Amendment 1

Investigatory Powers (Amendment) Bill [HL] - Committee (1st Day) – in the House of Lords at 3:23 pm on 11 December 2023.

Alert me about debates like this

Lord Coaker:

Moved by Lord Coaker

1: Clause 2, page 3, leave out lines 24 to 27 and insert—“(b) the extent to which information contained within the personal data has been made public as a result of steps deliberately taken by the data subject;”Member’s explanatory statementThis amendment would ensure the definition of a low privacy bulk personal dataset is in line with the definition set out in Schedule 10 of the Data Protection Act 2018.

Photo of Lord Coaker Lord Coaker Shadow Spokesperson (Defence), Shadow Spokesperson (Home Affairs), Opposition Whip (Lords)

My Lords, before I get to the specifics of my Amendment 1, I will make some general remarks. I thank the Minister and all his officials for their very helpful briefing and the collaborative way in which they have approached the Bill. As he knows, we support the Bill, but we will seek clarification and further information about a number of clauses and the details in them.

It is important for me to say that this is the Committee stage, so some significant details will be explored that will be helpful to us. Indeed, on my own part, there may be one or two misunderstandings as to the actual meaning of certain parts of the Bill. None the less, it is an important Bill and an important step forward for our country and its security; I think we all want to see it be as successful as it can be.

This group of amendments deals with bulk personal datasets. These include personal data where a large majority of people included will not necessarily be relevant to an intelligence investigation. Currently, all BPD warrants must go through a double-lock process of approval via the Secretary of State and then a judicial commissioner, and must be renewed every six months. Agency heads must also perform certain functions associated with the warrant.

As the importance of data-based intelligence grows, the Bill rightly includes several measures to make it easier and quicker to analyse various datasets. Individual BPDs considered to have a low or no expectation of privacy could be approved by intelligence agency heads if urgent or if they fall into a category approved by a judicial commissioner. For urgent cases, judicial commissioners have three days to review the warrant.

BPD warrants will need to be renewed only after 12 months, instead of six, which seems sensible. Some functions can be delegated from heads of agencies to an official while maintaining overall responsibility. The Bill also ensures that third-party BPDs—mostly commercially held data—are regulated similarly to other BPDs. The double lock of the Secretary of State and the judicial commissioner would remain for all BPDs, apart from ones considered urgent by the Secretary of State. For urgent cases, a judicial commissioner would have three days to review the warrant. Again, much of that is very sensible and improves the current situation.

I tabled my amendments in the spirit of probing what the Government mean, and I will ask some questions for clarity. Amendment 1 probes why the definition of low-privacy datasets differs from existing data protection legislation. Being the sort of person I am, yesterday I read the relevant section of the Data Protection Act 2018. It differs from Clause 2, where the Minister lays out:

“Low or no reasonable expectation of privacy” for authorisations and the various factors to be taken into account. Given that the Data Protection Act also talks about access to data, about intelligence services having to have consent and about intelligence agencies having various conditions applied to them when seeking authorisations to access data, it would be helpful to the Committee to understand which applies to the authorisations and how the various pieces of legislation interact with each other. Otherwise, we have what is included in this Bill as well as what is included in the Data Protection Act 2018. Amendment 1 seeks to understand where and how the two relate to each other, whether one supersedes the other and whether the Data Protection Act is now irrelevant to the authorisations laid out in the Bill. It would be helpful for us to understand that.

My Amendment 16 seeks to ensure that the Intelligence and Security Committee is involved in the overall oversight of what is happening. The Government included in new Section 226DA in Clause 2 an annual report, so they have accepted the idea, which my amendment lays out, of having an annual report. But noble Lords will see that my amendment, rather than having the report going just to the Secretary of State as the Government propose in new Section 226DA, seeks to understand why the Government would not want such a report to go to the Intelligence and Security Committee as well. Indeed, my noble friend Lord West has put a similar amendment exploring the same point. It would be useful for the Committee to understand why the Government have excluded the Intelligence and Security Committee from such oversight.

