Regulation of Investigatory Powers Act 2000

Part IIIInvestigation of electronic data protected by encryption etc.

Power to require disclosure

49Notices requiring disclosure

(1)This section applies where any protected information—

(a)has come into the possession of any person by means of the exercise of a statutory power to seize, detain, inspect, search or otherwise to interfere with documents or other property, or is likely to do so;

(b)has come into the possession of any person by means of the exercise of any statutory power to intercept communications, or is likely to do so;

(c)has come into the possession of any person by means of the exercise of any power conferred by an authorisation under section 22(3) or under Part II, or as a result of the giving of a notice under section 22(4), or is likely to do so;

(d)has come into the possession of any person as a result of having been provided or disclosed in pursuance of any statutory duty (whether or not one arising as a result of a request for information), or is likely to do so; or

(e)has, by any other lawful means not involving the exercise of statutory powers, come into the possession of any of the intelligence services, the police or the customs and excise, or is likely so to come into the possession of any of those services, the police or the customs and excise.

(2)If any person with the appropriate permission under Schedule 2 believes, on reasonable grounds—

(a)that a key to the protected information is in the possession of any person,

(b)that the imposition of a disclosure requirement in respect of the protected information is—

(i)necessary on grounds falling within subsection (3), or

(ii)necessary for the purpose of securing the effective exercise or proper performance by any public authority of any statutory power or statutory duty,

(c)that the imposition of such a requirement is proportionate to what is sought to be achieved by its imposition, and

(d)that it is not reasonably practicable for the person with the appropriate permission to obtain possession of the protected information in an intelligible form without the giving of a notice under this section,

the person with that permission may, by notice to the person whom he believes to have possession of the key, impose a disclosure requirement in respect of the protected information.

(3)A disclosure requirement in respect of any protected information is necessary on grounds falling within this subsection if it is necessary—

(a)in the interests of national security;

(b)for the purpose of preventing or detecting crime; or

(c)in the interests of the economic well-being of the United Kingdom.

(4)A notice under this section imposing a disclosure requirement in respect of any protected information—

(a)must be given in writing or (if not in writing) must be given in a manner that produces a record of its having been given;

(b)must describe the protected information to which the notice relates;

(c)must specify the matters falling within subsection (2)(b)(i) or (ii) by reference to which the notice is given;

(d)must specify the office, rank or position held by the person giving it;

(e)must specify the office, rank or position of the person who for the purposes of Schedule 2 granted permission for the giving of the notice or (if the person giving the notice was entitled to give it without another person’s permission) must set out the circumstances in which that entitlement arose;

(f)must specify the time by which the notice is to be complied with; and

(g)must set out the disclosure that is required by the notice and the form and manner in which it is to be made;

and the time specified for the purposes of paragraph (f) must allow a period for compliance which is reasonable in all the circumstances.

(5)Where it appears to a person with the appropriate permission—

(a)that more than one person is in possession of the key to any protected information,

(b)that any of those persons is in possession of that key in his capacity as an officer or employee of any body corporate, and

(c)that another of those persons is the body corporate itself or another officer or employee of the body corporate,

a notice under this section shall not be given, by reference to his possession of the key, to any officer or employee of the body corporate unless he is a senior officer of the body corporate or it appears to the person giving the notice that there is no senior officer of the body corporate and (in the case of an employee) no more senior employee of the body corporate to whom it is reasonably practicable to give the notice.

(6)Where it appears to a person with the appropriate permission—

(a)that more than one person is in possession of the key to any protected information,

(b)that any of those persons is in possession of that key in his capacity as an employee of a firm, and

(c)that another of those persons is the firm itself or a partner of the firm,

a notice under this section shall not be given, by reference to his possession of the key, to any employee of the firm unless it appears to the person giving the notice that there is neither a partner of the firm nor a more senior employee of the firm to whom it is reasonably practicable to give the notice.

(7)Subsections (5) and (6) shall not apply to the extent that there are special circumstances of the case that mean that the purposes for which the notice is given would be defeated, in whole or in part, if the notice were given to the person to whom it would otherwise be required to be given by those subsections.

(8)A notice under this section shall not require the making of any disclosure to any person other than—

(a)the person giving the notice; or

(b)such other person as may be specified in or otherwise identified by, or in accordance with, the provisions of the notice.

(9)A notice under this section shall not require the disclosure of any key which—

(a)is intended to be used for the purpose only of generating electronic signatures; and

(b)has not in fact been used for any other purpose.

