Investigatory Powers (Amendment) Act 2024

Commentary on provisions of the Act

Part 1: Bulk Personal Datasets

Low or no reasonable expectation of privacy

Section 1: Requirement for authorisation

1. This section makes a number of amendments to Part 7 of the IPA 2016 in consequence of the new Part 7A of that Act inserted by section 2.
2. Subsection (2) amends section 199 (bulk personal datasets: interpretation) so that the definition of when an intelligence service retains a bulk personal dataset (BPD) in that section applies to the new Part 7A as well as Part 7.
3. Subsection (3) amends the heading above section 200 (requirement for authorisation by warrant: general). The heading is amended from "requirement for warrant" to "requirement for authorisation". Subsection (4) amends section 200 so that retention and examination of a BPD may be authorised under Part 7A as well as under Part 7.
4. Subsection (5) amends section 201 (exceptions to section 200(1) and (2)) to cross refer to new exceptions introduced to accommodate the changes made by the new Part 7A. Subsection (6) provides a new heading to be inserted after s201.
5. Subsection (7) makes substantial changes to section 220 (initial examination: time limits) so that the procedure that currently applies to sets of information obtained by intelligence services, and to which Part 7 applies, also accommodates authorisations under the new Part 7A.
6. Subsection (8) amends section 225 (application of Part [7] to BPDs obtained under this Act) so that a direction under subsection (3) of that section can permit a dataset to which it applies to be retained, or retained and examined, pursuant to an authorisation under the new Part 7A as well as Part 7.

Section 2: Low or no reasonable expectation of privacy

1. This section inserts new Part 7A (bulk personal dataset authorisations, low or no reasonable expectation of privacy) after Part 7 of the IPA 2016.

New section 226A of the IPA 2016: Bulk personal datasets: low or no reasonable expectation of privacy

1. Section 226A is concerned with the application of Part 7A and sets out the test and factors that determine whether a BPD is within its scope.
2. Subsection (1) sets out test which must be applied. The test is whether the nature of the BPD is such that the individuals to whom the personal data relates could have no, or only a low, reasonable expectation of privacy in relation to that data.
3. Subsection (2) requires that regard must be had to all the circumstances when considering the test in subsection (1), including, in particular, certain factors listed in subsection (3).
4. Subsection (3) lists the factors to which, in particular, regard must be had when considering the test in subsection (1). These are: the nature of the data; the extent to which the data has been made public (either by the individuals to whom the data relates themselves, or with their consent); the extent to which data that has been published has been subject to editorial control or by a person acting in accordance with professional standards; the extent to which the data is widely known about if it has been published or is in the public domain, and; the extent to which the data has already been used in the public domain.

New Section 226B of the IPA 2016: Individual authorisation

1. Subsection (1) sets out that, for the purposes of Part 7A, "an individual authorisation" is an authorisation that authorises an intelligence service to retain, or retain and examine, any dataset described in that authorisation. Subsection (2) is a cross-reference to section 200 as amended by this Act and is self-explanatory.
2. Subsection (3) allows the head of an intelligence service, or a person acting on their behalf, to grant an individual authorisation where certain conditions are met. These conditions are set out in subsections (4) and (5).
3. The conditions in subsection (4) require that the person granting the authorisation considers that s226A applies to the dataset (it is a dataset in respect of which there is no, or only a low, reasonable expectation of privacy), the authorisation is necessary for the exercise of the intelligence services functions and the conduct being authorised is proportionate to what is sought to be achieved by it, and that there are appropriate arrangements in force (approved by the Secretary of State) for storing and protecting the data.
4. Subsections (5) requires that decisions to grant an individual authorisation must be approved by a Judicial Commissioner (JC). This is subject to the exceptions set out in subsection (6): the approval of a JC is not required if the BPD falls within an existing category authorisation granted under section 226BA, or the person granting the authorisation considers there is an urgent need to grant it.
5. Subsection (7) sets out that a person granting an individual authorisation in respect of a BPD that falls within an existing category authorisation may nevertheless, , still seek JC approval if they consider it appropriate to do so..
6. Subsection (8) sets out that an individual authorisation relating to a BPD may also authorise the retention or examination of BPDs that do not exist at the time of the authorisation, but which may be reasonably regarded as replacements for the dataset that was authorised. For example, this could include circumstances where a publicly available dataset (that the intelligence service retains under an individual authorisation) is periodically updated with new information of a type that is already contained within the dataset. In such a case the intelligence service would not need to obtain a new individual authorisation to retain or examine an updated version of a dataset that is already the subject of an authorisation.

New section 226BA of the IPA 2016: Category authorisation

1. This section provides for "category authorisations", which permit the head of an intelligence service, or a person acting on their behalf, to authorise a category of bulk personal datasets for the purposes of Part 7A if they consider that s226A applies to any dataset that falls within the category described in the authorisation (including by reference to the use to which the datasets will be put). The decision to grant the authorisation must be approved by a JC.
2. A category authorisation is different to an individual authorisation. An individual authorisation authorises the retention, or retention and examination, of a BPD to which section 226A applies. A category authorisation effectively disapplies – per section 226A(6)(a) – the requirement for judicial approval where an individual authorisation pertains to a dataset that falls within a category authorisation. That is because a decision will already have been made, and approved by a JC, that any dataset that falls within the description in the category authorisation is a dataset to which section 226A would apply.

New section 226BB of the IPA 2016: Approval of authorisations by Judicial Commissioners

1. This section makes provision for the approval of category or individual authorisations by JCs.
2. Subsection (1)(a) sets out that in deciding whether to approve a decision to grant an individual authorisation, a JC must review the conclusions of the decision maker in regards to whether section 226A applies to the bulk personal dataset described in the authorisation. Subsection (1)(b) sets out that in respect of a category authorisation, the JC must review the conclusions of the decision maker as to whether section 226A applies to any dataset that falls within the category of datasets described by the authorisation.
3. Subsection (2) sets out that in deciding whether or not to approve a category or individual authorisation, the JC must apply the same principles that would be applied by a court on an application for judicial review and ensure that the duties imposed by section 2 IPA 2016 (general duties in relation to privacy) are complied with.
4. Subsection (3) sets out that when refusing to approve a decision to grant a category or individual authorisation, JC must give written reasons for their refusal to the person who decided to grant the authorisation.
5. Subsection (4) sets out that the head of an intelligence service (or person acting on their behalf) may ask the IPC to decide whether to approve the decision to grant an individual or category authorisation that has been refused by a JC.

New section 226BC of the IPA 2016: Approval of individual authorisations granted in urgent cases

1. This section provides that where an individual authorisation has been granted in urgent circumstances without prior approval from a JC because of an urgent need to grant it, a JC must be informed by the person that granted it. Subsection (3) provides that the JC has three working days (commencing from the day after the urgent authorisation was granted) to decide whether or not to approve the decision to grant the authorisation and to inform the person who granted the authorisation of that decision.
2. Subsection (4) explains that subsections (5) to (7) set out what happens if a judicial commissioner refuses to approve the decision to grant an urgent individual authorisation.
3. Subsection (5) provides that the urgent authorisation ceases to have effect unless already cancelled, may not be renewed and that the head of the intelligence service (or person acting on their behalf) may not ask the IPC to revisit the JC’s decision under section 226BB(4).
4. Subsection (6) provides that where JC has refused to approve the decision to grant an urgent authorisation, the head of the intelligence service must, as far as reasonably practicable, ensure that use of the dataset stops as soon as possible.
5. Subsection (7) provides that where a JC refuses to approve a decision to grant the urgent authorisation, section 220 (Part 7 initial examinations: time limits) applies to that dataset as if intelligence service had obtained that dataset at the time it was notified of the decision to refuse to approve the grant of the urgent authorisation. This has the effect of restarting the time limit for the intelligence service to carry out an initial examination of the dataset so that it can decide whether it wishes to continue to retain, or retain and examine, the dataset in whole or in part and can make such consequential arrangements as are necessary (e.g, granting a further individual authorisation under section 226B).
6. Under subsection (8), the lawfulness of things done in reliance on an urgent individual authorisation that a JC subsequently refuses to approve is not affected by the authorisation ceasing to have effect.

