xmlns:atom="http://www.w3.org/2005/Atom" xmlns:atom="http://www.w3.org/2005/Atom"

Part 2U.K.Oversight arrangements

7Deputy Investigatory Powers CommissionersU.K.

(1)The Investigatory Powers Act 2016 is amended as follows.

(2)In section 227 (Investigatory Powers Commissioner and other Judicial Commissioners), after subsection (6) insert—

(6A)The Investigatory Powers Commissioner may appoint up to two persons who are Judicial Commissioners to be Deputy Investigatory Powers Commissioners.

(6B)A person appointed as a Deputy Investigatory Powers Commissioner continues to be a Judicial Commissioner.

(3)In section 228 (terms and conditions of appointment), after subsection (5) insert—

(6)A person ceases to be a Deputy Investigatory Powers Commissioner if—

(a)the person ceases to be a Judicial Commissioner,

(b)the Investigatory Powers Commissioner removes the person from being a Deputy Investigatory Powers Commissioner, or

(c)the person resigns as a Deputy Investigatory Powers Commissioner.

(4)In section 263(1) (general definitions), at the appropriate place insert—

(5)In section 265 (index of defined expressions), in the table, at the appropriate place insert—

Deputy Investigatory Powers CommissionerSection 263(1).

Commencement Information

I1S. 7 not in force at Royal Assent, see s. 32(2)

I2S. 7 in force at 14.10.2024 by S.I. 2024/1021, reg. 2(g)

8Delegation of functionsU.K.

(1)Section 227 of the Investigatory Powers Act 2016 (Investigatory Powers Commissioner and other Judicial Commissioners) is amended in accordance with subsections (2) to (6).

(2)For subsections (8) and (9) substitute—

(8)The Investigatory Powers Commissioner may, to such extent as the Investigatory Powers Commissioner may decide, delegate the exercise of functions of the Investigatory Powers Commissioner to—

(a)a Deputy Investigatory Powers Commissioner, or

(b)any other Judicial Commissioner.

This is subject to subsections (8A) to (8C).

(8A)Subsection (8)(a) applies to the function of the Investigatory Powers Commissioner of—

(a)making a recommendation under subsection (4)(e),

(b)deciding under section 90(11) or 257(10) whether to approve a decision of the Secretary of State,

(c)making an appointment under section 228A(2) or 247(1), or

(d)deciding—

(i)an appeal against, or a review of, a decision made by another Judicial Commissioner, and

(ii)any action to take as a result,

only where the Investigatory Powers Commissioner is unable or unavailable to exercise the function for any reason.

(8B)Subsection (8)(b) does not apply to any function of the Investigatory Powers Commissioner mentioned in subsection (8A).

(8C)Subsection (8) does not apply to the function of the Investigatory Powers Commissioner of making an appointment under subsection (6A).

(8D)Where there are two Deputy Investigatory Powers Commissioners, the power in subsection (8)(a) may, in particular, be used to delegate to one Deputy Investigatory Powers Commissioner the exercise of the function of the Investigatory Powers Commissioner of deciding—

(a)an appeal against, or a review of, a decision made by the other Deputy Investigatory Powers Commissioner, and

(b)any action to take as a result.

(3)Omit subsection (9A) (authorisations for obtaining communications data).

(4)After subsection (10) insert—

(10A)Where—

(a)the exercise of a function of the Investigatory Powers Commissioner mentioned in subsection (8A)(d) is delegated to a Deputy Investigatory Powers Commissioner in accordance with subsection (8)(a), and

(b)the Deputy Investigatory Powers Commissioner decides the appeal or review (and any action to take as a result),

no further appeal, or request for a further review, may be made to the Investigatory Powers Commissioner in relation to the decision of the Deputy Investigatory Powers Commissioner.

(5)In subsection (13), for paragraph (b) substitute—

(b)to the Investigatory Powers Commissioner are to be read—

(i)so far as necessary for the purposes of subsection (8)(a), as references to the Investigatory Powers Commissioner or any Deputy Investigatory Powers Commissioner, and

(ii)so far as necessary for the purposes of subsection (8)(b), as references to the Investigatory Powers Commissioner or any other Judicial Commissioner.

