring that sensitive equities contained in information provided or relating to the functions of JCs are protected.

Communications Data (CD)

  1. Section 11 of the IPA 2016 created an offence of obtaining CD without lawful authority. There was no definition, in the original Act, of "lawful authority" in respect of CD acquisition. The objective of amending section 11 has been to make clear that certain types of authority or methods of acquiring CD will amount to "lawful authority". This includes applications to request CD in line with Part 3 IPA 2016, or through a judicial authorisation or Court Order as well as those included ina non-exhaustive list detailing circumstances which will amount to lawful authority for the purposes of section 11.
  2. The Act provides examples of authorisations that will amount to "lawful authority" and includes an IPA 2016 authorisation, a Court order or other statutory power to require or provide CD, as well as CD relating to Public Emergency call services (codes of practice paragraph 6.1) and publicly available data with the intention of providing the legal certainty for those bodies who acquire CD and wish to avoid committing the section 11 offence.
  3. The purpose of section 11 was also to discourage public authorities from abusing Part 3 powers to acquire CD from private companies. The explanatory note to section 11 says: ‘The offence is intended to act as a deterrent and provide reassurance that abuse of powers to acquire communications data will be punished’.
  4. The "powers" in question are the power to issue a notice to a TO to compel disclosure of CD. The obligation to comply with a notice does not bind the Crown so this power logically cannot have been aimed at public sector sharing of CD. Section 11 was not intended to catch public sector sharing of data and the Data Protection Act provides sufficient safeguards to protect the sharing of CD between public sector organisations where it is necessary and proportionate to do so. The offence will continue to apply to the acquisition of CD from private sector TOs. The IPC will continue to oversee the acquisition of CD by relevant public authorities from TOs in both the public and private sectors.
  5. The purpose of section 12 IPA 2016 was to provide transparency around public authority access to CD, in effect ensuring that the Act was the only route available in relation to the ‘statutory purposes’ at section 61(7).
  6. Section 12 and Schedule 2 IPA 2016 amended general information gathering powers, so far as they enabled public authorities to secure the disclosure, by a TO, of CD without the consent of the operator; where the disclosure did not involve a court order or other judicial authorisation or warrant, was not a regulatory power, and where it was not possible for the public authority to use a power under the IPA 2016 or the RIPA 2000.
  7. Regulatory powers were in turn limited, in section 12(6), to those solely exercisable in connection with the regulation of telecommunications operators, services or systems and postal operators and services.
  8. The statutory purposes at section 60A(7) state that it must be necessary to obtain the data-
    "(a) in the interests of national security,

    (b) for the applicable crime purpose,

    (c) in the interests of the economic well-being of the United Kingdom so far as those interests are also relevant to the interests of national security,

    (d) in the interests of public safety,

    (e) for the purpose of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health,

    (f) to assist investigations into alleged miscarriages of justice, or

    (g) where a person ("P") has died or is unable to identify themselves because of a physical or mental condition-