New section 226C of the IPA 2016: Duration of authorisation

1. This section sets out that the duration of authorisations under Part 7A, unless renewed or cancelled, is, twelve months for all authorisations other than urgent individual authorisations. Urgent individual authorisations are valid until the end of five working days from the day after the day the authorisation was granted.

New section 226CA of the IPA 2016: Renewal of authorisation

1. This section sets out the process for the renewal of individual and category authorisations (including urgent individual authorisations) and the conditions that must be met.
2. Subsection (1) provides that the head of an intelligence service (or a person acting on their behalf) may renew a category or individual authorisation at any time during the renewal period provided the renewal conditions are met.
3. Subsection (2) and (3) set out the renewal conditions for an individual authorisation, including a requirement that the renewal of individual authorisations must be approved by a JC unless the dataset is one that falls within a category of datasets authorised by a category authorisation (see section 226BA).
4. Subsection (4) sets out the renewal conditions for a category authorisation.
5. Subsection (5) defines what is meant by the expression "renewal period":
   • For urgent individual authorisations, the renewal period is the "relevant period" (per section 226C) i.e. the fifth working day after the day on which the authorisation was granted.
   • For an individual authorisation which was authorised in reliance on a category authorisation that has ceased to have effect because it has been cancelled or has not been renewed, the renewal period is three months ending with the day at the end of which the authorisation would cease to have effect.
   • In any other case, the renewal period is 30 days ending with the day at the end of which the authorisation would cease to have effect.

1. Subsection (6) sets out that the decision to renew individual and category authorisations must be approved by a JC.

New section 226CB of the IPA 2016: Cancellation of authorisation

1. This section sets out that the head of an intelligence service (or another Crown Servant acting on their behalf) may cancel a category or individual authorisation at any time during its duration (subsection (1)) and must do so where certain cancellation conditions are met (subsection (2)).
2. Subsection (3) provides the cancellation conditions for individual authorisations. These are that: the dataset described in the authorisation no longer meets the test in section 226A, the authorisation is no longer necessary, the conduct authorised is no longer proportionate, or that the intelligence service no longer has arrangements approved by the Secretary of State for the storage of datasets authorised under Part 7A or for protecting them from unauthorised disclosure.
3. Subsection (4) provides that the cancellation condition for category authorisations is that the test in section 226A no longer applies to any dataset that falls within the category described in the authorisation.

New section 226CC of the IPA 2016: Non-renewal or cancellation of individual authorisation

1. This section concerns where an individual authorisation ceases to have effect because it has expired without being renewed or because it is cancelled.
2. Subsection (2) provides that the head of an intelligence service (or another Crown Servant on their behalf) may decide to grant a new individual authorisation to retain or retain and examine any material held in reliance on an authorisation that has ceased to have effect. In such circumstances a new authorisation must be granted before the end of five working days, beginning with the day on which the authorisation ceased to have effect.
3. Subsection (3) provides that an intelligence service is not in breach of section 200 (1) of (2) (requirement for authorisation) for certain periods where an individual authorisation has ceased to have effect. These periods are five working days beginning with the day on which the authorisation ceases to have effect, or in the case where a new authorisation is granted, the period in which a JC is deciding whether to approve the decision.

New section 226CD of the IPA 2016: Non-renewal or cancellation of category authorisation

1. This section provides for circumstances in which a category authorisation ceases to have effect because it has expired without being renewed or is cancelled, and an individual authorisation has been granted for a dataset that falls within that category, but that authorisation has not been approved by a JC.
2. Subsections (2) and (3) set out that the authorisation ceases to have effect after 3 months unless it is renewed, cancelled or otherwise ceases to have effect before then. This is also the "renewal period" for the purposes of renewing such an individual authorisation, as opposed to the 30 days that would otherwise apply (see section 226CA(5)(b)).

New section 226D of the IPA 2016: Section 226A ceasing to apply to bulk personal dataset

1. This section provides for circumstances in which an individual authorisation is granted and in the course of examining the dataset the head of an intelligence service (or person acting on their behalf) forms the belief that section 226A either does not apply or no longer applies to part of the dataset This is to be distinguished from circumstances in which it is considered that section 226A no longer applies to the dataset as a whole. In that case a cancellation condition is met and the authorisation must be cancelled (see section 226CB).
2. Subsection (2) provides that the head of the intelligence service must, as far as reasonably practicable, ensure that any activity that is being carried in relation to that part of the dataset stops as soon as possible.
3. Subsection (3) provides that section 220 (Part 7 initial examinations: time limits) applies in relation to the relevant part of the dataset as if that part of the dataset was obtained when the necessary belief referred to in subsection (1) was formed. This has the effect of restarting the time limit for the intelligence service to carry out an initial examination of the relevant part of the dataset so that it can decide whether it wishes to continue to retain, or retain and examine that part of a the dataset as a separate dataset and can make such consequential arrangements as are necessary (e.g, granting a further individual authorisation under section 226B).
4. Subsection (4) provides that the individual authorisation in relation to part of the bulk personal dataset to which section 226A no longer applies, is to be treated as if it had been cancelled at the point in time at which the relevant belief was formed. Subsection (5) sets out that the lawfulness of certain activity carried out before the relevant part of the authorisation cased to have effect is not affected by this section.

New section 226DA of the IPA 2016: Annual report

1. This section provides that the head of each intelligence service must provide an annual report to the Secretary of State. This is a report about the BPDs that were authorised to be retained, or retained and examined, under Part 7A by the intelligence service.
2. The first such report must relate to no less than one year and no more than two years, beginning with the date from which Part 7A is fully brought into force. Subsequent annual reports should cover no more than one year, beginning from the end of the period to which the previous report relates. Reports must be provided to the Secretary of State as soon as reasonably practicable after the end of the relevant reporting period.

New section 226DB of the IPA 2016: Report to Intelligence and Security Committee

1. This section provides that the Secretary of State must provide an annual report to the Intelligence and Security Committee of Parliament. This is a report setting out information about category authorisations and renewals of category authorisations granted during the preceding twelve months.
2. The first such report must relate to no less than one year and no more than two years, beginning with the date from which Part 7A comes fully into force. Subsequent annual reports should cover no more than one year, beginning from the end of the period to which the previous report relates. Reports must be provided to the Secretary of State as soon as reasonably practicable after the end of the relevant reporting period.

New section 226DC of the IPA 2016: Part 7A: Interpretation

1. This section state that within Part 7A, use of the terms ‘category authorisation’ and ‘individual authorisation’ has the same meaning as those provided under section 226B(1) and section 226BA(1) respectively. Subsection (2) provides a cross-reference to and section 199 (bulk personal datasets: interpretation), section 263 (general definitions) and section 265 (index of defined expressions) to assist with interpretation. Subsection (3) provides that for Part 7A, only a person holding office under the Crown may act on behalf of the head of an intelligence service.

Bulk personal dataset warrants

Section 3: Duration of bulk personal dataset warrants

1. This section amends section 213 in Part 7 of the Act so that BPD warrants will have a duration of twelve months rather than six. The change applies to both class BPD warrants and specific BPD warrants, and applies to all warrants that are issued or renewed on or after the date that the section comes into force.

Section 4: Agency head functions

1. This section makes amendments to a number of provisions in Part 7 of the IPA 2016 in which a function is conferred on the head of an intelligence service. The amendment aims to make clear that such functions can be carried out by a Crown Servant on behalf of the head of the intelligence service, as is currently the case in respect of a number of other functions elsewhere in the IPA 2016 (e.g., making an application for a warrant).

