Search Legislation

Investigatory Powers (Amendment) Act 2024

 Help about what version

What Version

 Help about advanced features

Advanced Features

Changes over time for: Section 11

 Help about opening options

Alternative versions:

Changes to legislation:

There are currently no known outstanding effects for the Investigatory Powers (Amendment) Act 2024, Section 11. Help about Changes to Legislation

Close

Changes to Legislation

Revised legislation carried on this site may not be fully up to date. At the current time any known changes or effects made by subsequent legislation have been applied to the text of the legislation you are viewing by the editorial team. Please see ‘Frequently Asked Questions’ for details regarding the timescales for which new effects are identified and recorded on this site.

11Personal data breachesU.K.

This section has no associated Explanatory Notes

(1)In the Investigatory Powers Act 2016, after section 235 insert—

235APersonal data breaches

(1)This section applies where a telecommunications operator would, but for a relevant restriction, be required by regulation 5A(2) of the 2003 Regulations to notify a personal data breach to the Information Commissioner.

(2)The telecommunications operator must report the personal data breach to the Investigatory Powers Commissioner.

(3)Where a telecommunications operator reports a personal data breach to the Investigatory Powers Commissioner under subsection (2), a Judicial Commissioner must disclose information about the breach to the Information Commissioner.

(4)Where a Judicial Commissioner discloses information about a personal data breach to the Information Commissioner under subsection (3), the Information Commissioner must—

(a)consider whether the breach is serious, and

(b)if the Information Commissioner considers that the breach is serious, notify the Investigatory Powers Commissioner.

(5)The Investigatory Powers Commissioner must inform an individual of any personal data breach relating to that individual of which the Commissioner is notified under subsection (4)(b) if the Commissioner considers that it is in the public interest for the individual to be informed of the breach.

(6)In making a decision under subsection (5), the Investigatory Powers Commissioner must, in particular, consider—

(a)the seriousness of the breach and its effect on the individual concerned, and

(b)the extent to which disclosing the breach would be contrary to the public interest or prejudicial to—

(i)national security,

(ii)the prevention or detection of serious crime,

(iii)the economic well-being of the United Kingdom, or

(iv)the continued discharge of the functions of any of the intelligence services.

(7)Before making a decision under subsection (5), the Investigatory Powers Commissioner must ask—

(a)the Secretary of State, and

(b)any public authority that the Investigatory Powers Commissioner considers appropriate,

to make submissions to the Commissioner about the matters concerned.

(8)When informing an individual under subsection (5) of a breach, the Investigatory Powers Commissioner must—

(a)inform the individual of any rights that the individual may have to apply to the Investigatory Powers Tribunal in relation to the breach, and

(b)provide such details of the breach as the Commissioner considers to be necessary for the exercise of those rights, having regard in particular to the extent to which disclosing the details would be contrary to the public interest or prejudicial to anything falling within subsection (6)(b)(i) to (iv).

(9)The Investigatory Powers Commissioner may not inform the individual to whom it relates of a personal data breach notified to the Commissioner under subsection (4)(b) except as provided by this section.

(10)For the purposes of this section, a personal data breach is serious if the breach is likely to result in a high risk to the rights and freedoms of individuals.

(11)In this section—

  • 2003 Regulations” means the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426);

  • personal data breach” has the same meaning as in the 2003 Regulations (see regulation 2(1) of those Regulations);

  • relevant restriction” means any of the following—

    (a)

    section 57(1) (duty not to make unauthorised disclosures) (including as applied by section 156);

    (b)

    section 132(1) (duty not to make unauthorised disclosures) (including as applied by section 197);

    (c)

    section 174(1) (offence of making unauthorised disclosure),

    (read with regulation 29(1)(a)(i) of the 2003 Regulations).

(2)In section 65 of the Regulation of Investigatory Powers Act 2000 (the Tribunal)—

(a)in subsection (2), after paragraph (b) insert—

(ba)to consider and determine any complaints made to them which, in accordance with subsection (4AA), are complaints for which the Tribunal is the appropriate forum;;

(b)after subsection (4) insert—

(4AA)The Tribunal is the appropriate forum for a complaint if it is a complaint by an individual about a relevant personal data breach.

(4AB)In subsection (4AA)relevant personal data breach” means a personal data breach that the individual is informed of under section 235A(5) of the Investigatory Powers Act 2016 (serious personal data breaches).

(3)In section 67 of the Regulation of Investigatory Powers Act 2000 (exercise of the Tribunal’s jurisdiction)—

(a)in subsection (1)(b), after “65(2)(b)” insert “, (ba);

(b)in subsection (5)—

(i)the words from “section” to the end become paragraph (a), and

(ii)after that paragraph insert , or

(b)section 65(2)(ba) if it is made more than one year after the personal data breach to which it relates.;

(c)in subsection (6), for “reference” substitute “complaint or reference has been”.

(4)In section 68 of the Regulation of Investigatory Powers Act 2000 (Tribunal procedure), for subsection (8) substitute—

(8)In this section “relevant Commissioner” means—

(a)the Investigatory Powers Commissioner or any other Judicial Commissioner,

(b)the Investigatory Powers Commissioner for Northern Ireland, or

(c)the Information Commissioner.

(5)In regulation 5A of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426) (personal data breach), omit paragraph (9) (notification to the Investigatory Powers Commissioner).

(6)In consequence of subsection (5), in Schedule 10 to the Investigatory Powers Act 2016 (minor and consequential provision), omit paragraph 14 (personal data breach) and the italic heading before it.

Commencement Information

I1S. 11 not in force at Royal Assent, see s. 32(2)

I2S. 11 in force at 14.10.2024 by S.I. 2024/1021, reg. 2(k)

Back to top

Options/Help

Print Options

Close

Legislation is available in different versions:

Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.

Original (As Enacted or Made): The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.

Close

See additional information alongside the content

Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.

Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.

Close

Opening Options

Different options to open legislation in order to view more content on screen at once

Close

Explanatory Notes

Text created by the government department responsible for the subject matter of the Act to explain what the Act sets out to achieve and to make the Act accessible to readers who are not legally qualified. Explanatory Notes were introduced in 1999 and accompany all Public Acts except Appropriation, Consolidated Fund, Finance and Consolidation Acts.

Close

More Resources

Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as enacted version that was used for the print copy
  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • correction slips
  • links to related legislation and further information resources
Close

Timeline of Changes

This timeline shows the different points in time where a change occurred. The dates will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. The first date in the timeline will usually be the earliest date when the provision came into force. In some cases the first date is 01/02/1991 (or for Northern Ireland legislation 01/01/2006). This date is our basedate. No versions before this date are available. For further information see the Editorial Practice Guide and Glossary under Help.

Close

More Resources

Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as enacted version that was used for the print copy
  • correction slips

Click 'View More' or select 'More Resources' tab for additional information including:

  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • links to related legislation and further information resources