(10)In this section “senior officer”, in relation to a body corporate, means a director, manager, secretary or other similar officer of the body corporate; and for this purpose “director”, in relation to a body corporate whose affairs are managed by its members, means a member of the body corporate.

(11)Schedule 2 (definition of the appropriate permission) shall have effect.

50Effect of notice imposing disclosure requirement

(1)Subject to the following provisions of this section, the effect of a section 49 notice imposing a disclosure requirement in respect of any protected information on a person who is in possession at a relevant time of both the protected information and a means of obtaining access to the information and of disclosing it in an intelligible form is that he—

(a)shall be entitled to use any key in his possession to obtain access to the information or to put it into an intelligible form; and

(b)shall be required, in accordance with the notice imposing the requirement, to make a disclosure of the information in an intelligible form.

(2)A person subject to a requirement under subsection (1)(b) to make a disclosure of any information in an intelligible form shall be taken to have complied with that requirement if—

(a)he makes, instead, a disclosure of any key to the protected information that is in his possession; and

(b)that disclosure is made, in accordance with the notice imposing the requirement, to the person to whom, and by the time by which, he was required to provide the information in that form.

(3)Where, in a case in which a disclosure requirement in respect of any protected information is imposed on any person by a section 49 notice—

(a)that person is not in possession of the information,

(b)that person is incapable, without the use of a key that is not in his possession, of obtaining access to the information and of disclosing it in an intelligible form, or

(c)the notice states, in pursuance of a direction under section 51, that it can be complied with only by the disclosure of a key to the information,

the effect of imposing that disclosure requirement on that person is that he shall be required, in accordance with the notice imposing the requirement, to make a disclosure of any key to the protected information that is in his possession at a relevant time.

(4)Subsections (5) to (7) apply where a person (“the person given notice”)—

(a)is entitled or obliged to disclose a key to protected information for the purpose of complying with any disclosure requirement imposed by a section 49 notice; and

(b)is in possession of more than one key to that information.

(5)It shall not be necessary, for the purpose of complying with the requirement, for the person given notice to make a disclosure of any keys in addition to those the disclosure of which is, alone, sufficient to enable the person to whom they are disclosed to obtain access to the information and to put it into an intelligible form.

(6)Where—

(a)subsection (5) allows the person given notice to comply with a requirement without disclosing all of the keys in his possession, and

(b)there are different keys, or combinations of keys, in the possession of that person the disclosure of which would, under that subsection, constitute compliance,

the person given notice may select which of the keys, or combination of keys, to disclose for the purpose of complying with that requirement in accordance with that subsection.

(7)Subject to subsections (5) and (6), the person given notice shall not be taken to have complied with the disclosure requirement by the disclosure of a key unless he has disclosed every key to the protected information that is in his possession at a relevant time.

(8)Where, in a case in which a disclosure requirement in respect of any protected information is imposed on any person by a section 49 notice—

(a)that person has been in possession of the key to that information but is no longer in possession of it,

(b)if he had continued to have the key in his possession, he would have been required by virtue of the giving of the notice to disclose it, and

(c)he is in possession, at a relevant time, of information to which subsection (9) applies,

the effect of imposing that disclosure requirement on that person is that he shall be required, in accordance with the notice imposing the requirement, to disclose all such information to which subsection (9) applies as is in his possession and as he may be required, in accordance with that notice, to disclose by the person to whom he would have been required to disclose the key.

(9)This subsection applies to any information that would facilitate the obtaining or discovery of the key or the putting of the protected information into an intelligible form.

(10)In this section “relevant time”, in relation to a disclosure requirement imposed by a section 49 notice, means the time of the giving of the notice or any subsequent time before the time by which the requirement falls to be complied with.

51Cases in which key required

(1)A section 49 notice imposing a disclosure requirement in respect of any protected information shall not contain a statement for the purposes of section 50(3)(c) unless—

(a)the person who for the purposes of Schedule 2 granted the permission for the giving of the notice in relation to that information, or

(b)any person whose permission for the giving of a such a notice in relation to that information would constitute the appropriate permission under that Schedule,

has given a direction that the requirement can be complied with only by the disclosure of the key itself.

