Reports on security etc
11 Reporting on matters related to security
1
The Communications Act 2003 is amended as follows.
2
After section 105Y insert—
105Z OFCOM reports on security
1
As soon as practicable after the end of each reporting period OFCOM must prepare and send to the Secretary of State a report for the period (a “security report”).
2
A security report must contain such information and advice as OFCOM consider may best serve the purpose mentioned in subsection (3).
3
The purpose is to assist the Secretary of State in the formulation of policy in relation to the security of public electronic communications networks and public electronic communications services.
4
A security report must in particular include—
a
b
information about the extent to which providers of public electronic communications networks and public electronic communications services have acted during the reporting period in accordance with codes of practice issued under section 105E;
c
information about the security compromises that OFCOM have been informed of during the reporting period under section 105K;
d
information about the action taken by OFCOM during the reporting period in response to security compromises they have been informed of under section 105K;
e
f
information about any particular risks to the security of public electronic communications networks and public electronic communications services of which OFCOM have become aware during the reporting period;
g
any other information of a kind specified in a direction given by the Secretary of State.
5
A security report must not include personal data (within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)).
6
The Secretary of State may—
a
publish a security report or any part of it; or
b
disclose a security report or any part of it to any person or body performing functions of a public nature for the purpose of enabling or assisting the performance of those functions.
7
In publishing or disclosing a security report or any part of a security report, the Secretary of State must have regard to the need to exclude from publication or disclosure, so far as is practicable, the matters which are confidential in accordance with subsection (8).
8
A matter is confidential under this subsection if—
a
it relates to the affairs of a particular body; and
b
publication or disclosure of that matter would or might, in the Secretary of State’s opinion, seriously and prejudicially affect the interests of that body.
9
In this section “reporting period” means—
a
the period of 2 years beginning with the day on which section 11 of the Telecommunications (Security) Act 2021 comes into force; and
b
each successive period of 12 months.
3
In section 134B (matters to be dealt with by OFCOM reports on infrastructure)—
a
4
In section 135 (information required for purposes of certain OFCOM functions) in subsection (3) (particular purposes for which information may be required) after paragraph (iza) (inserted by section 6(3)) insert—
izb
preparing a report under section 105Z;
5
In section 393 (general restrictions on disclosure of information) in subsection (6) (exceptions) after paragraph (b) insert—
bza
prevents the publication or disclosure of a report or part of a report under section 105Z(6);
6
In Schedule 8 (decisions not subject to appeal) after paragraph 7B (inserted by section 10(3)) insert—
7C
A decision relating to the making of a report under section 105Z.