Policy paper

Policy statement on draft regulations for the notification of proposed changes to telecommunications services (accessible version)

Updated 26 April 2024

Introduction

1. The notification of proposed changes (clause 20 of the Investigatory Powers (Amendment) Bill – new section 258A) is an obligation that can be placed on relevant operators that provide, or may be expected to provide, lawful access of significant operational value, to inform the Secretary of State of technical changes that they are intending to make which could affect lawful access capabilities.

2. This notification requirement is intended to provide the Secretary of State, and by extension operational partners, with time to understand the potential impact of the changes and ensure exceptional lawful access can be maintained to keep people safe.

3. It does not give the Secretary of State any power to intervene in the rollout of these changes, nor is the Secretary of State’s consent required for the rollout to proceed.

4. Should the Secretary of State wish to intervene in any way with the change the operator intends to make, the Secretary of State would use the notices regimes in the same way that is currently available to them. However, it does not automatically follow that any notified change will result in a notice.

5. The notifications will be important in giving operational partners time to adjust their ways of working to ensure the capabilities can be provided throughout the process of, and after, the change taking place. The primary motivation of this obligation is to create an opportunity for collaborative working in order to protect capabilities and keep people safe.

6. An operator does not need to be under an IPA notice[footnote 1] in order to receive and give effect to an IPA authorisation or warrant required to lawfully access data. It is this access to data – where IPA notices are not in place – that the notification requirement intends to safeguard.

7. A requirement to notify the Secretary of State already exists in current regulations. Paragraph 13, Part 1 of Schedule 2 of the Investigatory Powers (Technical Capability) Regulations 2018 sets out a requirement for an operator under a Technical Capability Notice (TCN) to notify the Secretary of State within a reasonable time of proposed changes to existing telecommunication services or systems to which obligations imposed by a TCN relate, or the development of new telecommunication services or systems.

8. The Bill introduces a delegated power for the Secretary of State to set out in regulations further details regarding relevant changes and associated thresholds that may trigger the Secretary of State to issue a notification notice to an operator under clause 20. This parallels similar regulation-making powers already in the IPA, which are specified in Section 267 of the IPA.

9. Due to the technical nature of the IPA capabilities, it is right that further detail is laid out in regulations rather than on the face of the Act. Using secondary legislation rather than primary allows for greater agility to amend regulations – which may be technical in nature – in response to the changing landscape with regards to telecommunications operators and technological advances. This will ensure the arrangements continue to accurately reflect proportionate, applicable thresholds in response to changes in technology and operational requirements, including that the notification requirement does not disproportionately affect operators who do not hold operationally relevant data.

10. Given the nature of the obligations to be imposed on operators, it is important that the affirmative Parliamentary procedure applies to regulations made under this clause.

11. This statement is intended to set out further details as to how we expect the notification requirement process to work in practice, including the associated criteria triggering a notification notice and relevant changes the Secretary of State must be notified of to ensure this obligation is proportionate. We intend to produce draft regulations during the passage of the Bill.

Safeguards

12. The IPA includes stringent safeguards for the notices regimes and clause 20 seeks to replicate the relevant safeguards regarding a notification notice. This includes the notice only being issued where the Secretary of State considers it necessary and proportionate to do so. It also sets out other matters the Secretary of State must take into account including the likely benefits of the notice, the likely number of users of a service to which a notice relates, the likely cost of complying and any other effect of the notice on the operator.

13. The Secretary of State must consult the relevant operator before issuing a notification notice. The consultation will result in an individualised and confidential specification, provided as an annex to the notice, setting out applicable telecommunications services and systems, specific to the company, to which the notification requirement applies. The operator will only be required to provide the Secretary of State with a notification of change on these specific services and systems where the proposed change will result in a negative impact on lawful access.

14. Data Retention Notices, Technical Capability Notices and National Security Notices are critical for maintaining access to data and often require operators to make changes to their services or systems to ensure they are able to fulfil obligations set out in the notice. This could include retaining communications data for longer than business requirement or building and/or maintaining a technical capability that can be utilised to lawfully access data when a warrant is issued. It is therefore right that the level of oversight reflects the nature of these notices, which includes authorisation by an independent Judicial Commissioner.

15. A notification requirement will only require relevant operators that have received a notice under section 258A to inform the Secretary of State of relevant changes to relevant services or systems set out in the confidential specification of the notice. It does not require the operator to make any technical changes or provide access to data and therefore the burden on the company in comparison is likely to be small, and there is no additional intrusion relating to privacy. It is for this reason the double lock has not been made a requirement.

16. Once issued, the Secretary of State may vary the notification notice if they consider it is necessary and proportionate to do so, or revoke it in whole or in part. Before varying a notification notice the Secretary of State will consult the company.

Purpose of the regulations

17. As is clear in the clause, the notification requirement will not impose a blanket obligation on all operators to notify the Secretary of State of all changes. Such an obligation would create an unmanageable regime and would be inconsistent with the necessity and proportionality safeguards which currently underpin all powers within the IPA.

18. Regulations will set out high level criteria, as set out in paragraph 22, that may trigger the Secretary of State to issue a notification notice to an operator. These criteria must be taken into account, along with the considerations detailed in paragraph 11, before the Secretary of State issues a notification notice. This will ensure the notification requirement does not disproportionately affect all operators. In practice we anticipate this will be a small number of operators who provide lawful access of significant operational value.