(2)A direction for the purposes of subsection (1) by the police, the customs and excise or a member of Her Majesty’s forces shall not be given—

(a)in the case of a direction by the police or by a member of Her Majesty’s forces who is a member of a police force, except by or with the permission of a chief officer of police;

(b)in the case of a direction by the customs and excise, except by or with the permission of the Commissioners of Customs and Excise; or

(c)in the case of a direction by a member of Her Majesty’s forces who is not a member of a police force, except by or with the permission of a person of or above the rank of brigadier or its equivalent.

(3)A permission given for the purposes of subsection (2) by a chief officer of police, the Commissioners of Customs and Excise or a person of or above any such rank as is mentioned in paragraph (c) of that subsection must be given expressly in relation to the direction in question.

(4)A person shall not give a direction for the purposes of subsection (1) unless he believes—

(a)that there are special circumstances of the case which mean that the purposes for which it was believed necessary to impose the requirement in question would be defeated, in whole or in part, if the direction were not given; and

(b)that the giving of the direction is proportionate to what is sought to be achieved by prohibiting any compliance with the requirement in question otherwise than by the disclosure of the key itself.

(5)The matters to be taken into account in considering whether the requirement of subsection (4)(b) is satisfied in the case of any direction shall include—

(a)the extent and nature of any protected information, in addition to the protected information in respect of which the disclosure requirement is imposed, to which the key is also a key; and

(b)any adverse effect that the giving of the direction might have on a business carried on by the person on whom the disclosure requirement is imposed.

(6)Where a direction for the purposes of subsection (1) is given by a chief officer of police, by the Commissioners of Customs and Excise or by a member of Her Majesty’s forces, the person giving the direction shall give a notification that he has done so—

(a)in a case where the direction is given—

(i)by a member of Her Majesty’s forces who is not a member of a police force, and

(ii)otherwise than in connection with activities of members of Her Majesty’s forces in Northern Ireland,

to the Intelligences Services Commissioner; and

(b)in any other case, to the Chief Surveillance Commissioner.

(7)A notification under subsection (6)—

(a)must be given not more than seven days after the day of the giving of the direction to which it relates; and

(b)may be given either in writing or by being transmitted to the Commissioner in question by electronic means.

Contributions to costs

52Arrangements for payments for disclosure

(1)It shall be the duty of the Secretary of State to ensure that such arrangements are in force as he thinks appropriate for requiring or authorising, in such cases as he thinks fit, the making to persons to whom section 49 notices are given of appropriate contributions towards the costs incurred by them in complying with such notices.

(2)For the purpose of complying with his duty under this section, the Secretary of State may make arrangements for payments to be made out of money provided by Parliament.

Offences

53Failure to comply with a notice

(1)A person to whom a section 49 notice has been given is guilty of an offence if he knowingly fails, in accordance with the notice, to make the disclosure required by virtue of the giving of the notice.

(2)In proceedings against any person for an offence under this section, if it is shown that that person was in possession of a key to any protected information at any time before the time of the giving of the section 49 notice, that person shall be taken for the purposes of those proceedings to have continued to be in possession of that key at all subsequent times, unless it is shown that the key was not in his possession after the giving of the notice and before the time by which he was required to disclose it.

(3)For the purposes of this section a person shall be taken to have shown that he was not in possession of a key to protected information at a particular time if—

(a)sufficient evidence of that fact is adduced to raise an issue with respect to it; and

(b)the contrary is not proved beyond a reasonable doubt.

(4)In proceedings against any person for an offence under this section it shall be a defence for that person to show—

(a)that it was not reasonably practicable for him to make the disclosure required by virtue of the giving of the section 49 notice before the time by which he was required, in accordance with that notice, to make it; but

(b)that he did make that disclosure as soon after that time as it was reasonably practicable for him to do so.

(5)A person guilty of an offence under this section shall be liable—

(a)on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine, or to both;

(b)on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum, or to both.

54Tipping-off

(1)This section applies where a section 49 notice contains a provision requiring—

(a)the person to whom the notice is given, and

(b)every other person who becomes aware of it or of its contents,

to keep secret the giving of the notice, its contents and the things done in pursuance of it.

(2)A requirement to keep anything secret shall not be included in a section 49 notice except where—

(a)it is included with the consent of the person who for the purposes of Schedule 2 granted the permission for the giving of the notice; or

(b)the person who gives the notice is himself a person whose permission for the giving of such a notice in relation to the information in question would have constituted appropriate permission under that Schedule.