The Minister will know that I was exercised by the role of the Intelligence and Security Committee with respect to the National Security Act during its passage. Again, it is important to understand what role the Government feel the Intelligence and Security Committee has with respect to the changes and amendments included in this Bill. Therefore, at this stage, my Amendment 16 simply probes that. It is a probing amendment; I just want to understand what the Government’s view of the Intelligence and Security Committee should be and how they have come to a view, in new Section 226DA in Clause 2, that they feel an annual report is important but that it will go only to the Secretary of State and not to the Intelligence and Security Committee. It seems a bit strange.

Again, because it is important for the Committee to understand what the Government’s definition of serious crime is, noble Lords will see that my Amendment 17 to Clause 5 would use the definition of serious crime as in Section 263 of the Investigatory Powers Act 2016. It is just to ensure that we understand the definition of serious crime that we are using in the Bill vis-à-vis the earlier Act. My understanding is that in Section 263 of the Investigatory Powers Act 2016, serious crime is defined as

“an offence for which a person who has reached the age of 18” in England and Wales, or 21 in Scotland or Northern Ireland,

“and has no previous convictions could reasonably be expected to be sentenced to imprisonment for a term of 3 years or more”, or if various other conduct such as violence is included. Can the Minister confirm that that is the definition to be used? While he does that, can he just underline whether there is any problem with the difference in age in Section 263—18 in England and Wales, and 21 in Scotland and Northern Ireland—with respect to this? For my own clarity—I apologise to noble Lords if it is obvious to everybody else—how does this Act apply to children under 18 and what are the consequences with respect to that for the changes there?

I have some other specific questions for the Minister. How does the Bill ensure that the sensitivity of information is central to whether a dataset is used, not just whether it has been made public? How does the Bill ensure—within it, not necessarily in guidance—that sensitive information such as facial images and medical information is correctly identified as sensitive information that should go through the double lock? Frankly, there are some questions to be asked about what the access should be to that anyway.

What measures are there to know whether an individual’s data has been made public? What will be considered “editorial control”? How can the intelligence community ensure that it does not rely on others to assess data sensitivity? Again, to help us with the definition, what will count as urgent when considering whether a bulk personal dataset should be approved without prior involvement of the judicial commissioner?

As I said to the Minister, we accept the changes the Bill is bringing forward; it will improve the situation. There are much-needed amendments in this group and the others we will discuss, but the clarifications I have asked for should help those who seek to interpret the Bill, and, indeed, those who will use the increased powers in it. With that, I beg to move.

Photo of Lord Fox Lord Fox Liberal Democrat Lords Spokesperson (Business) 3:30, 11 December 2023

I rise to speak to Amendment 2 and several others in this group in my name. This amendment probes the extent to which paragraphs (d) and (e) of proposed new Section 226A(3) depart from current privacy laws. Like the noble Lord, Lord Coaker, we seek clarification. Also like the noble Lord, as far as we are concerned the purpose of this Committee is to probe, get information and understand how the Government interpret some of the measures in the Bill.

Bulk personal datasets represent the largest part of the Bill, and this amendment primarily probes the differences in the definitions in the Bill and those set out in Schedule 10 to the Data Protection Act 2018. The Bill creates a new and essentially undefined category of information where there is deemed to be low or no reasonable expectation of privacy: so-called low/no datasets. This is a departure from existing privacy law, in particular data protection law. With regard to low-privacy bulk datasets, the relevant circumstance, in Schedule 10 to the DPA, is that

“information contained in the personal data has been made public as a result of steps deliberately taken by the data subject”.

This is a different standard from the expectation of privacy in the new BPD category, whereby information is considered low privacy according to

“the extent to which the data is widely known about” and if it

“has already been used in the public domain”.