Third party bulk personal datasets

Section 5: Third party bulk personal datasets

1. Section 5 insets a new Part, Part 7B, into the IPA 2016.

New section 226E of the IPA 2016: Third party bulk personal datasets: interpretation

1. This section sets out the circumstances in which an intelligence service examines a third party bulk personal dataset for the purposes of Part 7B and therefore requires a warrant. Subsection (1) sets out the circumstances which are that:
   • the intelligence service has "relevant access" to a set of information held electronically, by a third party, which includes personal data relating to a number of individuals;
   • the nature of the set must be that the majority of the individuals are not, and are unlikely to become, of interest to the intelligence services;
   • after an initial inspection, the intelligence service examines the set electronically in situ for the purpose of the exercise of its functions.

1. Subsection (2) defines when an intelligence service has "relevant access" to a set of information. Access must be made available as a result of arrangements made directly between the intelligence service and the third party, the type and extent of the access must be such that it is not generally available (whether on a commercial basis or otherwise), and the access must be electronic.

New section 226F of the IPA 2016: Requirement for authorisation by warrant

1. This section prohibits an intelligence service from exercising the power to examine a third party dataset unless that examination is authorised by a warrant under Part 7B ("a 3PD warrant"). A 3PD warrant may authorise the examination to datasets where the content may change over time and future datasets that do not exist when the warrant is authorised.

New section 226FA of the IPA 2016: Exceptions to section 226F(1)

1. This section provides that the prohibition in s226F(1) does not apply to the exercise of a power to examine a third party bulk personal dataset if done so under any other warrant or authorisation issued or given under the IPA 2016, or to an initial inspection under Part 7B (see section 226I(5)).

New section 226G of the IPA 2016: Application for third party BPD warrant

1. This section permits the head of an intelligence service or a person acting on their behalf to apply to the Secretary of State for a 3PD warrant.
2. Subsection (2) provides that the application must include a general description of the dataset or datasets in the application (a general description may describe more than one dataset provided that the general description applies to each dataset). The requirement to provide a general description is different from the requirement to provide a description for a warrant under Part 7, reflecting the extent to which the intelligence service is able to describe the set given it does not retain a set examined under Part 7B.
3. Subsection (3) provides that where the person making the application knows that:
   • the dataset consists of protected data or health records,
   • a substantial proportion of the dataset consists of sensitive personal data, or
   • the nature of the set, or the circumstances in which it was created, are such that its examination under Part 7B is likely to cause novel or contentious issues,

1. the application must include a statement to that effect (see subsection (6)).
2. Subsection (4) sets out the test that the Secretary of State must apply when deciding whether or not to issue a warrant. The Secretary of State may issue the warrant if he or she considers that the warrant is necessary for specified purposes, the conduct to be authorised is proportionate to what is sought to be achieved by it, there are satisfactory arrangements in place for the examination of the set and, unless it is urgent, the decision to issue the warrant has been approved by a JC. Subsection (5) provides that the fact that a 3PD warrant would authorise the examination of bulk personal datasets relating to activities in the British Islands of a trade union is not in itself sufficient to establish that it is necessary. Subsections (7) and (8) are concerned with the definition of health records for the purposes of section 226G.
3. The application may only be made on behalf of the head of an intelligence service by a person holding office under the Crown.

New section 226GA of the IPA 2016: Approval of warrants by Judicial Commissioners

1. This section outlines the factors which the JCs must use to decide whether to approve the decision to issue a 3PD warrant. They must review the Secretary of State’s conclusions on whether the warrant is necessary and proportionate. The JCs must apply the principles which would be applied by a court on application for judicial review and ensure that the JC complies with the duties imposed by section 2 IPA 2016.
2. If a JC refuses to approve the decision to issue a warrant, written reasons must be provided to the Secretary of State and the Secretary of State may ask the IPC to decide whether to approve to issue the warrant.

New section 226GB of the IPA 2016: Approval of third party BPD warrants issued in urgent cases

1. This section describes the process for the approval of 3PD warrants issued in urgent cases. This applies when a 3PD warrant is issued without JC prior approval and the Secretary of State considered that there was an urgent need for it to be issued.
2. Subsection (2) provides that the Secretary of State must inform the JC that the warrant has been issued. The JC must then, before the end of the third working day after the day on which the warrant was issued – the "relevant period" –decide whether to approve the decision to issue the warrant and notify the Secretary of State of the Judicial Commissioner’s decision.
3. Subsection (4) explains that subsections (5) to (7) set out what happens if a judicial commissioner refuses to approve the decision to grant an urgent individual authorisation.
4. Subsection (5) provides that if a Judicial Commissioner refuses to approve the decision to issue a 3PD warrant, the warrant ceases to have effect (unless already cancelled), and may not be renewed. The Secretary of State may not asked the Investigatory Powers Commissioner to revisit the JC’s decision under section 226GA(4).
5. Subsection (6) provides that the head of the intelligence to which the warrant was issued, must ensure, as far as reasonably practicable, that any processes being done in reliance on the warrant stops as soon as possible.
6. Under subsection (7), the lawfulness of things done in reliance on an urgent individual authorisation that a JC subsequently refuses to approve is not affected by the authorisation ceasing to have effect.

New section 226GC of the IPA 2016: Decisions to issue warrants to be taken personally by Secretary of State

1. This section specifies the Secretary of State must make the decision to issue a 3PD warrant personally. The Secretary of State must also sign the 3PD warrant unless it is not reasonably practicable to do so.
2. If the Secretary of State cannot sign the warrant, it may be signed by a senior official instead (i.e., a member of the Senior Civil Service or a member of the Senior Management Structure of His Majesty’s Diplomatic Service – see section 226IE). In these cases, the warrant must contain a statement that (a) it is not reasonably practicable for the warrant to be signed by the Secretary of State, and (b) the Secretary of State has personally and expressly authorised the issue of the warrant.

New section 226GD of the IPA 2016: Requirements that must be met by warrants

1. This section states that a 3PD warrant must be addressed to the head of an intelligence service by whom or on whose behalf the application was made, and it must include a general description of the dataset (or datasets) to which the warrant relates.

New section 226H of the IPA 2016: Duration of warrants

1. This section sets out that the duration of 3PD warrants, unless renewed or cancelled, is, twelve months. Urgent 3PD warrants are valid until the end of five working days from the day after the day the warrant was issued.

New section 226HA of the IPA 2016: Renewal of warrants

1. This section sets out the process for the renewal of 3PD warrants (including urgent 3PD warrants), which may be renewed by an instrument issued by the Secretary of State, at any time during the "renewal period", if the renewal conditions are met.
2. Subsection (2) sets out the renewal conditions: the Secretary of State considers that the warrant continues to be necessary and proportionate, and the decision to renew has been approved by a JC. In making their decision, the JC must take the same approach as is taken when a warrant is first issued (see subsection (5) and section 226GA (approval of warrants by Judicial Commissioners)).
3. Subsection (3) provides that the "renewal period" means (a) in the case of an urgent warrant, the relevant period, (b) any other case, the period of 30 days which ends with the day the warrant would otherwise cease to have effect. The decision to renew must be taken personally by the Secretary of State and signed by the Secretary of State.
4. Subsection (4) provides that, as with the decision to issue a warrant, the decision to renew a warrant must be taken by the Secretary of State personally and must also be signed by the Secretary of State (see section 226GC (decision to issue warrants to be taken personally by Secretary of State) in respect of the requirements that apply to the issuing of a warrant).

New section 226HB of the IPA 2016: Cancellation of warrants

1. This section states the Secretary of State or senior official acting on their behalf may cancel a warrant at any time and must cancel the warrant should the cancellation conditions be met. The cancellation conditions are that the warrant is no longer necessary on any of the specified grounds or that the conduct authorised is no longer proportionate to what is sought to be achieved by the conduct.

New section 226HC of the IPA 2016: Non-renewal or cancellation of third party BPD warrant

1. This section is concerned with what happens when a 3PD warrant ceases to have effect either because it has expired without being renewed or because it has been cancelled (see section 226HB (cancellation of warrants). Subsection (2) provides that the head of the intelligence service to whom the warrant was addressed must, as far as reasonably practicable, ensure that any activity that is being carried out in reliance on the warrant stops as soon as possible, although the lawfulness of certain activity already done or in process is not affected.

