Part 2 Oversight arrangements

11 Personal data breaches

(1) In the Investigatory Powers Act 2016, after section 235 insert—

“235A Personal data breaches

(1) This section applies where a telecommunications operator would, but for a relevant restriction, be required by regulation 5A(2) of the 2003 Regulations to notify a personal data breach to the Information Commissioner.

(2) The telecommunications operator must report the personal data breach to the Investigatory Powers Commissioner.

(3) Where a telecommunications operator reports a personal data breach to the Investigatory Powers Commissioner under subsection (2), a Judicial Commissioner must disclose information about the breach to the Information Commissioner.

(4) Where a Judicial Commissioner discloses information about a personal data breach to the Information Commissioner under subsection (3), the Information Commissioner must—

  (a) consider whether the breach is serious, and

  (b) if the Information Commissioner considers that the breach is serious, notify the Investigatory Powers Commissioner.

(5) The Investigatory Powers Commissioner must inform an individual of any personal data breach relating to that individual of which the Commissioner is notified under subsection (4)(b) if the Commissioner considers that it is in the public interest for the individual to be informed of the breach.

(6) In making a decision under subsection (5), the Investigatory Powers Commissioner must, in particular, consider—

  (a) the seriousness of the breach and its effect on the individual concerned, and

  (b) the extent to which disclosing the breach would be contrary to the public interest or prejudicial to—

    (i) national security,

    (ii) the prevention or detection of serious crime,

    (iii) the economic well-being of the United Kingdom, or

    (iv) the continued discharge of the functions of any of the intelligence services.

(7) Before making a decision under subsection (5), the Investigatory Powers Commissioner must ask—

  (a) the Secretary of State, and

  (b) any public authority that the Investigatory Powers Commissioner considers appropriate,

to make submissions to the Commissioner about the matters concerned.

(8) When informing an individual under subsection (5) of a breach, the Investigatory Powers Commissioner must—

  (a) inform the individual of any rights that the individual may have to apply to the Investigatory Powers Tribunal in relation to the breach, and

  (b) provide such details of the breach as the Commissioner considers to be necessary for the exercise of those rights, having regard in particular to the extent to which disclosing the details would be contrary to the public interest or prejudicial to anything falling within subsection (6)(b)(i) to (iv).

(9) The Investigatory Powers Commissioner may not inform the individual to whom it relates of a personal data breach notified to the Commissioner under subsection (4)(b) except as provided by this section.

(10) For the purposes of this section, a personal data breach is serious if the breach is likely to result in a high risk to the rights and freedoms of individuals.

(11) In this section—

  • “2003 Regulations” means the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426);

  • “personal data breach” has the same meaning as in the 2003 Regulations (see regulation 2(1) of those Regulations);

  • “relevant restriction” means any of the following—

    (a) section 57(1) (duty not to make unauthorised disclosures) (including as applied by section 156);

    (b) section 132(1) (duty not to make unauthorised disclosures) (including as applied by section 197);

    (c) section 174(1) (offence of making unauthorised disclosure),

    (read with regulation 29(1)(a)(i) of the 2003 Regulations).”

(2) In section 65 of the Regulation of Investigatory Powers Act 2000 (the Tribunal)—

  (a) in subsection (2), after paragraph (b) insert—

  “(ba) to consider and determine any complaints made to them which, in accordance with subsection (4AA), are complaints for which the Tribunal is the appropriate forum;”

  (b) after subsection (4) insert—

  “(4AA) The Tribunal is the appropriate forum for a complaint if it is a complaint by an individual about a relevant personal data breach.

  (4AB) In subsection (4AA) “relevant personal data breach” means a personal data breach that the individual is informed of under section 235A(5) of the Investigatory Powers Act 2016 (serious personal data breaches).”

(3) In section 67 of the Regulation of Investigatory Powers Act 2000 (exercise of the Tribunal’s jurisdiction)—

  (a) in subsection (1)(b), after “65(2)(b)” insert “, (ba)”;

  (b) in subsection (5)—

    (i) the words from “section” to the end become paragraph (a), and

    (ii) after that paragraph insert—

    “, or

    (b) section 65(2)(ba) if it is made more than one year after the personal data breach to which it relates.”

  (c) in subsection (6), for “reference” substitute “complaint or reference has been”.

(4) In section 68 of the Regulation of Investigatory Powers Act 2000 (Tribunal procedure), for subsection (8) substitute—

“(8) In this section “relevant Commissioner” means—

  (a) the Investigatory Powers Commissioner or any other Judicial Commissioner,

  (b) the Investigatory Powers Commissioner for Northern Ireland, or

  (c) the Information Commissioner.”

(5) In regulation 5A of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426) (personal data breach), omit paragraph (9) (notification to the Investigatory Powers Commissioner).

(6) In consequence of subsection (5), in Schedule 10 to the Investigatory Powers Act 2016 (minor and consequential provision), omit paragraph 14 (personal data breach) and the italic heading before it.