As your Lordships will observe, there is a big difference between those two definitions. For example, whereas facial images from public CCTV may be considered low-privacy BPD under the Bill, they would be considered personal data and possibly subject to sensitive processing under the DPA. As the Minister knows, this is a contentious area of law, and a real-life example is Clearview AI’s database of 30 billion facial images harvested from social media platforms for highly facial recognition searches. Some could have been classified as low privacy, as the photos have already been made public by the individuals, but the Information Commissioner’s Office found Clearview AI in breach of the DPA.

Similarly, a database of all public Facebook or other social media posts could be argued to be a low-privacy database, despite the fact that it will be a comprehensive database of billions of people’s social networks, sexual orientations, political opinions, religion, health status and so on. Under the DPA, much of this data qualifies as sensitive personal data, incurring extra protections when it comes to retention and processing, regardless of whether the information can be considered to have been made public.

The DPA would still apply to the intelligence agencies in processing—at least, that is our view, and we would like to like the Minister to comment on that—but under the Bill as drafted the contradictory standards would also apply. How do these two standards work together? I assume the department has looked at the likelihood of possible challenges to this new category of data, and indeed the likelihood of such challenges being successful, so it would be helpful if the Minister could enlighten us in that regard.

Schedule 10 to the DPA sets out circumstances in which the agencies can conduct sensitive processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; data concerning health or sexual orientation; biometric or genetic data that uniquely identifies an individual; and data regarding an alleged offence by an individual. Does Schedule 10 apply in the case of data identified as “low” or “no” by the Bill?

An example highlighting the potential divergence is data that has been hacked and then leaked out. While not deliberately made public, as per the DPA requirement, it is arguably public and available in the public domain. What is the Minister’s view as to how the Bill regards that sort of data in a low/no context? To test this, the amendment seeks to strengthen the condition in proposed new Section 226A(3)(b) by aligning it with the test in the Data Protection Act for sensitive processing. Data protection law is currently constructed according to the sensitivity of information rather than the individual’s expectations of privacy concerning personal information. As we know, expectations differ greatly from reality, and from person to person. The central questions this poses are: why does the new Bill deviate from Schedule 10 to the DPA, and how will the DPA and the IP work together using the new definition of this Bill?

We are debating a small number of quite large groups today which, unfortunately, means that quite a number of my amendments appear one after another. I will speak as briefly as I can, but I am afraid there is quite a lot of detail coming up. I will speak first to Amendments 4, 5, 6 and 7. Amendment 4 probes the purpose for which bulk datasets will be used by the intelligence services. Amendments 5 and 6 probe the circumstances in which an authorisation is urgent and therefore not authorised in advance by a judicial commissioner. Amendment 7 would require the person granting an authorisation in urgent cases to immediately notify the judicial commissioner that they have done so.

These amendments are similar in purpose and spirit to Amendment 3 from the noble Lord, Lord Anderson, which I have co-signed and support. The basic explanation from the Government for proposed new Part 7A has been that these datasets are needed to train tools using machine learning and that they already exist and are being used in the commercial world, but the Part 7 process makes them difficult for the intelligence services to use. If training AI tools is the stated prime mover for Part 7A, the inclusion of urgent data as one of the three types of data clearly indicates it is also needed for ongoing investigations.

In that regard, proposed new Section 226BC refers to a “relevant period” of three working days between the acquisition of the urgent data and the granting of full judicial approval, giving the relevant service three days to work with data and information that might eventually be ruled out of bounds by the judicial commissioner. All the amendments are intended to understand how Part 7A is to be used in operations, rather than tool training, and what urgent circumstances are envisioned that would negate the need for prior JC approval of an authorisation.

Amendment 4 seeks to restrict the application of Part 7A powers to training and learning functions of the intelligence services, meaning that operational purposes would be excluded. This is designed to get the Minister to explain the operational needs which define an urgent need.

