[Further and supplementary provisionU.K.
226IInitial inspectionU.K.
(1)This section applies where—
(a)an intelligence service has relevant access, whether on payment or otherwise, to a set of information that is held electronically by a person other than an intelligence service,
(b)the intelligence service is considering examining the set of information electronically for the purpose of the exercise of its functions,
(c)the examination would be otherwise than in the exercise of a power conferred by a warrant or other authorisation issued or given under this Act, and
(d)the head of the intelligence service, or a person acting on their behalf, believes that—
(i)the set includes, or may include, personal data relating to a number of individuals, and
(ii)the nature of the set is, or may be, such that the majority of the individuals are not, and are unlikely to become, of interest to the intelligence service in the exercise of its functions.
(2)The head of the intelligence service, or a person acting on their behalf, may carry out an initial inspection of the contents of the set for the purpose of deciding whether, if the intelligence service were to examine it after that initial inspection—
(a)the intelligence service would be examining a third party bulk personal dataset (see section 226E), and
(b)such examination would be necessary and proportionate in all the circumstances.
(3)Subsection (4) applies if, after the initial inspection is carried out, the head of the intelligence service, or a person acting on their behalf, decides that—
(a)the intelligence service would be examining a third party bulk personal dataset (as mentioned in subsection (2)(a)), and
(b)such examination would be necessary and proportionate in all the circumstances.
(4)The head of the intelligence service, or a person acting on their behalf, must—
(a)decide whether to examine the third party bulk personal dataset, and
(b)if they decide to do so, apply for a third party BPD warrant.
(5)If the head of the intelligence service, or a person acting on their behalf, applies for such a third party BPD warrant, the intelligence service is not to be regarded as in breach of section 226F(1) by virtue of examining the bulk personal dataset if the examination is necessary for the purposes of the making of the application for the warrant.
(6)For the purposes of subsection (1)(a), “relevant access” is to be read in accordance with section 226E(2).
(7)For the purposes of this section, only a person holding office under the Crown may act on behalf of the head of an intelligence service.
226IASafeguards relating to examination of third party bulk personal datasetsU.K.
(1)The Secretary of State must ensure, in relation to every third party BPD warrant which authorises the examination of a bulk personal dataset, that arrangements are in force for securing that any examination of data contained in the dataset is necessary and proportionate in all the circumstances.
(2)In doing so, the Secretary of State must in particular have regard to the information that is reasonably available to the intelligence services in relation to the examination of such data.
226IBAdditional safeguards for items subject to legal privilege: examinationU.K.
(1)Subsections (2) and (3) apply if, in a case where protected data contained in a third party bulk personal dataset is to be examined in reliance on a third party BPD warrant—
(a)the purpose, or one of the purposes, of using the criteria to be used for the examination of the data (“the relevant criteria”) is to identify any items subject to legal privilege, or
(b)the use of the relevant criteria is likely to identify such items.
(2)If the relevant criteria are referable to an individual known to be in the British Islands at the time of the examination, the data may be examined using the relevant criteria only if the Secretary of State has approved the use of those criteria.
(3)In any other case, the data may be examined using the relevant criteria only if a senior official acting on behalf of the Secretary of State has approved the use of those criteria.
(4)The Secretary of State may give approval for the purposes of subsection (2) only with the approval of a Judicial Commissioner.
(5)Approval may be given under subsection (2) or (3) only if, where subsection (1)(a) applies, the Secretary of State or (as the case may be) the senior official considers that there are exceptional and compelling circumstances that make it necessary to authorise the use of the relevant criteria.
(6)In deciding whether to give an approval under subsection (2) or (3) in a case where subsection (1)(a) applies, the Secretary of State or (as the case may be) the senior official must have regard to the public interest in the confidentiality of items subject to legal privilege.
(7)For the purposes of subsection (5), there cannot be exceptional and compelling circumstances that make it necessary to authorise the use of the relevant criteria unless—
(a)the public interest in obtaining the information that would be obtained by the examination of the data outweighs the public interest in the confidentiality of items subject to legal privilege,
(b)there are no other means by which the information may reasonably be obtained, and
(c)obtaining the information is necessary in the interests of national security or for the purpose of preventing death or significant injury.
(8)In deciding whether to give approval for the purposes of subsection (4), the Judicial Commissioner must—
(a)apply the same principles as would be applied by a court on an application for judicial review, and
(b)consider the matter with a sufficient degree of care as to ensure that the Judicial Commissioner complies with the duties imposed by section 2 (general duties in relation to privacy).
