Prospective

Part 1 Bulk personal datasets

Low or no reasonable expectation of privacy

2 Low or no reasonable expectation of privacy

After Part 7 of the Investigatory Powers Act 2016 insert—

Part 7A Bulk personal dataset authorisations
Low or no reasonable expectation of privacy
226A Bulk personal datasets: low or no reasonable expectation of privacy

(1)This section applies to a bulk personal dataset if the nature of the bulk personal dataset is such that the individuals to whom the personal data relates could have no, or only a low, reasonable expectation of privacy in relation to the data.

(2)In considering whether this section applies to a bulk personal dataset, regard must be had to all the circumstances, including in particular the factors in subsection (3).

(3)Those factors are—

(a)the nature of the data;

(b)the extent to which—

(i)the data has been made public by the individuals, or

(ii)the individuals have consented to the data being made public;

(c)if the data has been published, the extent to which it was published subject to editorial control or by a person acting in accordance with professional standards;

(d)if the data has been published or is otherwise in the public domain, the extent to which the data is widely known about;

(e)the extent to which the data has already been used in the public domain.

Issue of authorisations
226B Individual authorisation

(1)In this Part “an individual authorisation” is an authorisation that authorises an intelligence service to retain, or to retain and examine, any bulk personal dataset described in the authorisation.

(2)See section 200 (requirement for authorisation) for provision about when an individual authorisation under this Part is required.

(3)The head of an intelligence service, or a person acting on their behalf, may grant an individual authorisation where the conditions in subsections (4) and (5) are met.

This is subject to subsection (6).

(4)The condition in this subsection is that the person granting the authorisation considers that—

(a)section 226A applies to the bulk personal dataset described in the authorisation,

(b)the authorisation is necessary for the purpose of the exercise of any function of the intelligence service,

(c)the conduct being authorised is proportionate to what is sought to be achieved by the conduct, and

(d)there are for the time being in force arrangements made by the intelligence service, and approved by the Secretary of State, for storing bulk personal datasets to which section 226A applies and for protecting them from unauthorised disclosure.

(5)The condition in this subsection is that the decision to grant the authorisation has been approved by a Judicial Commissioner.

(6)The condition in subsection (5) does not apply where—

(a)the bulk personal dataset described in the individual authorisation falls within a category of bulk personal datasets authorised for the purposes of this Part by a category authorisation (see section 226BA), or

(b)the person granting the individual authorisation considers that there is an urgent need to grant the authorisation.

(7)But subsection (6)(a) does not prevent a person granting an individual authorisation from seeking the approval of a Judicial Commissioner in a case where subsection (6)(a) applies if the person considers that it would be appropriate to seek such approval.

(8)An individual authorisation relating to a bulk personal dataset (“dataset A”) may also authorise the retention or examination of other bulk personal datasets (“replacement datasets”) that do not exist at the time of the grant of the authorisation but may reasonably be regarded as replacements for dataset A.

226BA Category authorisation

(1)In this Part “a category authorisation” is an authorisation that authorises a category of bulk personal datasets described in the authorisation for the purposes of this Part.

(2)The head of an intelligence service, or a person acting on their behalf, may grant a category authorisation where—

(a)they consider that section 226A applies to any dataset that falls within the category of datasets described in the authorisation, and

(b)the decision to grant the authorisation has been approved by a Judicial Commissioner.

(3)A category authorisation may describe a category of bulk personal datasets by reference to (among other things) the use to which the datasets will be put.

226BB Approval of authorisations by Judicial Commissioners

(1)In deciding whether to approve a decision to grant an individual authorisation or a category authorisation, a Judicial Commissioner must review the conclusions of the person who granted the authorisation as to the following matters—

(a)in relation to an individual authorisation, whether section 226A applies to the bulk personal dataset described in the authorisation, and

(b)in relation to a category authorisation, whether section 226A applies to any dataset that falls within the category of datasets described in the authorisation.

(2)In doing so, the Judicial Commissioner must—

(a)apply the same principles as would be applied by a court on an application for judicial review, and

(b)consider the matters referred to in subsection (1) with a sufficient degree of care as to ensure that the Judicial Commissioner complies with the duties imposed by section 2 (general duties in relation to privacy).

(3)Where a Judicial Commissioner refuses to approve a decision to grant an individual authorisation or a category authorisation, the Judicial Commissioner must give the person who decided to grant the authorisation written reasons for the refusal.

(4)Where a Judicial Commissioner, other than the Investigatory Powers Commissioner, refuses to approve a decision to grant an individual authorisation or a category authorisation, the head of the intelligence service, or a person acting on their behalf, may ask the Investigatory Powers Commissioner to decide whether to approve the decision to grant the authorisation.

226BC Approval of individual authorisations granted in urgent cases

(1)This section applies where—

(a)an individual authorisation is granted without the approval of a Judicial Commissioner, and

(b)the person who granted the authorisation considered that there was an urgent need to grant it.

(2)The person who granted the authorisation must inform a Judicial Commissioner that it has been granted.