New section 226I of the IPA 2016: Initial inspection

1. This section makes provision for an initial inspection period before a 3PD warrant is required. The initial inspection process is an important preliminary step which enables the intelligence service to inspect the contents of the dataset in order to determine whether access to the dataset would engage Part 7A and to consider whether to make an application for a 3PD warrant in respect of it. This section enables that process to be carried out in the absence of a 3PD warrant, making it a limited exception to the requirement in section 226F(requirement for authorisation by warrant). Subsection (1) sets out the circumstances in which it can be said that an initial inspection is being carried out and subsection (2) sets out the purposes for which the initial inspection may be carried out.
2. Subsection (3) and (4) make clear that the initial inspection process will lead to a decision by the intelligence service as to whether to apply for an 3PD warrant. Subsection (5) provides that the intelligence service may examine the dataset after the end of the initial examination process for the specific purpose of making an application for a warrant.

New section 226IA of the IPA 2016: Safeguards relating to examination of third party bulk personal datasets

1. This section is concerned with safeguards. It places an obligation on the Secretary of State to ensure that arrangements are in force to secure that any examination of data contained in a 3PD is necessary and proportionate in all the circumstances. The arrangements must take account of the information that is reasonably available to the intelligence service in relation to the data.

New section 226IB of the IPA 2016: Additional safeguards for items subject to legal privilege: examination

1. This section is concerned with safeguards for "protected data" that is legally privileged. It makes provision for the approval of "relevant criteria" to be used for the examination of data. The expression "protected data" is defined in section 203 in Part 7 of the IPA 2016: in broad terms, protected data is likely to be content as opposed to metadata.
2. Subsections (2) to (8) set out a regime for the approval of the use of criteria where either a purpose of using the criteria is to identify items subject to legal privilege, or the use of the criteria is likely to do so.
3. Where the criteria are referrable to an individual known to be in the British Islands, the approval of the Secretary of State is required and, per subsection (4), this approval must also be approved by a JC. When deciding whether to give approval the JC must apply the same principles as a court on application for judicial review and consider with a degree of care to ensure the JC complies with duties imposed by section 2.
4. In all other cases, the approval may be given internally by a senior official. The senior official’s approval does not need to be approved by a JC.
5. Where the purpose of the examination is to identify items subject to legal privilege (as opposed to only being likely to do so), the decision maker is required to balance the need to use the relevant criteria against the public interest in the confidentiality of items subject to legal privilege. Use of the criteria may only be authorised if there are exceptional and compelling circumstances that make it necessary to do so.
6. The "exceptional and compelling" test is further explained in subsection (7) which provides that there cannot be exceptional and compelling circumstances unless (a) public interest in obtaining the information outweighs public interest in confidentiality of items subject to legal privilege, (b) there are no other means to reasonably obtain the data, and (c) obtaining the information is necessary in the interests of national security or for the purpose of preventing death or significant injury.
7. Subsections (9) to (13) set out a regime for the approval of the use of criteria where a purpose of the using the criteria is to examine data (or underlying material i.e. other data from which that data was derived – see subsection (13)) that would be legally privileged but where the intelligence services considers it likely that it was created or held with the intention of furthering a criminal purpose (often called the iniquity exception to legal privilege).
8. Where the criteria are referrable to an individual known to be in the British Islands, the approval of the Secretary of State is required – this approval does not need to be approved by a JC (see subsection (10)).
9. In all other cases, the approval may be given internally by a senior official. The senior official’s approval does not need to be approved by a JC (see subsection (11)).
10. Approval may be given only if the decision maker considers that the targeted data or the underlying material is likely to have been created or to be held with the intention of furthering a criminal purpose.

New section 226IC of the IPA 2016: Additional safeguards for items subject to legal privilege: retention following examination

1. This section explains the process that must be followed if an intelligence service examines legally privileged material in a 3PD and retains it (otherwise than under a warrant issued under Part 7 of the IPA 2016).
2. The intelligence service must inform the IPC as soon as reasonably practicable after retaining the item. The IPC then has certain powers, including to direct that the item must be destroyed or to impose conditions as to its retention or use.
3. If the IPC considers that the (a) the public interest retaining the item outweighs the public interest in confidentiality of items subject to legal privilege, and (b) retaining the item is necessary in the interests of national security or for the purpose of preventing death or significant injury (see subsection (5)), then the intelligence service may continue to retain the item, subject to such conditions as the IPC may impose (see subsection (4)).
4. If the IPC does not agree that the item may be retained, then he or she must direct either that the item be destroyed or that it be subject to one or more conditions as to its use or retention. In deciding whether to require destruction or impose conditions, the IPC may require an affected party (either the Secretary of State or the intelligence service the 3PD warrant was addressed) to make representation and must have regard to any such representations made.

New section 226ID of the IPA 2016: Offence of breaching safeguards relating to examination of material

1. This section creates a new offence that applies where a person deliberately examines a third party bulk personal dataset, in reliance on a 3PD warrant, knowing or believing that the examination is not necessary and proportionate. An offence is committed if a person examines a 3PD with reliance on a 3PD warrant, the person knows the examination is a breach of the requirement specified in subsection (2) and the person deliberately examines that data in breach of that requirement.
2. This section also sets out the penalties for a person found guilty of this offence, and makes clear that proceedings in relation to an offence under this section may only be instituted by or with the consent of the Director of Public Prosecutions in England and Wales or the Director of Public Prosecutions for Northern Ireland in Northern Ireland.

New section 226IE of the IPA 2016: Part 7B: interpretation

1. This section provides definitions for terms used in Part 7B
2. Personal and protected data has the same meaning as in Part 7. Senior official means a member of the Senior Civil Service or a member of the Senior Management Structure of His Majesty’s Diplomatic Service; and third party BPD warrant is defined in section 226F.

Minor and consequential amendments

Section 6: Minor and consequential amendments

1. This section makes minor and consequential amendments to sections 1 and 2 of the IPA 2016 (oversight and general duties in relation to privacy) to reflect the inclusion of the new Parts 7A and 7B within the Act, as well as making necessary amendments to the Regulation of Investigatory Powers Act 2000 to include conduct carried out under Parts 7A and 7B within the list of activities for which the Investigatory Powers Tribunal is the appropriate forum for complaints.

Part 2: Oversight Arrangements

Section 7: Deputy Investigatory Powers Commissioner

1. Section 7(2) inserts two new subsections into section 227 of the IPA 2016, as follows.
2. Subsection (6A) sets out that the Investigatory Powers Commissioner (IPC) may formally appoint up to two persons who are Judicial Commissioners (including Temporary Judicial Commissioners) to become Deputy Investigatory Powers Commissioners (DIPC).
3. Subsection (6B) clarifies that a Deputy Investigatory Powers Commissioner continues to be a Judicial Commissioner (JC).
4. Section 7(3) clarifies the circumstances when a person will cease to be a Deputy Investigatory Powers Commissioner (DIPC). This will be for the following reasons:
   1. the person ceases to be a Judicial Commissioner,
   2. the Investigatory Powers Commissioner removes the person from being a Deputy Investigatory Powers Commissioner, or
   3. the person resigns as a Deputy Investigatory Powers Commissioner.
5. Section 7(4) inserts the definition of a DIPC and refers to appointment of a DIPC under 227(6A) and the expression is also read in accordance with section 227(13)(b)).
6. Section 7(5) inserts the term "Deputy Investigatory Powers Commissioner" into the index of defined expressions.