(6)After subsection (13) insert—

(14)In this section a reference to deciding an appeal against, or a review of, a decision made by a Judicial Commissioner includes a reference to deciding whether to approve a decision that the Judicial Commissioner has refused to approve.

(7)In section 238(6)(a) of the Investigatory Powers Act 2016 (funding, staff and facilities etc), after “section”, in the second place it occurs, insert “227(6A), 228A(2) or”.

Commencement Information

I3S. 8 not in force at Royal Assent, see s. 32(2)

I4S. 8 in force at 14.10.2024 by S.I. 2024/1021, reg. 2(h)

9Temporary Judicial CommissionersU.K.

After section 228 of the Investigatory Powers Act 2016 (but before the italic heading before section 229) insert—

228ATemporary Judicial Commissioners

(1)The power in subsection (2) is exercisable where the Investigatory Powers Commissioner and the Secretary of State consider that—

(a)as a result of exceptional circumstances, there is a shortage of persons able to carry out Judicial Commissioner functions, and

(b)the power in subsection (2) needs to be exercised in order to deal with that shortage.

(2)The Investigatory Powers Commissioner may appoint one or more persons to carry out Judicial Commissioner functions.

(3)A person appointed under subsection (2) is referred to in this section as a “temporary Judicial Commissioner”.

(4)A temporary Judicial Commissioner may be appointed under subsection (2) for one or more terms not exceeding six months each and not exceeding three years in total.

(5)As soon as practicable after the appointment of any temporary Judicial Commissioner, the Investigatory Powers Commissioner must notify the following persons of the appointment—

(a)the Prime Minister;

(b)the Secretary of State;

(c)the Scottish Ministers;

(d)the Lord Chancellor;

(e)the Lord Chief Justice of England and Wales;

(f)the Lord President of the Court of Session;

(g)the Lord Chief Justice of Northern Ireland.

(6)A reference to a Judicial Commissioner in any enactment (including this Act) is to be read (so far as the context allows) as referring also to a temporary Judicial Commissioner.

(7)But subsections (1) and (4) to (6) of section 227 and section 228(2) (appointment requirements etc) do not apply in relation to temporary Judicial Commissioners.

(8)In this section “Judicial Commissioner functions” means the functions conferred on Judicial Commissioners by any enactment (including this Act).

Commencement Information

I5S. 9 not in force at Royal Assent, see s. 32(2)

I6S. 9 in force at 14.10.2024 by S.I. 2024/1021, reg. 2(i)

10Main functions of the Investigatory Powers CommissionerU.K.

(1)The Investigatory Powers Act 2016 is amended as follows.

(2)In section 229 (main oversight functions)—

(a)in subsection (3), omit paragraph (c) (prevention or restriction of use of communication devices by prisoners etc);

(b)after subsection (3D) insert—

(3E)The Investigatory Powers Commissioner must keep under review (including by way of audit, inspection and investigation) compliance by any part of His Majesty’s forces, or by any part of the Ministry of Defence, with policies governing—

(a)the use of surveillance outside the United Kingdom, and

(b)the use and conduct of covert human intelligence sources outside the United Kingdom,

(whether or not authorised under the Regulation of Investigatory Powers Act 2000).

(3)In section 230 (additional directed oversight functions), in subsection (1)—

(a)omit the “or” after paragraph (b);

(b)after paragraph (c) insert , or

(d)any public authority not mentioned in paragraphs (a) to (c), or any part of such an authority, so far as engaging in intelligence activities.

(4)In section 231 (error reporting)—

(a)in subsection (9)(b), for “code of practice under Schedule 7” substitute “relevant code of practice”;

(b)after subsection (9) insert—

(10)In subsection (9) “relevant code of practice” means a code of practice under—

(a)Schedule 7,

(b)the Police Act 1997,

(c)the Regulation of Investigatory Powers Act 2000, or

(d)the Regulation of Investigatory Powers (Scotland) Act 2000.

Commencement Information

I7S. 10 not in force at Royal Assent, see s. 32(2)

I8S. 10 in force at 14.10.2024 by S.I. 2024/1021, reg. 2(j)

11Personal data breachesU.K.

(1)In the Investigatory Powers Act 2016, after section 235 insert—

235APersonal data breaches

(1)This section applies where a telecommunications operator would, but for a relevant restriction, be required by regulation 5A(2) of the 2003 Regulations to notify a personal data breach to the Information Commissioner.

