Policy paper

Investigatory Powers (Amendment) Bill: Strengthening the Notice Review Process

Updated 26 April 2024

What is a notice review?

A telecommunications operator can be issued with a notice under the Investigatory Powers Act 2016 (IPA 2016).

When giving a notice for the first time the Secretary of State has a statutory obligation to engage in a consultation period with the relevant telecommunications operator. Following this consultation, and taking into consideration the views of the operator, the Secretary of State then considers whether to formally give the notice. Should they decide to do so, the notice must then be approved by an independent Judicial Commissioner and formally given to the company before its obligations become binding on them.

If at this point the telecommunications operator is dissatisfied with the terms of the notice, they have a statutory right to refer the notice (or part of it) to the Secretary of State for review. This referral must be made within 28 days of the day on which the notice was given.

What happens under the current regime?

If a telecommunications operator refers their notice to the Secretary of State for review, the Secretary of State must then consult the Technical Advisory Board, who must consider the technical requirements and financial consequences of the notice, and an independent Judicial Commissioner who must consider the proportionality. 

The Technical Advisory Board’s membership includes representatives from the telecommunications industry, government/public authorities, and independent members including an independent chair.

Under the current regime, during a review period the operator is not required to comply with the notice, so far as referred, until the Secretary of State has determined the review.

After considering reports from the Technical Advisory Board and the Judicial Commissioner the Secretary of State may decide to vary, revoke or confirm the effect of the notice. Where the Secretary of State decides to confirm or vary the notice, the Investigatory Powers Commissioner must approve the decision.

How will the bill affect the current process?

The amendment will not affect the fundamental process of the review or the current safeguards. The notice must still be approved by both the Secretary of State and a Judicial Commissioner before it is formally given to the company and its obligations become binding on them. If at this point the operator is dissatisfied with the terms of the notice, they will continue to have the statutory right to refer the notice (or part of it) to the Secretary of State for review. The Secretary of State must then consult the Technical Advisory Board and an independent Judicial Commissioner. 

The amendment ensures operators do not make changes during the review period that will negatively impact existing lawful access. Operators will not be required to make changes to specifically comply with the notice; however, they will be required to maintain the status quo, meaning if lawful access was provided before the notice was given, then it must be maintained during the review period. This will be without prejudice to the outcome of the review.

After considering reports from the Technical Advisory Board and the Judicial Commissioner, the Secretary of State may decide to vary, revoke or confirm the effect of the notice. Where the Secretary of State decides to confirm or vary the notice, the Investigatory Powers Commissioner must approve the decision.

Why is this being introduced?

This change is required in order to safeguard public safety during the review period. It will ensure telecommunications operators do not make changes that will irreversibly affect existing lawful access whilst the review period is ongoing.

Maintaining the status quo during the review will provide the continued exceptional access to data required by law enforcement and the intelligence services to keep citizens safe.

If at the conclusion of the review the Secretary of State confirms or varies the notice and an independent Judicial Commissioner agrees, the requirement to maintain the status quo will ensure that there would not have been a gap in obtaining operationally relevant data between the review period and the point at which the telecommunications operator is able to meet the obligations within the notice.

Who will it apply to?

This change will only apply to telecommunications operators that have been issued with a notice under the IPA 2016 and who have, upon receipt of that notice, referred it back to the Secretary of State for review.

Whilst the definition of a telecommunications operator in the IPA 2016 encompasses a large number of companies, there are stringent safeguards in place to ensure that there is a high threshold for issuing a notice, and that it is both necessary and proportionate.

Before issuing a notice the Secretary of State must engage in a consultation period with the relevant telecommunications operator and will take the views of the operator into account. This consultation period and collaborative working helps ensure that the relatively small proportion of telecommunications operators who are issued with a notice are able to understand the required obligations, often averting the need to refer it back for review.

What are the safeguards around its use?

All notices are subject to robust, independent oversight before they can be issued. Notices must be both necessary and proportionate and subject to the “double-lock” which means they are approved by both the Secretary of State and an independent Judicial Commissioner before they can be given to the operator in question.

If at the point of issue the operator is dissatisfied with the terms of the notice, they have a statutory right to refer the notice (or part of it) to the Secretary of State for review. As previously mentioned, the Secretary of State must consult the Technical Advisory Board and an independent Judicial Commissioner.

The Judicial Commissioner and the Technical Advisory Board must give the relevant telecommunications operator and the Secretary of State the opportunity to provide evidence and make representations to them before reaching their conclusions. Both the Commissioner and the Board must report these conclusions to the person who made the referral and the Secretary of State.

After considering reports from the Technical Advisory Board and the Judicial Commissioner the Secretary of State may decide to vary, revoke or confirm the effect of the notice. Where the Secretary of State decides to confirm or vary the notice, the Investigatory Powers Commissioner must approve the decision.

The Investigatory Powers (Review of Notices and Technical Advisory Board) Regulations 2018 [footnote 1] provide further detail on the review process.

Maintaining the status quo will only apply to the part of the company that provides existing lawful access. This change will not require the telecommunications operator to make changes to specifically comply with the notice they are referring; it ensures the lawful access that was provided before the notice was issued will continue to be provided during the review period.

Will this prevent routine cybersecurity patches from being carried out?

There is no intention for security patches [footnote 2] to be adversely impacted by these changes to the notice review and we would never stop a security patch to a system.

We cannot foresee a circumstance in which a genuine security patch would be subject to, or affected by, a notice being given.

What are the timelines regarding a review?

The length of the review period is determined by the level of engagement from the telecommunications operator concerned. The Technical Advisory Board and Judicial Commissioner must have all the relevant information required in order to reach their conclusions and for the Secretary of State to make an informed decision.

The government fully supports technological innovation and strong privacy, and it is therefore in the interests of all parties for the review to be concluded in the shortest possible timeframe.

Footnotes

  1. The Investigatory Powers (Review of Notices and Technical Advisory Board) Regulations 2018 (legislation.gov.uk) 

  2. As defined by the National Cyber Security Centre: “A security patch fixes a defect in installed software and leaves the intended functionality of the software unchanged”. See also: Device Security Guidance - NCSC.GOV.UK