(3)The Judicial Commissioner must, before the end of the relevant period—

(a)decide whether to approve the decision to grant the authorisation, and

(b)notify the person who granted the authorisation of the Judicial Commissioner’s decision.

The “relevant period” means the period ending with the third working day after the day on which the authorisation was granted.

(4)Subsections (5) to (7) apply if a Judicial Commissioner refuses to approve the decision to grant an individual authorisation.

(5)The authorisation—

(a)ceases to have effect (unless already cancelled), and

(b)may not be renewed,

and section 226BB(4) does not apply in relation to the refusal to approve the decision.

(6)The head of the intelligence service must, so far as is reasonably practicable, secure that anything in the process of being done in reliance on the authorisation stops as soon as possible.

(7)Section 220 (Part 7 initial examinations: time limits) applies in relation to the bulk personal dataset described in the authorisation as if the intelligence service had obtained that dataset at the time when the person who granted the authorisation is notified that the Judicial Commissioner has refused to approve the decision to grant the authorisation.

(8)Nothing in subsection (5) or (6) affects the lawfulness of—

(a)anything done in reliance on the authorisation before it ceases to have effect;

(b)if anything is in the process of being done in reliance on the authorisation when it ceases to have effect—

(i)anything done before that thing could be stopped, or

(ii)anything done that it is not reasonably practicable to stop.

Duration, renewal and cancellation
226C Duration of authorisation

(1)An individual authorisation or a category authorisation ceases to have effect at the end of the relevant period unless—

(a)it is renewed before the end of that period (see section 226CA), or

(b)it is cancelled or otherwise ceases to have effect before the end of that period (see sections 226BC, 226CB, and 226CD).

(2)In this section the “relevant period”—

(a)in the case of an urgent individual authorisation, means the period ending with the fifth working day after the day on which the authorisation was granted;

(b)in any other case, means the period of 12 months beginning with—

(i)the day on which the authorisation was granted, or

(ii)in the case of an authorisation that has been renewed, the day after the day at the end of which the authorisation would have ceased to have effect if it had not been renewed.

(3)For the purposes of subsection (2)(a), an individual authorisation is an “urgent individual authorisation” if—

(a)the authorisation was granted without the approval of a Judicial Commissioner, and

(b)the person who granted the authorisation considered that there was an urgent need to grant it.

226CA Renewal of authorisation

(1)If the renewal conditions are met for an individual authorisation or a category authorisation, the head of an intelligence service, or a person acting on their behalf, may, at any time during the renewal period, renew the authorisation.

(2)The renewal conditions for an individual authorisation are that—

(a)the person renewing the authorisation considers that—

(i)section 226A continues to apply to the bulk personal dataset described in the authorisation,

(ii)the authorisation continues to be necessary for the purpose of the exercise of any function of the intelligence service,

(iii)the conduct being authorised continues to be proportionate to what is sought to be achieved by the conduct, and

(iv)there are for the time being in force arrangements made by the intelligence service, and approved by the Secretary of State, for storing bulk personal datasets to which section 226A applies and for protecting them from unauthorised disclosure, and

(b)the decision to renew the authorisation has been approved by a Judicial Commissioner.

(3)But the condition in subsection (2)(b) does not apply where the bulk personal dataset described in the individual authorisation falls within a category of bulk personal datasets authorised for the purposes of this Part by a category authorisation.

(4)The renewal conditions for a category authorisation are that—

(a)the person renewing the authorisation considers that section 226A continues to apply to any dataset that falls within the category of datasets described in the authorisation, and

(b)the decision to renew the authorisation has been approved by a Judicial Commissioner.

(5)In this section the “renewal period” means—

(a)in the case of an urgent individual authorisation which has not been renewed, the relevant period;

(b)in the case of an individual authorisation to which section 226CD (non-renewal or cancellation of category authorisation) applies, the period of three months ending with the day at the end of which the authorisation would otherwise cease to have effect;

(c)in any other case, the period of 30 days ending with the day at the end of which the authorisation would otherwise cease to have effect.

(6)Section 226BB (approval of authorisations by Judicial Commissioner) applies in relation to a decision to renew an authorisation under this section as it applies in relation to a decision to grant an authorisation under this Part.

(7)In this section—

  • “the relevant period” has the same meaning as in section 226C;

  • “urgent individual authorisation” is to be read in accordance with subsection (3) of that section.

226CB Cancellation of authorisation

(1)The head of an intelligence service, or a person acting on their behalf, may, at any time, cancel an individual authorisation or a category authorisation.

(2)If the head of an intelligence service, or a person acting on their behalf, considers that any of the cancellation conditions are met in relation to an individual authorisation, or that the cancellation condition is met in relation to a category authorisation, they must cancel the authorisation.