(3)A section 49 notice shall not contain a requirement to keep anything secret except where the protected information to which it relates—

(a)has come into the possession of the police, the customs and excise or any of the intelligence services, or

(b)is likely to come into the possession of the police, the customs and excise or any of the intelligence services,

by means which it is reasonable, in order to maintain the effectiveness of any investigation or operation or of investigatory techniques generally, or in the interests of the safety or well-being of any person, to keep secret from a particular person.

(4)A person who makes a disclosure to any other person of anything that he is required by a section 49 notice to keep secret shall be guilty of an offence and liable—

(a)on conviction on indictment, to imprisonment for a term not exceeding five years or to a fine, or to both;

(b)on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum, or to both.

(5)In proceedings against any person for an offence under this section in respect of any disclosure, it shall be a defence for that person to show that—

(a)the disclosure was effected entirely by the operation of software designed to indicate when a key to protected information has ceased to be secure; and

(b)that person could not reasonably have been expected to take steps, after being given the notice or (as the case may be) becoming aware of it or of its contents, to prevent the disclosure.

(6)In proceedings against any person for an offence under this section in respect of any disclosure, it shall be a defence for that person to show that—

(a)the disclosure was made by or to a professional legal adviser in connection with the giving, by the adviser to any client of his, of advice about the effect of provisions of this Part; and

(b)the person to whom or, as the case may be, by whom it was made was the client or a representative of the client.

(7)In proceedings against any person for an offence under this section in respect of any disclosure, it shall be a defence for that person to show that the disclosure was made by a legal adviser—

(a)in contemplation of, or in connection with, any legal proceedings; and

(b)for the purposes of those proceedings.

(8)Neither subsection (6) nor subsection (7) applies in the case of a disclosure made with a view to furthering any criminal purpose.

(9)In proceedings against any person for an offence under this section in respect of any disclosure, it shall be a defence for that person to show that the disclosure was confined to a disclosure made to a relevant Commissioner or authorised—

(a)by such a Commissioner;

(b)by the terms of the notice;

(c)by or on behalf of the person who gave the notice; or

(d)by or on behalf of a person who—

(i)is in lawful possession of the protected information to which the notice relates; and

(ii)came into possession of that information as mentioned in section 49(1).

(10)In proceedings for an offence under this section against a person other than the person to whom the notice was given, it shall be a defence for the person against whom the proceedings are brought to show that he neither knew nor had reasonable grounds for suspecting that the notice contained a requirement to keep secret what was disclosed.

(11)In this section “relevant Commissioner” means the Interception of Communications Commissioner, the Intelligence Services Commissioner or any Surveillance Commissioner or Assistant Surveillance Commissioner.

Safeguards

55General duties of specified authorities

(1)This section applies to—

(a)the Secretary of State and every other Minister of the Crown in charge of a government department;

(b)every chief officer of police;

(c)the Commissioners of Customs and Excise; and

(d)every person whose officers or employees include persons with duties that involve the giving of section 49 notices.

(2)It shall be the duty of each of the persons to whom this section applies to ensure that such arrangements are in force, in relation to persons under his control who by virtue of this Part obtain possession of keys to protected information, as he considers necessary for securing—

(a)that a key disclosed in pursuance of a section 49 notice is used for obtaining access to, or putting into an intelligible form, only protected information in relation to which power to give such a notice was exercised or could have been exercised if the key had not already been disclosed;

(b)that the uses to which a key so disclosed is put are reasonable having regard both to the uses to which the person using the key is entitled to put any protected information to which it relates and to the other circumstances of the case;

(c)that, having regard to those matters, the use and any retention of the key are proportionate to what is sought to be achieved by its use or retention;

(d)that the requirements of subsection (3) are satisfied in relation to any key disclosed in pursuance of a section 49 notice;

(e)that, for the purpose of ensuring that those requirements are satisfied, any key so disclosed is stored, for so long as it is retained, in a secure manner;

(f)that all records of a key so disclosed (if not destroyed earlier) are destroyed as soon as the key is no longer needed for the purpose of enabling protected information to be put into an intelligible form.

(3)The requirements of this subsection are satisfied in relation to any key disclosed in pursuance of a section 49 notice if—

(a)the number of persons to whom the key is disclosed or otherwise made available, and

(b)the number of copies made of the key,

are each limited to the minimum that is necessary for the purpose of enabling protected information to be put into an intelligible form.

(4)Subject to subsection (5), where any relevant person incurs any loss or damage in consequence of—

(a)any breach by a person to whom this section applies of the duty imposed on him by subsection (2), or

(b)any contravention by any person whatever of arrangements made in pursuance of that subsection in relation to persons under the control of a person to whom this section applies,

the breach or contravention shall be actionable against the person to whom this section applies at the suit or instance of the relevant person.