(2)The telecommunications operator must report the personal data breach to the Investigatory Powers Commissioner.

(3)Where a telecommunications operator reports a personal data breach to the Investigatory Powers Commissioner under subsection (2), a Judicial Commissioner must disclose information about the breach to the Information Commissioner.

(4)Where a Judicial Commissioner discloses information about a personal data breach to the Information Commissioner under subsection (3), the Information Commissioner must—

(a)consider whether the breach is serious, and

(b)if the Information Commissioner considers that the breach is serious, notify the Investigatory Powers Commissioner.

(5)The Investigatory Powers Commissioner must inform an individual of any personal data breach relating to that individual of which the Commissioner is notified under subsection (4)(b) if the Commissioner considers that it is in the public interest for the individual to be informed of the breach.

(6)In making a decision under subsection (5), the Investigatory Powers Commissioner must, in particular, consider—

(a)the seriousness of the breach and its effect on the individual concerned, and

(b)the extent to which disclosing the breach would be contrary to the public interest or prejudicial to—

(i)national security,

(ii)the prevention or detection of serious crime,

(iii)the economic well-being of the United Kingdom, or

(iv)the continued discharge of the functions of any of the intelligence services.

(7)Before making a decision under subsection (5), the Investigatory Powers Commissioner must ask—

(a)the Secretary of State, and

(b)any public authority that the Investigatory Powers Commissioner considers appropriate,

to make submissions to the Commissioner about the matters concerned.

(8)When informing an individual under subsection (5) of a breach, the Investigatory Powers Commissioner must—

(a)inform the individual of any rights that the individual may have to apply to the Investigatory Powers Tribunal in relation to the breach, and

(b)provide such details of the breach as the Commissioner considers to be necessary for the exercise of those rights, having regard in particular to the extent to which disclosing the details would be contrary to the public interest or prejudicial to anything falling within subsection (6)(b)(i) to (iv).

(9)The Investigatory Powers Commissioner may not inform the individual to whom it relates of a personal data breach notified to the Commissioner under subsection (4)(b) except as provided by this section.

(10)For the purposes of this section, a personal data breach is serious if the breach is likely to result in a high risk to the rights and freedoms of individuals.

(11)In this section—

(2)In section 65 of the Regulation of Investigatory Powers Act 2000 (the Tribunal)—

(a)in subsection (2), after paragraph (b) insert—

(ba)to consider and determine any complaints made to them which, in accordance with subsection (4AA), are complaints for which the Tribunal is the appropriate forum;;

(b)after subsection (4) insert—

(4AA)The Tribunal is the appropriate forum for a complaint if it is a complaint by an individual about a relevant personal data breach.

(4AB)In subsection (4AA)relevant personal data breach” means a personal data breach that the individual is informed of under section 235A(5) of the Investigatory Powers Act 2016 (serious personal data breaches).

(3)In section 67 of the Regulation of Investigatory Powers Act 2000 (exercise of the Tribunal’s jurisdiction)—

(a)in subsection (1)(b), after “65(2)(b)” insert “, (ba);

(b)in subsection (5)—

(i)the words from “section” to the end become paragraph (a), and

(ii)after that paragraph insert , or

(b)section 65(2)(ba) if it is made more than one year after the personal data breach to which it relates.;

(c)in subsection (6), for “reference” substitute “complaint or reference has been”.

(4)In section 68 of the Regulation of Investigatory Powers Act 2000 (Tribunal procedure), for subsection (8) substitute—

(8)In this section “relevant Commissioner” means—

(a)the Investigatory Powers Commissioner or any other Judicial Commissioner,

(b)the Investigatory Powers Commissioner for Northern Ireland, or

(c)the Information Commissioner.

(5)In regulation 5A of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426) (personal data breach), omit paragraph (9) (notification to the Investigatory Powers Commissioner).

(6)In consequence of subsection (5), in Schedule 10 to the Investigatory Powers Act 2016 (minor and consequential provision), omit paragraph 14 (personal data breach) and the italic heading before it.

Commencement Information

I9S. 11 not in force at Royal Assent, see s. 32(2)

I10S. 11 in force at 14.10.2024 by S.I. 2024/1021, reg. 2(k)