Section 8: Delegation of functions

1. This section gives the IPC the ability to delegate the exercise their functions to a DIPC, in addition to other JCs, and specifies the scope of delegations to DIPCs and (JCs). This is achieved by amending section 227(8) and inserting new subsections (8A) - (8D).
2. Section 8(2) inserts subsection (8A) into section 227 IPA, which specifies that certain personal functions conferred on the IPC, such as deciding an appeal against, or a review of, a decision made by a JC, may only be delegated to DIPCs when the IPC is unable or unavailable to exercise their functions for any reason.
3. Subsection (8B) of section 227 clarifies that the IPC’s functions, as listed in subsection (8A) may not be delegated to JCs who are not DIPCs.
4. Subsection (8C) of section 227 clarifies that the IPC’s functions, as listed in subsection (6A) [appointment of DIPCs] may not be delegated.
5. Subsection (8D) of section 227 specifies that where there are two DIPCs, the power under section 227(8)(a) may be used to delegate to one DIPC the function of the IPC in deciding an appeal against, or a review of, a decision made by the other DIPC.
6. Subsection (10A) of section 227 specifies that where the exercise of the IPCs functions under section 227(8)(c) (deciding an appeal against, or a review of, a decision made by a JC is delegated to DIPCs and the DIPC decides the appeal or review, no further appeal or request for a further review may be made to the IPC in relation to the decision of the DIPC.

Section 9: Temporary Judicial Commissioners

1. This section inserts new section 228A into the IPA 2016 and gives the IPC and the Secretary of State the power to appoint Temporary JCs in exceptional circumstances, which result in a shortage of persons able to carry out the functions of JCs. In the event of a temporary JC being appointed, the IPC must notify certain persons including the Prime Minister, the Secretary of State and the Scottish Ministers as soon as practicable after the appointment. These provisions are based on section 22 of the Coronavirus Act 2020 and regulation 3 of S.I. 2020/360.

New section 228A of the IPA 2016: Temporary Judicial Commissioners

1. Subsection (1) sets out when the power to appoint Temporary JCs can be exercised.
2. Subsections (2) and (3) specifies that the IPC may appoint one or more persons to carry out the functions of JCs and that such persons shall be known as Temporary JCs.
3. Subsection (4) specifies the term of a Temporary JC.
4. Subsection (5) sets out who the IPC must notify when a new Temporary JC is appointed.
5. Subsection (6) clarifies that a reference in any enactment is to be read (so far as context allows) as referring also to a Temporary JC.
6. Subsection (7) specifies that certain provisions relating to the appointment of JCs, under section 227 and 228 IPA 2016, are disapplied in relation to the appointment of Temporary JCs. This includes the requirement for the Prime Minister to appoint JCs, for JCs to be appointed on the recommendation of the Lord Chancellor and other senior judges in the three legal jurisdictions and the requirement for the Prime Minister to consult with the Scottish Ministers (section 227(1) and (4) - (6). Section 228(2) IPA 2016 is also disapplied to allow for Temporary JCs to be appointed for one or more terms not exceeding six months each and not exceeding three years in total, per section 228A(4).
7. Subsection (8) clarifies that in section 228A, the term "Judicial Commissioner functions" means the functions conferred on JCs by any enactment (including the IPA 2016).

Section 10: Main functions of the Investigatory Powers Commissioner

1. This section amends the IPC’s main oversight functions.
2. Section 10(2)(a) removes the IPC’s functions relating to the oversight of prevention or restriction of use of communication devices by prisoners etc., as telecommunications restriction orders are already subject to judicial approval in the county court.
3. Section 10(2)(b) places certain MoD oversight functions on a formalised footing, which are currently overseen on a non- statutory footing. To achieve this, this section inserts a provision into the IPA 2016 that the IPC must keep under review (including by way of audit, inspection and investigation) compliance by any part of His Majesty’s forces, or by any part of the Ministry of Defence, with policies governing the use of surveillance and the use and conduct of covert human intelligence sources outside the UK.
4. Section 10(3) inserts a provision specifying that the Prime Minister may direct the IPC to carry out additional oversight functions in respect of any public authority not mentioned in section 230(1)(a) - (c) of the IPA 2016, so far as engaging in intelligence activities.
5. Section 10(4) replaces the reference to a "code of practice under Schedule 7" with a reference to a "relevant code of practice". This is then defined in a new subsection to mean a code of practice under Schedule 7 of the IPA 2016, the Police Act 1997, Regulation of Investigatory Powers Act 2000, or the Regulation of Investigatory Powers (Scotland) Act 2000. This amendment is intended to clarify the scope of "relevant errors" under the IPA 2016.

Section 11: Personal data breaches

1. Section 11(1) inserts a provision into the Investigatory Powers Act (s.235A) for the Investigatory Powers Commissioner to notify affected individuals of serious personal data breaches relating to warrants issued under the IPA 2016, if the IPC determines it is in the public interest to make such a notification.
2. Subsection (1) sets out the circumstances in which the provision applies, namely where a Telecommunications Operator is prevented from reporting a personal data breach to the Information Commissioner due to a relevant restriction.
3. Subsection (2) sets out that a Telecommunications Operator must report such a personal data breach to the Investigatory Powers Commissioner.
4. Subsection (3) confirms that where a Telecommunications Operator has reported a personal data breach to the Investigatory Powers Commissioner, a Judicial Commissioner must then disclose information about the breach to the Information Commissioner. This will ensure that the Information Commissioner can appropriately investigate such a breach.
5. Subsection (4) sets out that where a Judicial Commissioner discloses information about a personal data breach to the Information Commissioner, the Information Commissioner must consider whether the breach is serious and if such a consideration is made, the Information Commissioner must notify the Investigatory Powers Commissioner.
6. Subsection (5) confirms that the Investigatory Powers Commissioner must inform an individual of any personal data breach relating to that individual of which the Commissioner is notified by the Information Commissioner, if the Commissioner considers that it is in the public interest for the individual to be informed of the breach.
7. Subsection (6) sets out the factors the Investigatory Powers Commissioner must consider in deciding whether it is in the public interest to notify an individual who has been affected by a personal data breach.
8. Subsection (7) confirms that the Investigatory Powers Commissioner must ask the Secretary of State and any public authority the Commissioner considers appropriate for submissions before making a decision regarding the public interest in notifying the affected individual of a breach.
9. Subsection (8) sets out the information the Investigatory Powers Commissioner must provide when notifying an individual who has been affected by a personal data breach of the breach.
10. Subsection (9) provides that the Investigatory Powers Commissioner may not inform an individual who has been affected by a personal data breach of a breach notified by the Information Commissioner, except as provided by section 235A.
11. Subsection (10) sets out that a personal data breach is considered to be serious if the breach is likely to result in a high risk to the rights and freedoms of individuals.
12. Subsection (11) defines the key terms used throughout this section, covering "the 2003 Regulations" (i.e. the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426) - "PECR"), "personal data breach" and "relevant restriction".
13. Section 11(2) amends RIPA 2000 to clarify that the Investigatory Powers Tribunal is the appropriate forum for to determine complaints relevant personal data breaches specified in section 235A of the Act.
14. Section 11(3) amends RIPA 2000 in consequence of the amendments made at section 11(2) regarding the Tribunal’s jurisdiction.
15. Section 11(4) amends section 68(8) RIPA 2000 to add the Information Commissioner to the list of relevant Commissioners who may be required to provide assistance to the Tribunal.
16. Section 11(5) repeals regulation 5A(9) of PECR to enable Telecommunications Operators to report certain personal data breaches to the Information Commissioner.
17. Section 11(6) repeals paragraph 14 of Schedule 10 IPA 2016, in consequence of the amendment at Section 11(5).

Part 3: Communications Data etc

Communications data

Section 12: Offence of unlawfully obtaining communications data

1. Section 12 amends section 11 of the IPA 2016. Subsection (2) amends section 11(1) of the IPA 2016 with the effect that public authorities which acquire communications data from another public authority acting as a Telecommunications Operator (TO) which is not wholly or mainly funded out of public funds will not commit a section 11 offence in relation to that acquisition.
2. Subsection (3) inserts a list of examples of cases which will amount to "lawful authority" in subsection (3A) of section 11 in respect of communications data acquisition from a TO or Postal Operator. This is a non-exhaustive list of authorities that will amount to "lawful authority" and which includes the following; where the relevant person has obtained communications data under section 81(1) IPA 2016, where communications data is obtained in the exercise of a statutory power of the relevant public authority (including other authorisations available under the IPA 2016), where the operator lawfully provides the communications data to the relevant public authority, any judicial authorisation e.g. a court order, where the data has been obtained after it has been published and where the communications data has been obtained by the relevant person when responding to a call made to the emergency services.
3. Subsection (3B) sets out the meaning of ‘emergency services’ and ‘publish’ as referred to in subsection (3A).
4. This section also makes a consequential change to the heading of section 6 with the insertion of ‘in relation to interceptions’ in order to distinguish it from "lawful authority" for communications data.