(9)Subsections (10) and (11) apply if, in a case where protected data contained in a third party bulk personal dataset is to be examined in reliance on a third party BPD warrant—
(a)the purpose, or one of the purposes, of using the criteria to be used for the examination of the data (“the relevant criteria”) is to identify data that, if the data or any underlying material were not created or held with the intention of furthering a criminal purpose, would be an item subject to legal privilege, and
(b)the person to whom the warrant is addressed considers that the data (“the targeted data”) or any underlying material is likely to be data or underlying material created or held with the intention of furthering a criminal purpose.
(10)If the relevant criteria are referable to an individual known to be in the British Islands at the time of the examination, the data may be examined using the relevant criteria only if the Secretary of State has approved the use of those criteria.
(11)In any other case, the data may be examined using the relevant criteria only if a senior official acting on behalf of the Secretary of State has approved the use of those criteria.
(12)Approval may be given under subsection (10) or (11) only if the Secretary of State or (as the case may be) the senior official considers that the targeted data or the underlying material is likely to be data or underlying material created or held with the intention of furthering a criminal purpose.
(13)In this section “underlying material”, in relation to data contained in a third party bulk personal dataset that is to be examined in reliance on a third party BPD warrant, means any communications or other items of information from which the data was produced.
226ICAdditional safeguards for items subject to legal privilege: retention following examinationU.K.
(1)Subsection (2) applies where—
(a)an intelligence service examines a third party bulk personal dataset in reliance on a third party BPD warrant,
(b)as part of the examination, the intelligence service examines an item subject to legal privilege,
(c)the intelligence service retains the item, and
(d)the retention of the item may not be authorised by a warrant under Part 7 (bulk personal dataset warrants).
(2)The person to whom the third party BPD warrant (mentioned in subsection (1)(a)) is addressed must inform the Investigatory Powers Commissioner as soon as reasonably practicable after retaining the item.
(3)Unless the Investigatory Powers Commissioner considers that subsection (5) applies to the item, the Commissioner must—
(a)direct that the item is destroyed, or
(b)impose one or more conditions as to the use or retention of that item.
(4)If the Investigatory Powers Commissioner considers that subsection (5) applies to the item, the Commissioner may nevertheless impose such conditions under subsection (3)(b) as the Commissioner considers necessary for the purpose of protecting the public interest in the confidentiality of items subject to legal privilege.
(5)This subsection applies to an item subject to legal privilege if—
(a)the public interest in retaining the item outweighs the public interest in the confidentiality of items subject to legal privilege, and
(b)retaining the item is necessary in the interests of national security or for the purpose of preventing death or significant injury.
(6)The Investigatory Powers Commissioner—
(a)may require an affected party to make representations about how the Commissioner should exercise any function under subsection (3), and
(b)must have regard to any such representations made by an affected party (whether or not as a result of a requirement imposed under paragraph (a)).
(7)Each of the following is an “affected party” for the purposes of subsection (6)—
(a)the Secretary of State;
(b)the person to whom the third party BPD warrant is or was addressed.
226IDOffence of breaching safeguards relating to examination of materialU.K.
(1)A person commits an offence if—
(a)the person examines, in reliance on a third party BPD warrant, any data contained in a third party bulk personal dataset,
(b)the person knows or believes that the examination of that data is in breach of the requirement specified in subsection (2), and
(c)the person deliberately examines that data in breach of that requirement.
(2)The requirement specified in this subsection is that any examination of the data is necessary and proportionate.
(3)A person guilty of an offence under this section is liable—
(a)on summary conviction in England and Wales, to imprisonment for a term not exceeding the general limit in a magistrates’ court, to a fine or to both;
(b)on summary conviction in Scotland, to imprisonment for a term not exceeding 12 months, to a fine not exceeding the statutory maximum or to both;
(c)on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months, to a fine not exceeding the statutory maximum or to both;
(d)on conviction on indictment, to imprisonment for a term not exceeding 2 years, to a fine or to both.
(4)No proceedings for any offence which is an offence by virtue of this section may be instituted—
(a)in England and Wales, except by or with the consent of the Director of Public Prosecutions;
(b)in Northern Ireland, except by or with the consent of the Director of Public Prosecutions for Northern Ireland.
226IEPart 7B: interpretationU.K.
(1)In this Part—
“personal data” has the same meaning as in Part 7 (see section 199(2));
“protected data” has the same meaning as in Part 7 (see section 203);
“senior official” means a member of the Senior Civil Service or a member of the Senior Management Structure of His Majesty’s Diplomatic Service;
“third party BPD warrant” has the meaning given by section 226F.
(3)See also—