Amendment 5 removes the ability of a person to grant an authorisation if there is an urgent need. Clearly, this gives the Minister a chance to justify why such data might be operationally needed. Amendment 6 provides a definition of what might be considered “urgent circumstances”. The Minister might want to contribute a different definition, but we feel the definition of “urgent” should be included in the Bill. Amendment 7 provides an additional safeguard by requiring a JC to be notified immediately where an authorisation has been granted in an urgent case. This essentially creates an opportunity to close the potential gap between when the data is deployed and when the JC rules on its admissibility—but not, of course, removing the gap entirely.

Amendment 8, also in my name, probes the meaning of “reasonably practicable”. We need an explanation from the Minister about the meaning of “reasonably practicable” in the context of new Section 226D(2). New Section 226D relates to circumstances where, during the course of the examination of bulk personal datasets, it becomes clear that the data is not in fact of a type where individuals could have no or low reasonable expectation of privacy in relation to the data. At that point, the head of the relevant intelligence service must, so far as is “reasonably practicable”, ensure that anything in the process of being done in relation to the bulk personal database stops as soon as possible. Quite simply, can the Minister please explain in what circumstance it would be possible to stop all activity in relation to that particular bulk personal dataset?

Amendment 9 takes that argument a little further. On the face of it, it is intended to ensure that, when an authorisation ceases to have effect or never had effect, the intelligence services must forget the information or knowledge acquired during the period the authorisation was done. This is connected with the previous amendment. As we have already discussed, using urgency as a reason, the new powers in Part 7A could lead to some bulk personal datasets with the lowest safeguards being used for at least three days before a JC rules the dataset out of scope.

So, in the circumstances described when discussing the previous amendment, where there is a realisation that the BPD being examined is not in fact of the kind where it could be authorised, how can we be sure that the intelligence services will essentially forget the information gleaned in the meantime—and similarly if the JC declines to warrant that activity? With this amendment we are giving the Minister a chance to tell us that of course there is no possible safeguard to ensure that the information or knowledge acquired during the time the authorisation was still in effect cannot be used or relied upon for anything once the authorisation ceases to have effect. In other words, once the information is in the consciousness of human beings, it is there and it is impossible to get rid of—so, at the very least, this means that the discussion we had over the preceding amendments is highly relevant. At worst, it indicates that we have an undefined urgency applied to a self-defined low/no dataset and therefore there is a wormhole in the rules allowing unwarranted datasets to be used for three days that would otherwise not qualify for a Part 7A warranty.

I am looking forward to hearing the noble Lord, Lord West of Spithead, on his amendments. In support of the third one, I will say that the latest ISC report into international partnerships recommends that the Prime Minister should provide the ISC with a full copy of the confidential annex of the annual report of the Investigatory Powers Commissioner. I believe this is probably pushing in that direction.

While we are discussing the ISC and a diversion from the Bill, we heard recently Dominic Raab admitting that while he was a Minister he ordered an intelligence-sharing activity that he knew opened up an individual to a real risk of torture elsewhere. I would be grateful if the Minister could confirm that this was the case and that the policy that excuses Ministers of the Crown when they do this is called the Fulford principle. Can he confirm that? Perhaps the Minister can explain to your Lordships’ House—as I say, either now or in writing—how this differs in substance from extraordinary rendition. Can he also explain how this self-confessed activity squares with the UK’s obligation under the convention on torture?

Returning to the Bill in hand, Amendment 11

“requires the annual report to include details of the number of authorisations sought and granted under new Part 7A”.

Bulk personal data appears to be widely used; 177 warrants were sought and approved in 2021. What is not clear is how many of these would qualify for the new 7A category of approval. It is also not clear from the Bill whether in future we will know the number of annual BPD warrants, as there is no explicit proposal for these to be included in the IPC’s annual report. This amendment seeks to make it explicit that they are reported in this way.

I am sure the Minister would agree that it is a reasonable—indeed, modest—request to understand how this permissive legislation is being used, not least because it seems that the application of the existing laws has not been totally smooth. In its most recent report, covering the period of 2020-21, the Investigatory Powers Commissioner’s Office, the IPCO, found that the Secret Intelligence Service had retained bulk personal datasets “in error” and “without a warrant”, and had “serious gaps” in its

“capability for monitoring and auditing of systems used to query and analyse BPDs”, involving

“several areas of serious concern”.