Section 13: Meaning of "communications data": subscriber details

1. This section makes clear "communications data" includes entity data that comprises the content of a communication made for the purpose of initiating or maintaining an entity’s access to a telecommunications service. It is also the content about an entity to which that telecommunications service is provided or will be provided. It is not the data comprised in the recording of speech, for example voicemails. This will have the practical effect of clarifying that this data is communications data rather than content.

Section 14: Powers to obtain communications data

1. This section amends section 12 of the IPA 2016. Currently section 12(2) of the Act states that any ‘general information gathering power’ which would have previously enabled a public authority to secure disclosure of Communications Data from a Telecommunications Operator or Postal Operator without:
   1. the consent of the operator,
   2. a court order or other judicial authorisation or warrant, and
   3. being a regulatory power,

   no longer enables the public authority to secure such discloser.

2. Section 12(6) of the IPA 2016 then narrowly defined a ‘regulatory power’ as meaning any power to obtain information or documents – but only those exercisable in connection with the regulation of TOs, services or systems or postal operators or services.
3. Section 14(4) inserts new subsections (2B) to (2D) into section 12 with the effect of disapplying section 11(2)’s limitation of general information powers in certain circumstances and to certain specified public authorities. New subsection (2B) provides that subsection (2) does not apply in relation to the exercise of regulatory or supervisory powers, unless those powers are exercised in the course of a criminal investigation. New subsection (2C) defines "criminal investigation". New subsection (2D) provides that an investigation is not in the course of a "criminal investigation" if, at the time of the acquisition of the CD, it is not being done with a view to seeking a criminal prosecution.
4. Section 14(5A) and (5B) provide a definition for ‘specified public authority’ as one listed in either new Schedule 2A or Schedule 4, and states that either the Secretary of State or the Treasury may, by regulations, modify new Schedule 2A.
5. Section 14(6) replaces the term ‘regulatory power’ with the definition of ‘regulatory or supervisory power.’ and defines this new term as being one exercisable in connection with
   1. the regulation of persons or activities,
   2. the checking or monitoring of compliance with requirements, prohibitions or standards imposed by or under an enactment, or
   3. the enforcement of any requirement or prohibition imposed by or under an enactment,
6. This definition of ‘regulatory or supervisory power’ is designed to capture organisations such as the Financial Conduct Authority and HMRC and their respective regulation of the financial sector and supervision of anti-money laundering regulations.
7. Section 14(7) introduces a Schedule which reverses certain of the changes originally made by Schedule 2 to the IPA 2016 with the effect of reinstating powers available to public authorities which confer regulatory and supervisory powers on those authorities. The changes made by Schedule 2 to the IPA 2016 which relate to powers that can only be used for criminal investigations are unchanged by this Act.
8. In effect, this means that the public authority can only acquire Communications Data from a TO using a regulatory or supervisory power, rather than those conferred under the IPA 2016, if at the time of acquisition their intention is to use the information in support of a civil regulatory or supervisory statutory function and not for a criminal investigation or prosecution.

Internet connection records

Section 15: Internet connection records

1. The new section adds an additional access condition ‘D’ which stipulates who may use this new condition and under what circumstances. The condition is split into two parts. Condition ‘D1’ covers the Lawful Purposes for which the new condition may be used when authorisation is by the Investigatory Powers Commissioner. Condition ‘D2’ covers the more limited Lawful Purposes for which the new condition may be used when internal authorisation is permitted.
2. Section 15 (1) makes clear that the following section relates to section 62 of the Act and restrictions in relation to internet connection records.
3. Section 15(2) and (3) simply amend sections in the Act which mention all conditions to ensure they now also reference the new condition D.
4. Section 15(4) inserts new subsections 5A, 5B and 5C into the IPA 2016 which define the new condition D and provides interpretation of the term ‘specified.’
5. New subsection (5A) introduces a table which makes clear that condition D1 only applies to the intelligence services and the NCA.
6. It defines Condition D1 as being when the Investigatory Powers Commissioner considers that it is necessary, for a purpose referenced within the table (see below), to obtain data to identify which persons or apparatuses are using one or more specified internet services in a specified period, where "specified" means specified in the application.
7. This is similar to Condition A save that it removes the requirement to possess unequivocal knowledge about the service(s) and time(s) of use and instead permits that these factors be stated within the application, based upon analysis and subject matter expertise.
8. The table relevant to condition ‘D1’ sets out the limited lawful purposes for which the intelligence services and the NCA may use this provision.
9. For the intelligence services this is:
   1. in the interests of national security,
   2. in the interests of the economic well-being of the United Kingdom so far as those interests are also relevant to the interests of national security
   3. for the purpose of preventing or detecting serious crime.
10. For the NCA this is;
    1. for the purpose of preventing or detecting serious crime.
11. New subsection 5B introduces a further table relevant to condition ’D2.’ This sets out the more limited circumstances where a designated senior officer may authorise use of this provision.
12. For the intelligence services this is limited to;
    1. in the interests of national security,
    2. in the interests of the economic well-being of the United Kingdom so far as those interests are also relevant to the interests of national security
13. And in urgent cases only;
    1. for the purpose of preventing or detecting serious crime.
14. For the NCA condition D2 permits a designated senior officer to authorise use of the provision, in urgent cases only, for the purpose of preventing or detecting serious crime.
15. New subsection 5C explains that the term ‘specified’ means specified within the application for the authorisation.

Part 4: Notices

Retention notices

Section 16: Powers to require retention of certain data

1. Section 16 amends section 87 of the IPA 2016. That section limits what types of relevant communications data can be required to be retained by a TO under a data retention notice under section 87.
2. Subsection (2) inserts wording into section 87(4) to disapply the effect of s87(4) in relation to data that;
   1. is, or can only be obtained by processing internet connection records. The effect of this is that such data can be retained under a data retention notice.
   2. does not relate to a relevant roaming service.
3. Section 16(3) inserts new subsection (4A) which defines "relevant roaming service". The effect of this definition read with the exclusion of relevant roaming services from s87(4) is that relevant communications data relating to a relevant roaming service can be subject to a data retention notice under section 87 of the IPA 2016.

Section 17: Extra-territorial enforcement of retention notices etc

1. This section amends section 95(5) and 97 of the IPA 2016 to allow extraterritorial enforcement of data retention notices to strengthen policy options when addressing emerging technology, bringing it in line with technical capability notices (TCNs).