(3)The cancellation conditions for an individual authorisation are—

(a)that section 226A no longer applies to the dataset described in the authorisation;

(b)that the authorisation is no longer necessary for the purpose of the exercise of any function of the intelligence service;

(c)that the conduct authorised by the authorisation is no longer proportionate to what is sought to be achieved by the conduct;

(d)that there are no longer in force arrangements made by the intelligence service, and approved by the Secretary of State, for storing bulk personal datasets to which section 226A applies and for protecting them from unauthorised disclosure.

(4)The cancellation condition for a category authorisation is that section 226A no longer applies to any dataset that falls within the category of datasets described in the authorisation.

226CC Non-renewal or cancellation of individual authorisation

(1)This section applies where an individual authorisation ceases to have effect because it expires without having been renewed or because it is cancelled.

(2)The head of the intelligence service, or a person acting on their behalf, may, before the end of the period of 5 working days beginning with the day on which the authorisation ceases to have effect, decide to grant a new individual authorisation (see section 226B) to retain, or to retain and examine, any material retained by the intelligence service in reliance on the authorisation which has ceased to have effect.

(3)Where an individual authorisation ceases to have effect because it expires without having been renewed or because it is cancelled, an intelligence service is not to be regarded as in breach of section 200(1) or (2) by virtue of its retention or examination of any material to which the authorisation related during the following periods—

(a)the period of 5 working days beginning with the day on which the authorisation ceases to have effect;

(b)if the head of the intelligence service, or a person acting on their behalf, decides to grant a new individual authorisation as mentioned in subsection (2), any period when a Judicial Commissioner is deciding whether to approve the decision.

226CD Non-renewal or cancellation of category authorisation

(1)This section applies where—

(a)a category authorisation ceases to have effect because it expires without having been renewed or because it is cancelled, and

(b)an individual authorisation describing a bulk personal dataset that falls within the category of datasets described in the category authorisation has been granted without the approval of a Judicial Commissioner in accordance with section 226B(6)(a).

(2)The individual authorisation ceases to have effect at the end of the relevant period unless—

(a)it is renewed before the end of that period, or

(b)it is cancelled or otherwise ceases to have effect before the end of that period.

(3)In this section the “relevant period” means the period of three months beginning with the day after the day at the end of which the category authorisation ceased to have effect.

Further and supplementary provision
226D Section 226A ceasing to apply to part of bulk personal dataset

(1)Subsections (2) to (4) apply where—

(a)an individual authorisation is granted under this Part in relation to any bulk personal dataset, and

(b)in the course of examining the dataset in accordance with the authorisation, the head of the intelligence service, or a person acting on their behalf, believes that section 226A does not apply, or no longer applies, to part of the dataset.

(2)The head of the intelligence service must, so far as is reasonably practicable, secure that anything in the process of being done in relation to that part of the bulk personal dataset in reliance on the authorisation stops as soon as possible.

(3)Section 220 (Part 7 initial examinations: time limits) applies in relation to that part of the bulk personal dataset as if the intelligence service had obtained that part of the dataset at the time when the head of the intelligence service, or the person acting on their behalf, first formed the beliefs mentioned in subsection (1)(b).

(4)The individual authorisation in relation to that part of the bulk personal dataset is to be treated as if it had been cancelled under section 226CB at that time.

(5)Nothing in this section affects the lawfulness of—

(a)anything done in reliance on the authorisation before it ceases to have effect;

(b)if anything is in the process of being done in reliance on the authorisation when it ceases to have effect—

(i)anything done before that thing could be stopped, or

(ii)anything done that it is not reasonably practicable to stop.

226DA Annual report

(1)The head of each intelligence service must provide an annual report to the Secretary of State about the bulk personal datasets that were authorised under this Part to be retained, or retained and examined, by the intelligence service during the period to which the report relates.

(2)The first report must relate to a period of at least one year and no more than two years, beginning with the day on which this Part comes fully into force.

(3)Subsequent reports must relate to a period of no more than one year, beginning with the end of the period to which the previous report related.

(4)Each report must be provided to the Secretary of State as soon as reasonably practicable after the end of the period to which the report relates.

226DB Report to Intelligence and Security Committee

(1)The Secretary of State must for each relevant period provide to the Intelligence and Security Committee of Parliament a report setting out information about category authorisations and renewals of category authorisations granted in that period.

(2)In subsection (1) “relevant period” means—

(a)a period of at least one year and no more than two years beginning with the date on which this Part comes fully into force, and

(b)subsequent periods of no more than one year, beginning with the end of the period to which the previous report related.

(3)Each report must be provided to the Committee as soon as reasonably practicable after the end of the period to which the report relates.

226DC Part 7A: interpretation

(1)In this Part—

  • “category authorisation” has the meaning given by section 226BA(1);

  • “individual authorisation” has the meaning given by section 226B(1).

(2)See also—

  • section 199 (bulk personal datasets: interpretation),

  • section 263 (general definitions),

  • section 265 (index of defined expressions).

(3)For the purposes of this Part, only a person holding office under the Crown may act on behalf of the head of an intelligence service.

Commencement Information

I1 S. 2 not in force at Royal Assent, see s. 32(2)