It also found that the agencies were responsible for 29 errors involving BPDs, the second highest area of the investigatory powers for errors. Errors can include, for example, officers accessing an individual’s record without reason.

We say again that Part 7A contains extensive new powers. We need appropriate oversight and transparency. This is a small but important amendment to which I hope the Minister would have no difficulty agreeing.

Amendment 14 deals with Clause 5 of the Bill, and relates to third-party bulk datasets, where

“the intelligence service has relevant access … to a set of information that is held electronically by a person other than an intelligence service”.

The definition of “relevant access” includes where

“the type and extent of the access available to the intelligence service is not generally available”.

With this amendment, we are simply asking the Minister to put on record a more detailed explanation of what type of information this might consist of, and what is meant by “not generally available”.

Amendment 18

“is intended to confirm that genomic and genetic data is included in the definition of sensitive data under this section”.

It is a simple probing amendment, intended to ensure that our understanding of the Bill is correct. I suggest that the upcoming data Bill will also deal with this, so there are some cross-references we need to establish here before the next Bill arrives. In the Bill, “sensitive personal data” is defined under Section 202(4) of the 2016 Act, which in turn cross-references Section 86(7) of the Data Protection Act 2018. Section 86 of the DPA lists

“genetic data for the purpose of uniquely identifying an individual” as sensitive personal information, so this amendment seeks to confirm that genomic and genetic data is included in the definition of sensitive personal data that might be included in health records, and that, as such, an application to examine any third-party dataset must explicitly state this.

In conclusion, Amendment 19

“requires the Secretary of State granting an authorisation in urgent cases to immediately notify a Judicial Commissioner that they have done so”.

This amendment is similar in intention to an amendment tabled to Clause 2, but this time regarding the powers in new Part 7B. Again, we are trying to understand what the urgent circumstances might be that would require examination of a third-party dataset without waiting for approval from a judicial commissioner, and therefore, as a safeguard, we would like the JC to be immediately notified that an authorisation has taken place. We have debated this to some extent under Part 7A, and I can imagine the crossover, but it would be useful to know if there are any differences between how Part 7A approval and Part 7B approval would be taken under these two circumstances.

Photo of Lord Anderson of Ipswich Lord Anderson of Ipswich Crossbench 3:45, 11 December 2023

My Lords, I welcomed this Bill at Second Reading, and the warmth of my welcome has not diminished. However, I am pleased to see so many amendments down to Part 1. As the noble Lord, Lord Fox, has said, the new rules for certain bulk personal datasets do not displace or dilute the currently applicable protections under the Data Protection Act, but they are probably the most operationally significant of the changes that we are looking at, and therefore can only benefit from careful scrutiny of the kind that noble Lords have so enthusiastically invited.

I have one general comment. Despite some of the kind words that were said about my report at Second Reading, I was not asked to design this Bill from scratch, nor to comment on anything as precise as a provisional text. Rather, my task was to assess proposals that were put forward by government and that in some cases evolved during the currency of my review. Although I did run a consultation as part of my review, its value was reduced by the rather limited amount I was able to say about the Part 1 proposals and some of the others. So although I did receive a handful of very helpful responses, there will certainly be points that did not occur to me and to which others were not able to alert me. The Bill is also, of course, in some respects more detailed than my recommendations. I look forward to hearing the Minister’s response to the various amendments in this group.