Retention, national security and technical capability notices

Section 18: Review of notices by the Secretary of State

1. When a notice is formally given to a TO by the Secretary of State, its obligations become binding on them. If at this point the operator is dissatisfied with the terms of the notice, they have a statutory right to refer the notice (or part of it) to the Secretary of State for review.
2. Section 90(4)(a) of the IPA 2016 (data retention notices) specifies that during that review period the TO is not required to make any changes to specifically comply with the notice. This requirement is replicated in section 257(3)(a) (national security and technical capability notices). This ensures consistency across all notice types.
3. Section 90(4A) of the IPA 2016 specifies that the TO must not make any relevant changes which relates to obligations within the notice. Subsection (4B) defines "relevant change", This proposal would preserve the status quo during the review period, meaning if the TO was providing assistance in relation to warrants, authorisations or notices under the IPA 2016 then this assistance must continue during the review period. This requirement is replicated in section 257(3A) and (3B) to ensure consistency across all notice types.
4. Section 90(5) of the IPA 2016 (data retention notices) is amended to specify that the Secretary of State must review a notice before the end of the review period and decide what action to take under subsection (10). This requirement is replicated in section 257(4) (national security and technical capability notices) to ensure consistency across all notice types.
5. Section 90(5A) of the IPA 2016 (data retention notices) defines the "review period". This amendment introduces a new regulation making power, enabling the Secretary of State to specify in regulations the overall length of time a review of a notice can take. This requirement is replicated in section 257(4A) (national security and technical capability notices) to ensure consistency across all notice types.
6. Section 90(9A) and (9B) of the IPA 2016 (data retention notices) make provisions for a JC to give a direction to the operator and Secretary of State specifying the time period within which both parties may provide evidence or representations and the power to disregard any submissions provided outside these timescales. This requirement is replicated in Section 257(8A) and (8B) (national security and technical capability notices) to ensure consistency across all notice types.
7. The amendment to Section 90(10) of the IPA 2016 (data retention notices) ensures the Secretary of State must, after considering the conclusions of the TAB and JC, decide what action to take before the end of the "relevant period". This requirement is replicated in section 257(9) (national security and technical capability notices) to ensure consistency across all notice types.
8. Section 90(11A) of the IPA 2016 (data retention notices) defines the "relevant period". This amendment introduces a new regulation making power, enabling the Secretary of State to specify in regulations the length of time the Secretary of State can take to reach a decision. This requirement is replicated in section 257(10A) (national security and technical capability notices) to ensure consistency across all notice types.
9. Section 90(14)-(16) of the IPA 2016 (data retention notices) makes provision for the Secretary of State to include in regulations made pursuant to these sections, provisions to extend any period of time provided for by the regulations, the circumstances in which the Secretary of State may extend the review period and the relevant period and the associated requirements if an extension is sought. These requirements are replicated in Section 257(13)-(15) (national security and technical capability notices) to ensure consistency across all data types.
10. The amendment to 267(3) of the IPA 2016 applies the affirmative procedure to regulations made under these sections.
11. The amendment to section 95(5) of the IPA 2016 ensures (data retention notices) that the new duty under section 90(4A) is enforceable by current mechanisms specified in this section. This requirement is replicated in section 255(10) (national security and technical capability notices) in relation to the new duty under section 257(3A).
12. The further amendment to section 255(10) of the IPA 2016 ensures subsection (8), the prohibition of revealing the existence of notices, is enforceable by current mechanisms specified in this section, just as subsection already 9 is. This is to ensure consistency across all notice types.

Section 19: Meaning of "telecommunications operator" etc

1. As companies increasingly have multiple entities spread across the globe involved in the delivery of their services, this section amends the definition of a TO out of an abundance of caution to ensure the IPA 2016 continues to apply to all those it was intended to.
2. Section 261(10)(c) of the IPA 2016 provides additional clarification ensuring that large companies with complex corporate structures are covered in their totality by the IPA 2016. The amendment made by this Act is not seeking to bring additional companies within scope.
3. The amendment to section 253(1)(a) makes clear that a TCN may be issued to one entity in relation to another entity’s capability.

Section 20: Renewal of notices

1. Section 87(6A) of the IPA 2016 (data retention notices) introduces a new obligation for a notice to be renewed, if it has not been varied so as to require additional obligations, renewed or revoked, within the relevant period. Subsection (6B) defines the "relevant period" as a period of two years beginning with the day a notice comes into force (if the notice has not previously been varied) or in the case of a notice that has been varied or renewed, the day after the day the notice would have ceased to have effect, had it not been varied or renewed. This requirement is replicated in section 255(5A) and (5B) (national security and technical capability notices) to ensure consistency across all notice types.

New sections 94A and 256A of the IPA 2016: Renewal of notices

1. Section 94A(2) sets out the renewal conditions which the Secretary of State must take into account for the purposes of determining the necessity and proportionality justifications of the notice. The provision also specifies that the decision to renew a notice is subject to the approval of a JC. This requirement is replicated in section 256A(2) for national security notices and subsection (3) for TCNs to ensure consistency across all notice types.
2. Section 94A(3)-(5) make clear the renewal period, the manner in which the Secretary of State may bring the renewal to attention of the operator and ensuring that the current processes regarding the issuing of a data retention notice, under sections 87(10), 88, 89 and 90, apply to renewals. This is replicated in section 256A subsections (4)-(7) to ensure that current processes for issuing national security and technical capability notices apply to renewals.
3. A consequential amendment to section 229(8)(e)(i) is required to bring notices requiring renewal, pursuant to sections 94A and 256A, under the main oversight functions of the IPC. This ensures JCs are able to carry out their functions in deciding whether to approve the renewal of a notice.

Notification of changes to telecommunications services etc

Section 21: Notification of proposed changes to telecommunications services etc

1. This section amends the IPA 2016 by inserting section 258A into the Act.

New section 258A of the IPA 2016: Notification of proposed changes to telecommunications services etc

1. Section 258A(1) introduces a notification requirement. This is an obligation that the Secretary of State can place on an operator that requires them to notify the Secretary of State of relevant changes that the operator is intending to make.
2. Subsection (2) and (3) defines the term "relevant change", which is a change to a service or system provided by the operator and that is specified in regulations.
3. Subsection (4) makes provisions for regulations, which will set out thresholds for the notification requirement to ensure that it does not disproportionately or unnecessarily affect operators who do not hold or provide operationally relevant data.
4. Subsection (5) and (6) sets out what the Secretary of State must consider before issuing a notice to an operator under this section.
5. Subsection (7) requires the Secretary of State to consult the operator before giving them a notice under this section. The provision would require the Secretary of State to discuss, during the consultation with the operator, the specifics of the obligation to be imposed on the operator before the Secretary of State issues the notice. These individualised and confidential specifics will be included in the formal notice issued by the Secretary of State.
6. Subsections (8) - (10) ensures that the new duty under 258A and the non-disclosure of the existence of a notice under this section is enforceable by civil proceedings.
7. Subsection (11) and (12) defines the term "relevant operator". This is to ensure that the notification requirement can be placed on operators that provide lawful access of significant operational value and who currently provide assistance with warrants, authorisations or notices under the IPA 2016. This is to ensure the notification requirement does not disproportionality affect all operators.
8. A consequential amendment to sections 65, 67 and 68 of RIPA 2000 is required to bring notices issued pursuant to section 258A under the Investigatory Power Tribunal’s jurisdiction (consistent with other similar notices issued under the IPA). This is a minor and technical amendment.

New section 258B of the IPA 2016: Variation and revocation of notices given under section 258A

1. Section 258B introduces a provision that allows the Secretary of State to vary or revoke a notice under this section if required. This is to ensure that the notification requirement remains necessary and proportionate and continues to accurately reflect the systems and services the operator provides and are in scope of the thresholds.

Part 5: Miscellaneous

Members of Parliament

Section 22: Interception and examination of communications: Members of Parliament etc

1. Subsection (1) sets out that the section amends section 26 of the IPA 2016. Section 26 sets out the additional safeguards that apply to the issue of a targeted interception warrant or a targeted examination warrant, where the purpose of that warrant relates to the acquisition of communications sent by, or intended for, a member of a relevant legislature (such as an MP). The safeguard in section 26 is sometimes referred to as the "triple lock".
2. Subsection (2) amends section 26(2) IPA 2016 to provide, that where conditions A and B are met, a Secretary of State designated under the amended s26 may approve the issue of the warrant instead of the Prime Minister. The approval decision may not be made by the Secretary of State to whom the warrant application is made.
3. Subsection (3) inserts new subsections (2A) - (2F) at the end of section 26. New subsection (2A) provides condition A, which is that the Prime Minister is unable to decide whether to give approval under subsection (2), due to incapacity or an inability to access secure communications. New subsection (2B) sets out condition B, which is that there is an urgent need for the approval decision to be made. Both conditions A and B must be met for a designated Secretary of State to be able to give approval in place of the Prime Minister.
4. New subsection (2C) and (2D) specify that the Prime Minister may only designate individuals holding the office of Secretary of State and only five such individuals may be designated. Subsection (2D) also specifies that an individual Secretary of State may only be designated if they have the necessary operational awareness to decide whether to give approvals under subsection (2). New subsection (2E) provides for the duration of such a designation under section 26, which is that it will end when the individual ceases to hold the office of Secretary of State or when the Prime Minister revokes the designation. Subsection (2F) provides a definition of "senior official" for the purposes of that section, as amended.

