Date laid: 18 December 2017
Parliamentary procedure: affirmative
Summary: These draft Regulations will bring into force five Codes of Practice under the Investigatory Powers Act 2016 (“the 2016 Act”) which relate to the bulk acquisition of communications data, equipment interference, national security notices, and the intelligence services’ retention and use of bulk personal datasets. These are significant matters as the Codes set out the way in which the powers under the 2016 Act will be used in practice, the criteria to be used when applying for or authorising a warrant and what safeguards will apply to the use and retention of the data obtained. The bundle of papers is sizeable, running to several hundred pages. We were therefore disappointed with the obscurity of the original Explanatory Memorandum which gave the reader no indication at all of the potential effects of these Codes. At our request the Home Office has now replaced this with one that sets out more clearly what the Codes do and why. Because bulk interceptions in particular have the potential to include the communications of people who are not suspects as well as those whom the security services are targeting, this legislation is likely to be of interest to the House.
These Regulations are drawn to the special attention of the House on the ground that they raise policy issues likely to be of interest to the House.
1.These Regulations have been laid by the Home Office under provisions of the Investigatory Powers Act 2016 (“the 2016 Act”). The Codes of Practice Regulations will bring into force five separate Codes of Practice relating to the interception of communications, equipment inference, the bulk acquisition of communications data, national security notices and the intelligence services’ retention and use of bulk personal datasets. An inadequate Explanatory Memorandum (EM) was laid with the Regulations and this has now been replaced with a more informative one.
2.The 2016 Act permits all these activities but these Codes regulate how those powers are to be used and the conditions and safeguards that apply to them. The 2016 Act makes it a criminal offence to intercept the communications of a person in the UK without lawful authority and stipulates what constitutes lawful authority to do so, for example a warrant issued by the Secretary of State. The decision to issue interception warrants is also subject to approval by a Judicial Commissioner. In each case a warrant may only be issued where it is necessary and proportionate and meets one or more of three statutory grounds, that is, it is in the interests of national security, for the prevention and detection of serious crime or in the interests of the economic well-being of the UK (so far as those interests also relate to national security).
3.Each Code contains guidance on a range of practical matters including what details the public authorities must include in an application to use the relevant powers; the format of, and detail that must be included in, a warrant or notice; the authorisation and renewal process; the safeguards that apply in relation to the retention, storage, copying, destruction and dissemination of material obtained using the relevant investigatory powers.
4.Interception of Communications: this Code relates to the exercise of targeted and bulk interceptions permitting the content of the communication to be made available to someone other than the sender or intended recipient. Targeted interception warrants are primarily an investigative tool that enable authorities such as the Police, HMRC or the Ministry of Defence to intercept communications in relation to a specified subject matter such as an individual person or a group of persons carrying out a particular activity or sharing a common purpose, for example an organised crime group. Bulk interception warrants may only be sought by the intelligence services in relation to matters of national security and authorise the interception of overseas-related communications, for example, to identify previously unknown threats to the national security of the UK. Such a warrant may result in the acquisition of large volumes of data that may only be selected for examination for an operational purpose specified on the warrant.
5.Equipment Interference: this Code describes a range of techniques that may be used to obtain communications, equipment data or other information. Equipment interference can be carried out either remotely or by physically interacting with the equipment. At the lower end of the scale, this may mean covertly downloading data from a subject’s mobile device or using someone’s login credentials to gain access to data held on a computer. More complex equipment interference operations may involve exploiting existing vulnerabilities in software in order to gain control of devices or networks to extract remotely material or monitor the user of the device. Targeted equipment interference warrants may only be sought by a limited number of public authorities such as the intelligence services, law enforcement agencies (including police forces, the National Crime Agency, HMRC and immigration and customs authorities) and certain oversight bodies such as the Independent Police Complaints Commission. In addition, certain equipment interference authorities may only seek warrants for specified limited purposes, for example, an immigration officer may only seek an equipment interference warrant in relation to a serious crime that is an immigration or nationality offence. As with bulk interception, bulk equipment interference warrants are primarily used as an intelligence gathering tool, may only be sought by the intelligence services and must be necessary in the interests of national security.
6.Bulk Acquisition of Communications Data may result in the collection of large volumes of data, which are essential to enable communications relating to subjects of interest to be identified and subsequently pieced together in the course of an investigation. Warrants for the acquisition of bulk communications data are limited to the three intelligence services and the 2016 Act does not impose a limit on the volume of communications or constrain them to a specific investigation. Once acquired in bulk, selection of data for examination is only permitted for the operational purposes specified on the warrant.
7.National Security Notices: using a national security notice, the Secretary of State may require an operator to take specified steps to do something to facilitate the activities of an intelligence service, deal with an emergency or provide services or facilities for the purpose of assisting an intelligence service to carry out its functions more securely or more effectively. However, a national security notice could not be used as an alternative to an interception warrant where such a warrant is required to authorise the relevant activity.
8.Intelligence Services’ Retention and Use of Bulk Personal Datasets: having obtained material from a variety of sources to meet the requirements of their statutory functions under the Security Service Act 1989 and the Intelligence Services Act 1994 the intelligence services need to process it. A bulk personal dataset will be held electronically and will typically be very large, for example relating to all the travellers on a particular route. It is also likely that the majority of individuals within it are not, and are unlikely to become, of interest to the intelligence services. The 2016 Act does not create any new powers to obtain such datasets but requires that the retention and use of these datasets by the intelligence services must be subject to an authorisation scheme and robust and transparent safeguards.
9.At the same time as laying these Regulations, the Home Office also laid three other sets of draft Regulations which deal mainly with consequential aspects of the proposed new system, particularly the practical impact on telecommunications and postal firms:
10.These are significant matters as the Codes set out the way in which the powers under the 2016 Act will be used in practice, the criteria to be used when applying for a warrant and what safeguards will apply to the use and retention of the data obtained. The bundle of papers is sizeable, running to several hundred pages. We were therefore disappointed with the obscurity of the original Explanatory Memorandum which gave the reader no indication at all of the potential effects of these Codes. At our request the Home Office has now replaced this with one that sets out more clearly what the Codes do and why, which should aid the House in its scrutiny of the way the system is to operate. Because bulk interceptions in particular have the potential to include the communications of people who are not suspects as well as those who the security services are targeting, this legislation is likely to be of interest to the House.
1 The Home Office states that a sixth code on communications data will be brought into force at a later date.
2 from 8 January 2018