(5)A person is a relevant person for the purposes of subsection (4) if he is—

(a)a person who has made a disclosure in pursuance of a section 49 notice; or

(b)a person whose protected information or key has been disclosed in pursuance of such a notice;

and loss or damage shall be taken into account for the purposes of that subsection to the extent only that it relates to the disclosure of particular protected information or a particular key which, in the case of a person falling with paragraph (b), must be his information or key.

(6)For the purposes of subsection (5)—

(a)information belongs to a person if he has any right that would be infringed by an unauthorised disclosure of the information; and

(b)a key belongs to a person if it is a key to information that belongs to him or he has any right that would be infringed by an unauthorised disclosure of the key.

(7)In any proceedings brought by virtue of subsection (4), it shall be the duty of the court to have regard to any opinion with respect to the matters to which the proceedings relate that is or has been given by a relevant Commissioner.

(8)In this section “relevant Commissioner” means the Interception of Communications Commissioner, the Intelligence Services Commissioner, the Investigatory Powers Commissioner for Northern Ireland or any Surveillance Commissioner or Assistant Surveillance Commissioner.

Interpretation of Part III

56Interpretation of Part III

(1)In this Part—

  • “chief officer of police” means any of the following—

    (a)

    the chief constable of a police force maintained under or by virtue of section 2 of the [1996 c. 16.] Police Act 1996 or section 1 of the [1967 c. 77.] Police (Scotland) Act 1967;

    (b)

    the Commissioner of Police of the Metropolis;

    (c)

    the Commissioner of Police for the City of London;

    (d)

    the Chief Constable of the Royal Ulster Constabulary;

    (e)

    the Chief Constable of the Ministry of Defence Police;

    (f)

    the Provost Marshal of the Royal Navy Regulating Branch;

    (g)

    the Provost Marshal of the Royal Military Police;

    (h)

    the Provost Marshal of the Royal Air Force Police;

    (i)

    the Chief Constable of the British Transport Police;

    (j)

    the Director General of the National Criminal Intelligence Service;

    (k)

    the Director General of the National Crime Squad;

  • “the customs and excise” means the Commissioners of Customs and Excise or any customs officer;

  • “electronic signature” means anything in electronic form which—

    (a)

    is incorporated into, or otherwise logically associated with, any electronic communication or other electronic data;

    (b)

    is generated by the signatory or other source of the communication or data; and

    (c)

    is used for the purpose of facilitating, by means of a link between the signatory or other source and the communication or data, the establishment of the authenticity of the communication or data, the establishment of its integrity, or both;

  • “key”, in relation to any electronic data, means any key, code, password, algorithm or other data the use of which (with or without other keys)—

    (a)

    allows access to the electronic data, or

    (b)

    facilitates the putting of the data into an intelligible form;

  • “the police” means—

    (a)

    any constable;

    (b)

    the Commissioner of Police of the Metropolis or any Assistant Commissioner of Police of the Metropolis; or

    (c)

    the Commissioner of Police for the City of London;

  • “protected information” means any electronic data which, without the key to the data—

    (a)

    cannot, or cannot readily, be accessed, or

    (b)

    cannot, or cannot readily, be put into an intelligible form;

  • “section 49 notice” means a notice under section 49;

  • “warrant” includes any authorisation, notice or other instrument (however described) conferring a power of the same description as may, in other cases, be conferred by a warrant.

(2)References in this Part to a person’s having information (including a key to protected information) in his possession include references—

(a)to its being in the possession of a person who is under his control so far as that information is concerned;

(b)to his having an immediate right of access to it, or an immediate right to have it transmitted or otherwise supplied to him; and

(c)to its being, or being contained in, anything which he or a person under his control is entitled, in exercise of any statutory power and without otherwise taking possession of it, to detain, inspect or search.

(3)References in this Part to something’s being intelligible or being put into an intelligible form include references to its being in the condition in which it was before an encryption or similar process was applied to it or, as the case may be, to its being restored to that condition.

(4)In this section—

(a)references to the authenticity of any communication or data are references to any one or more of the following—

(i)whether the communication or data comes from a particular person or other source;

(ii)whether it is accurately timed and dated;

(iii)whether it is intended to have legal effect;

and

(b)references to the integrity of any communication or data are references to whether there has been any tampering with or other modification of the communication or data.