I will say a quick word about each of the amendments in my own name; there are only two. My probing Amendment 3 I offer to the Government as a Christmas present, as I thought it might suit them. If for any reason they do not like it—and I suspect they may not—then that is up to them; we can hardly force it on them. The background is this: it seemed to me that the question of whether individuals have a low, or no, expectation of privacy might depend in part on the use to which the datasets will be put. If, for example, an agency were prepared to commit to using a dataset only for training a large language model and not for operational purposes, perhaps that might be one of the factors pointing towards a low/no classification. The agencies and the Government politely explained to me—if I paraphrase correctly—that this was not a very practical suggestion, so I did not push it further, save to mention the point in paragraph 3.51 of my report.

Sure enough, the anticipated use of a dataset is not one of the factors listed in new Section 226A(3), where the factors are set out. But turn over the page to new Section 226BA, which deals with category authorisations, and there you see in subsection (3) that a category authorisation may describe a category of BPDs by reference to—among other things—

“the use to which the data will be put”.

My question to the Minister is simply this: if the use to which a dataset will be put can be relevant to the formulation of a category of low/no datasets, then why is it not relevant to the assessment of an individual dataset as low/no or otherwise? The Minister’s answer may be that the list in new Section 226A(3) is not exhaustive and that there is no reason why intended use should not be one of the circumstances taken into account under subsection (2) when considering whether a BPD is low/no. In that case, can he explain why intended use is not mentioned in new Section 226A when it is mentioned in new Section 226BA?

Is there a risk—I look here at the legal Benches—that the omission from new Section 226A of a factor that is included elsewhere might imply to whoever may have to interpret this new Act that we in Parliament did not wish intended use to be considered under new Section 226A? If we had, the argument would go, surely we would have said so, as we do later. As I said, I am probing only, but I would be glad for anything the Minister could say to help make this clear.

My Amendment 15 is a very minor one. It relates to the third-party bulk dataset regime—what will become Part 7B of the 2016 Act. The effect of Clause 5 of the Bill is to introduce a degree of regulation where there was none before in circumstances where an intelligence agency has relevant access to a third-party bulk dataset. My only point is that I am not clear why that access has to be electronic, as provided for in new Section 226E(2)(c) on page 14 of the Bill. That appears to mean that, if the third-party were to print the dataset off and press it into the eager hands of the intelligence agencies, there would be no relevant access and therefore no regulatory constraints.

Perhaps the Minister will tell me that this is very old-fashioned and that, in practice, in the modern world, access to an electronic dataset will always be electronic. Indeed, the Minister is nodding. In that case, surely my point still stands. If access is always electronic, why is it necessary to specify that access must be electronic before the safeguards kick in? Surely paragraph (c) on page 14 implies that access may be non-electronic and disapplies the safeguards in those circumstances. I am still a bit puzzled. If there is a point in the last line of new Section 226E, I hope the Minister will explain what it is.

Photo of Lord West of Spithead Lord West of Spithead Labour 4:00, 11 December 2023

My Lords, if I suddenly fall over, it is not excitement over my amendments but that I have a brand new starboard knee, which is still slightly wobbly, so I might look a little wobbly at times.

Noble Lords will recall that the Investigatory Powers Act was introduced as a result of the Intelligence and Security Committee of Parliament’s 2015 report, Privacy and Security, which recommended that a new Act of Parliament be created to

“clearly set out the intrusive powers available to the Agencies, the purposes for which they may use them, and the authorisation required”.

However, as the noble Lord, Lord Anderson, recognised in his recent report, which he referred to, there have been a number of changes since the Act was introduced. We now face a very different threat picture from that which we did in 2016, with an increased threat from state actors such as China, Russia and Iran, and a significant rise in internet-enabled crime, including ransomware and child exploitation. The pace of technological change has been incredible. Developments in the fields of data generation, cloud services, end-to-end encryption, artificial intelligence and machine learning have all created challenges, as well as opportunities, for law enforcement and the intelligence community.

The Intelligence and Security Committee, of which I am a member, therefore welcomes the introduction of this Bill. The ISC has considered classified evidence relating to the Bill and questioned all parts of the intelligence community and Ministers on the need for change. However, as ever, the devil is in the detail. The committee considers that there are several areas in which the Bill must be improved and, in particular, safeguards strengthened.