Section 23: Equipment interference: Members of Parliament etc

1. Subsection (1) sets out that the following sections amend Section 111 of the IPA 2016. The subsequent sections set out which sections will be amended and how.
2. Subsection (2) provides, that where conditions A and B are met, a Secretary of State, other than the original authorising Secretary of State, may provide the final authorisation in the triple lock mechanism in relation to a targeted equipment interference warrant or a targeted examination warrant. Subsection (3) inserts wording into section 111(6) to the same effect but in relation to a targeted equipment interference warrant from a law enforcement chief.
3. Subsection (4) inserts new subsections (7A) - (7E) into section 111. New subsection (7A) provides condition A, which is that the Prime Minister is unavailable to decide whether to approve the issue of the warrant due to incapacity or an inability to access secure communications. New subsection (7B) sets out condition B, which is that there is an urgent need for the approval decision to be made. Both conditions A and B must be met for a designated Secretary of State to be able to give approval in place of the Prime Minister.
4. New subsections (7C) and (7D) specify that the Prime Minister may only designate individuals holding the office of Secretary of State and only five such individuals may be designated. Subsection (2D) also specifies that an individual Secretary of State may only be designated if they have the necessary operational awareness to decide whether to give approvals under subsection (2) only a Secretary of State can be designated under section 111. New subsection (7D) provides for the duration of such a designation under section 111, which is that it will end when the individual ceases to hold the office of Secretary of State or when the Prime Minister revokes the designation.

Equipment interference

Section 24: Issue of equipment interference warrants

1. Subsection 1 describes the location within the Act that the relevant changes will be made i.e. Part 1 of the table in Schedule 6.
2. Subsection 2 substitutes the reference to section 12A(1) and (2) of the Police Act 1996, (which is referenced to allow for the delegation from the Chief Constable to Deputy and Assistant Chief Constables in urgent cases), now repealed, to instead reference section 41(1) and (5) of the Police Reform and Social Responsibility Act 2011.
3. Subsections 3 and 4 allows for Deputy Director Generals at the NCA to be able to issue Targeted Equipment Interference warrants and delegate their authorisation functions to designated senior officers in the NCA in urgent cases.
4. Amend process of removal of subjects from a TEI or TXEI warrant.

Section 25: Modification of equipment interference warrants

1. This section removes the requirement to notify the Secretary of State where a modification is to remove any matter, name or description included in the warrant in accordance with section 115(3) to (5) of the IPA 2016.

Section 26: Issue of targeted examination warrants to intelligence services

1. This section amends section 102(4) of the IPA 2016 to allow the Secretary of State to issue warrants for Scottish applications for national security purposes.

Section 27: Bulk equipment interference: safeguards for confidential journalistic material etc

1. This section improves journalistic safeguards within the IPA 2016’s bulk equipment interference regime (Section 195).
2. It will replace the existing Section 195 IPA provisions with a requirement for prior independent authorisation by the Investigatory Powers Commissioner before criteria can be used to select material for examination (from that acquired under a bulk equipment interference warrant) for the purpose of finding confidential journalistic material or finding or identifying a source of journalistic information, or where the finding or identifying of such material is highly likely.
3. The section provides a new urgency process (Section 195A) for dealing with requests which need to be approved out of hours, for authorisations to use criteria to select material for examination. These authorisations will be undertaken by a senior official (under Section 195(2)) rather than the Investigatory Powers Commissioner, and will be subject to subsequent judicial authorisation as soon as reasonably practicable.
4. The section also provides a consequential amendment to section 229(8) of the IPA 2016 which includes references to the new functions of the Investigatory Powers Commissioner in sections 195 and 195A to ensure consistency within the IPA.

Exclusion of matters from legal proceedings etc: exceptions

Section 28: Exclusion of matters from legal proceedings etc: exceptions

1. This section creates exceptions to the prohibition on disclosing intercept materials to be used as evidence under section 56 of the IPA. The exception is being extended to proceedings before the Parole Board of England and Wales and will also affect any subsequent proceedings that arise out of those proceedings (such as an appeal). The section also provides the limits on the disclosure of intercept material for this purpose.
2. An exception is also being introduced to permit disclosure to certain coroners who conduct inquiries or inquests in Northern Ireland and relevant sheriffs who conduct inquiries or inquests into a person’s death in Scotland. New paragraph 25 of Schedule 3 to the IPA 2016 makes it clear that a disclosure can be made to a relevant coroner or, in certain circumstances, to a legal adviser working with them. New paragraph 26 of Schedule 3 to the IPA 2016 permits disclosures to relevant persons conducting an inquiry under the Inquiries into Fatal Accidents and Sudden Deaths etc. (Scotland) Act 2016 or a lawyer appointed under section 24 of that Act to assist the relevant person.

Freedom of information

Section 29: Freedom of information: bodies dealing with security matters

1. This section amends section 23 of the Freedom of Information Act 2000 to add JCs to the list of bodies dealing with security matters, to ensure that the exemption at section 23 may be applied by public authorities to protect sensitive information from disclosure in response to FOIA requests.

Part 6: General

General

Section 30: Power to make consequential provision

1. This section allows for the Secretary of State to amend or repeal a provision of the Act. The Secretary of State can only do this by laying a statutory instrument which must be approved by both Houses of Parliament in relation to changes to an instrument which changes primary legislation. If the instrument makes consequential changes which are to legislation other than to primary legislation, the instrument will be subject to annulment by a resolution of either House of Parliament.

Section 31: Extent

1. This section sets out the territorial extent of the Act. Subsection (3) provides for the Act to be extended to (with or without modifications) to the Isle of Man or any of the British overseas territories, by Order in Council.

Section 32: Commencement

1. Part 6 of the Act (this part) comes into force on the day on which the Act is passed. The other provisions of the Act come into force on such day as is appointed by regulations made by the Secretary of State.
2. Regulations under this section may include provision of the sort mentioned in subsection (3) and (4), namely transitional and saving provision and different provisions for different purposes. They are to be made by statutory instrument but are not subject to the negative or affirmative Parliamentary procedure.

Section 33: Short title

1. The Act is to be referred to as the Investigatory Powers (Amendment) Act 2024.

Schedule: Disclosure powers

1. Section 14 of this Act amends section 12 of the IPA 2016 and the powers to obtain communications data reverses the effect of certain repeals of disclosure powers and makes consequential provision to schedule 2 of the IPA 2016.

Part 1: Restoration of disclosure powers

Health and Safety at Work etc Act 1974

1. In section 20 of the Health and Safety at Work etc Act 1974 (powers of inspectors), omit subsections (9) and (10).

Criminal Justice Act 1987

1. In section 2 of the Criminal Justice Act 1987 (investigation of powers of the Director of Serious Fraud Office), omit subsections (10A) and (10B).

Consumer Protection Act 1987

1. In section 29 of the Consumer Protection Act 1987 (powers of search etc), omit subsections (8) and (9).

Environment Protection Act 1990

1. In section 71 of the Environment Protection Act 1990 (obtaining of information from persons and authorities), omit subsections (5) and (6).

Financial Services and Markets Act 2000

1. In section 175 of the Financial Services and Markets Act 2000 (information gathering and investigations: supplemental provision), omit subsections (5A) and (5B).

Part 2: Consequential amendments

1. In consequence of the above, paragraphs 1 to 4 and 9 of Schedule 2 to the IPA 2016 (abolition of disclosure powers) will be omitted.