19. The regulations will also set out details of the changes which will trigger the notification requirement under this obligation. An operator will only be required to notify the Secretary of State of these changes if they negatively impact lawful access capabilities of the services set out in the confidential specification.

20. Details within the regulations must be sufficient to demonstrate transparency and proportionality; however, consideration needs to be given regarding the specific level of detail. Investigatory powers are a critical tool for tackling national security and the most serious crimes; it is therefore vital that regulations do not inadvertently disclose investigative techniques. Additional details of the requirements will be set out in the notice, following the consultation between the Secretary of State and the operator.

Criteria triggering the Secretary of State to issue a notification notice

21. The operator must provide, or be expected to provide, lawful access of significant operational value. This will be informed by an assessment provided by law enforcement and agencies and will form part of the necessity and proportionality case the Secretary of State will consider before issuing a notification notice. This replicates the assessment that is made before the Secretary of State issues any other notice to an operator under the IPA and ensures the same high threshold must be met before issuing a notification notice.

22. When conducting this assessment, the criteria that must be considered include, but are not limited to:

  a) the current or expected number of IPA warrants, authorisations or requests issued to the operator.
  b) the operational importance of the data provided under a).
  c) the types of services the operator provides.
  d) the customer base of the operator.
  e) the likely number of users (if known) of a service.
  f) the market share of the operator.

23. Within the current Investigatory Powers (Technical Capability) Regulations 2018, reg. 4(3) specifies that the obligations specified in Part 1 of Schedule 1 and in Schedule 3 cannot be imposed on an operator who does not provide, or does not intend to provide, a telecommunications service to more than 10,000 persons. Applying this threshold to the notification notice would be appropriate to ensure the same high bar is applied, ensuring the obligation does not disproportionately affect all operators.

24. Assessments will be conducted on a case-by-case basis. A notification notice will only be issued to an operator by the Secretary of State if it is deemed necessary and proportionate to safeguard lawful access.

Relevant changes operators are required to notify the Secretary of State

25. When an operator is issued a notification notice they will be required to notify the Secretary of State of proposed relevant changes to services and systems specified within the individualised specification that has been drawn up in consultation with the operator.

26. A relevant change is a change to a telecommunications service or system that would negatively affect lawful access provided by the operator on that service or system.

27. A relevant change includes:

a) Changes to data retention periods by the operator.

An operator will retain data for as long as business requirement dictates. An operator may change their data retention periods at any point.

b) Changes in the operator’s ability to lawfully provide communications data.

Communications data is the ‘who’, ‘when’, ‘where’ and ‘how’, otherwise known as the metadata.

c) Changes in the operator’s ability to lawfully provide the content of communications.

Content differs from communication data as crucially it is the ‘what’.

d) Decommissioning of a service.

The decommissioning of a service may require the Secretary of State to vary the notification notice.  

e) Other relevant change specified in the notification requirement.

Operators provide unique and individual services and may provide specific lawful access capabilities that will be known between the operator and Secretary of State. For the protection of these capabilities, they will be included in the confidential specification agreed between the operator and Secretary of State.

28. As previously noted, there will then be an individualised and confidential specification agreed between the operator and the Secretary of State. These criteria will only apply to the specific systems and services of the operator in question set out in the agreed specification.

Security patches

29. There is no intention for security patches[footnote 2] to be covered by the notification requirement and we would never stop a security patch to a system. We cannot foresee a circumstance in which a security patch would have such sweeping effect on lawful access capabilities.

Process when an operator notifies the Secretary of State of a relevant change

30. If an operator under a notification notice identifies a relevant change to a service or system set out within that notice, they are required to notify the Secretary of State within a reasonable time before making the relevant change to which the notice applies.

31. A reasonable time is reflective of the language used within the current TCN Regulations with regards to the obligation to notify the Secretary of State of changes. It would be impractical to define reasonable time any further, given that reasonableness would be impacted by factors such as the scale and timing of the proposed change, and this wording allows flexibility for the operator and government to work collaboratively.

32. The Secretary of State will confirm receipt of the notifiable change and with support from law enforcement and agencies, will conduct an assessment of the change on lawful access capabilities. It will allow a formal opportunity for the operator and government to work together and find a solution that will ensure public safety is protected. HMG will contact the operator within 10 working days of receiving the notification if more information is required.

33. The notification of a proposed change will allow operational partners time to assess the impact and adjust working practices where necessary. Should the Secretary of State wish to intervene in any way with the change the operator intends to make, the Secretary of State would use the notices regimes in the same way that is currently available to them. Such a step would only be taken if required to protect capabilities and keep people safe.

  1. The three types of notice are: Data Retention Notices, which require the retention of communications data (the ‘who’, ‘when’, ‘where’, and ‘how’) by operators; Technical Capability Notices, which compel companies to build and/or maintain technical capabilities to respond to lawful requests for data under the IPA; and National Security Notices, which require the telecommunications operator to take specific steps that the Secretary of State considers necessary in the interests of national security, for example, providing services or facilities for the purpose of facilitating or assisting an intelligence service to carry out its functions.

  2. As defined by the National Cyber Security Centre: “A security patch fixes a defect in installed software and leaves the intended functionality of the software unchanged”.