Part 2  Oversight arrangements

11  Personal data breaches

(1) In the Investigatory Powers Act 2016, after section 235 insert—

235A  Personal data breaches

(1) This section applies where a telecommunications operator would, but for a relevant restriction, be required by regulation 5A(2) of the 2003 Regulations to notify a personal data breach to the Information Commissioner.

(2) The telecommunications operator must report the personal data breach to the Investigatory Powers Commissioner.

(3) Where a telecommunications operator reports a personal data breach to the Investigatory Powers Commissioner under subsection (2), a Judicial Commissioner must disclose information about the breach to the Information Commissioner.

(4) Where a Judicial Commissioner discloses information about a personal data breach to the Information Commissioner under subsection (3), the Information Commissioner must—
  (a) consider whether the breach is serious, and
  (b) if the Information Commissioner considers that the breach is serious, notify the Investigatory Powers Commissioner.

(5)

(6) In making a decision under subsection (5), the Investigatory Powers Commissioner must, in particular, consider—
  (a) the seriousness of the breach and its effect on the individual concerned, and
  (b) the extent to which disclosing the breach would be contrary to the public interest or prejudicial to—
    (i) national security,
    (ii) the prevention or detection of serious crime,
    (iii) the economic well-being of the United Kingdom, or
    (iv) the continued discharge of the functions of any of the intelligence services.

(7) Before making a decision under subsection (5), the Investigatory Powers Commissioner must ask—
  (a) the Secretary of State, and
  (b) any public authority that the Investigatory Powers Commissioner considers appropriate,
to make submissions to the Commissioner about the matters concerned.

(8) When informing an individual under subsection (5) of a breach, the Investigatory Powers Commissioner must—
  (a) inform the individual of any rights that the individual may have to apply to the Investigatory Powers Tribunal in relation to the breach, and
  (b) provide such details of the breach as the Commissioner considers to be necessary for the exercise of those rights, having regard in particular to the extent to which disclosing the details would be contrary to the public interest or prejudicial to anything falling within subsection (6)(b)(i) to (iv).

(9)

(10) For the purposes of this section, a personal data breach is serious if the breach is likely to result in a high risk to the rights and freedoms of individuals.

(11) In this section—
“2003 Regulations” means the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426);
“personal data breach” has the same meaning as in the 2003 Regulations (see regulation 2(1) of those Regulations);
“relevant restriction” means any of the following—
  (a) section 57(1) (duty not to make unauthorised disclosures) (including as applied by section 156);
  (b) section 132(1) (duty not to make unauthorised disclosures) (including as applied by section 197);
  (c) section 174(1) (offence of making unauthorised disclosure),
(read with regulation 29(1)(a)(i) of the 2003 Regulations).

(2) In section 65 of the Regulation of Investigatory Powers Act 2000 (the Tribunal)—
  (a) in subsection (2), after paragraph (b) insert—
    (ba) to consider and determine any complaints made to them which, in accordance with subsection (4AA), are complaints for which the Tribunal is the appropriate forum;
  (b) after subsection (4) insert—
    (4AA) The Tribunal is the appropriate forum for a complaint if it is a complaint by an individual about a relevant personal data breach.
    (4AB)

(3) In section 67 of the Regulation of Investigatory Powers Act 2000 (exercise of the Tribunal’s jurisdiction)—
  (a) in subsection (1)(b), after “65(2)(b)” insert “, (ba)”;
  (b) in subsection (5)—
    (i) the words from “section” to the end become paragraph (a), and
    (ii) after that paragraph insert
      , or
      (b) section 65(2)(ba) if it is made more than one year after the personal data breach to which it relates.
  (c) in subsection (6), for “reference” substitute “complaint or reference has been”.

(4) In section 68 of the Regulation of Investigatory Powers Act 2000 (Tribunal procedure), for subsection (8) substitute—
  (8) In this section “relevant Commissioner” means—
    (a) the Investigatory Powers Commissioner or any other Judicial Commissioner,
    (b) the Investigatory Powers Commissioner for Northern Ireland, or
    (c) the Information Commissioner.

(5) In regulation 5A of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426) (personal data breach), omit paragraph (9) (notification to the Investigatory Powers Commissioner).

(6) In consequence of subsection (5), in Schedule 10 to the Investigatory Powers Act 2016 (minor and consequential provision), omit paragraph 14 (personal data breach) and the italic heading before it.