    1. to assist in identifying P, or
    2. to obtain information about P’s next of kin or other persons connected with P or about the reasons for P’s death or condition."
  9. The statutory purposes had originally included "for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department" and, secondly, "for the purpose of exercising functions relating to the regulation of financial services and markets or financial stability". These lawful purposes were however subsequently excluded by the Data Retention and Acquisition Regulations 2018 enacted in response to the Court of Justice of the European Union’s (CJEU) Tele2/Watson Judgment. 5
  10. These specific provisions were not routinely used because bodies with regulatory or supervisory functions, such as those who regulate the Financial Markets or ensure compliance with Money Laundering and Terrorist Financing Regulations, were previously able to acquire the data they needed in pursuance of their functions by using their own information gathering powers already available to them rather than the IPA 2016 provisioned powers.
  11. However, as businesses are increasingly moving their service offerings online, more of the data those business collect about their customers now falls within the definition of Communications Data as it relates to the provision of a Telecommunications Service as defined in the IPA 2016. This data was data which regulatory and supervisory bodies would have previously been able to access using their own information gathering powers, but in respect of which those businesses are now seeking IPA 2016 Part 3 authorisations, from public authorities, before agreeing to disclosure.
  12. The Section 12 provisions had the effect of preventing those regulatory or supervisory organisations from gathering the data they require where their enquiries failed to meet the serious crime threshold, which was the main remaining statutory purpose available to them to access some types of required data.
  13. The purpose of the Section 12 reforms in this Act are to allow bodies with recognised regulatory and supervisory functions, and who utilise civil proceedings as a means of enforcement, to continue to perform the roles required of them by Parliament in permitting them to acquire CD using their own information gathering powers as previously was the case.
  14. These reforms do not diminish nor expand upon the existing statutory requirements for the disclosure of CD. The position remains that an IPA 2016 authorisation is required to obtain the disclosure of CD in the course of any criminal investigation where there is a view to initiating a criminal prosecution.
  15. Provisions in the associated Codes of Practice will require any organisation changing their approach from a civil investigation to a criminal investigation (with a view to a criminal prosecution) to satisfy both themselves and the IPCO, that their application of the legislation is right and proper at all times. This is an area that is already subject to oversight and scrutiny and these measures aim to ensure that this reform cannot be used to circumvent the safeguards in place within the IPA 2016.
  16. Section 261 IPA 2016 includes the definition of CD. When the IPA 2016 was enacted, section 21 of RIPA 2000 was replaced, and the definition of CD changed. Under section 261(3) "subscriber" or "account data" were brought within a new category of CD referred to as "Entity" data. Section 261(6) of the IPA 2016 created a new definition of what the "content" of a communication is to ensure a clear distinction between "content" and CD on the basis of Parliamentary concern in relation to privacy, by providing that anything that was "content" could not be CD. However, the section 261(6) "content" carve-out created uncertainty as to whether ‘subscriber data’ or ‘account data’ is CD or whether it might be the "content" of a communication created by the subscriber or account information, when they complete an online application form, for example. A practical example is provided below:
    Your name may be included in an electronic form when you open an online account and when clicking ‘submit’, it is sent to that company’s servers. The "content" of that communication could be argued to be the information entered in the form which includes ‘subscriber’ communications data information.
  17. The amendment provides additional clarity that subscriber data and account data fall within the scope of CD, rather than potentially being within the meaning of "content" under section 261(6) of the IPA. The change aims to achieve clarity because public authorities, the independent oversight body (IPCO) and the TOs carry a risk of having to record or report the acquisition of subscriber or account data as an error (because some TOs might consider it as content and so not disclosable under a part 3 CD authorisation). These provisions, providing clarification of subscriber or account data as CD, aim to reduce the risk of errors and provide greater legal certainty.

Interception

  1. Section 56 of the IPA 2016 prohibits the use of intercepted communication and relevant secondary data in legal proceedings. The exceptions to this principle are set out in Schedule 3 to the IPA 2016.
  2. Paragraph 13 of Schedule 3 deals with disclosure to Parole Commissioners for Northern Ireland, to permit the review of intercept materials in certain circumstances.
  3. Paragraph 24 of Schedule 3 permits disclosure of relevant intercept materials to a coroner or a legal advisor, the exception only covers the Coroners and Justice Act 2009 which applies to inquests in England and Wales only. The new paragraphs 25 and 26 will extend the exception to coroners and legal advisors conducting inquests and inquiries into deaths in both Northern Ireland and Scotland. This will bring parity among all administrations.

1 Under the Human Rights Act 1998, respect for private and family life is a qualified right. This means interference by a public authority with the exercise of this right is lawful provided it is done in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

2 (2022) 74 EHRR 17; see also: https://hudoc.echr.coe.int/eng?i=001-210077

3 [2017] 3 All ER 647; see also: https://investigatorypowerstribunal.org.uk/judgement/privacy-international-and-1-secretary-of-state-for-foreign-and-commonwealth-affairs-2-secretary-of-state-for-the-home-department-3-government-communications-headquarters-4-security-service-5/

4 See ZXC v Bloomberg LP [2022] UKSC 5.

5 EUR-Lex - 62015CJ0203 - EN - EUR-Lex (europa.eu) - https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62015CJ0203

Back to top