Parliament must ensure that the balance between privacy and security is appropriate, and that there is sufficient independent oversight of the work of the intelligence community, given the potential intrusiveness of its powers. The Bill seeks an expansion in the investigatory powers available to the intelligence services. While this expansion is warranted, any increase in investigatory powers must be accompanied by a concomitant increase in oversight. I have previously spoken about the refusal of the Government to update the remit of the ISC, or to provide the necessary resources for its functioning, such that it has

“oversight of substantively all of central Government’s intelligence and security activities to be realised now and in the future”,—[Official Report, Commons, Justice and Security Bill Committee, 31/1/13; col. 98.] as was the commitment given by the then Security Minister in the other place during the passage of the Justice and Security Act.

The House has made known its views on this long-standing failure during debates on several recent national security Bills, including the National Security and Investment Act, the Telecommunications (Security) Act and the National Security Act. However, despite repeated attempts by this House to ensure effective oversight, this has been ignored by the Government. The Government cannot continually expand and reinforce the powers and responsibilities of national security teams across departments and not expand and reinforce parliamentary oversight of those teams as well. The committee expects the Government to take this opportunity to bolster the effective oversight they say they value. If they do not, then they should expect that Parliament will. I therefore call upon the Government once more to update the ISC’s memorandum of understanding to ensure sufficient oversight of all intelligence and security activities across government. Indeed, this was the quid pro quo that Parliament expected during the passage of the Justice and Security Act 2013, and I trust that Parliament will take the same view now.

I turn to Amendment 10, which is designed to close a gap in oversight. Proposed new Section 226DA requires that each intelligence service provide an annual report to the Secretary of State detailing the individual bulk personal datasets that they retained and examined under either a “category authorisation” or an “individual authorisation” during the period in question. My amendment would ensure that there is independent oversight of this information, rather than just political oversight. The amendment would provide that the annual report be sent also to the Intelligence and Security Committee of Parliament and the Investigatory Powers Commissioner. IPCO has a degree of oversight included in the Bill already, since judicial commissioners approve both individual and category authorisations at the point of issue and approve the renewal of any authorisations after 12 months. This is not full oversight. Further, there is currently no democratic oversight at all of category authorisation, which is not appropriate. My amendment would ensure that IPCO and the ISC have oversight of the overall operation of this new regime.

Noble Lords will note that I have also tabled an amendment to notify IPCO of any new individual datasets that are added to category authorisations by the intelligence services. That amendment would work alongside this, and the ISC considers that the combination would provide an appropriate balance of real-time and retrospective oversight for these new powers. It is vital that the robust safeguards and oversight mechanisms so carefully considered by Parliament in respect of the original legislation are not watered down by the changes under this new Bill. Instead, they must be enhanced in line with the increasing investigatory powers. This is what the ISC seeks to achieve by the amendments I have tabled today.

Amendment 12 is consequential on the amendments that I have just talked about.

I speak now to Amendment 13. Part 7A of the Bill provides for a lighter-touch regulatory regime for the retention and examination of bulk personal datasets by the intelligence services where the subject of the data is deemed to have a low or no reasonable expectation of privacy. Approval to use such a dataset may either be sought under a category authorisation—which encompasses a number of individual datasets that have similar content or may be used for a similar purpose—or by an individual authorisation, where the authorisation covers a single dataset that does not fall neatly within a category authorisation or is subject to other complicating factors. In the case of a category authorisation, a judicial commissioner will approve the overall description of any category authorisation before it can be used. A judicial commissioner will also approve any renewal of a category authorisation after 12 months and the relevant Secretary of State will receive a retrospective annual report on the use of all category and individual authorisations.

This oversight is all retrospective. What is currently missing from the regime is any form of real-time oversight. Under the current regime, once a category authorisation has been approved, the intelligence services then have the ability to add any individual datasets to that authorisation through internal processes alone, without any political or judicial oversight. This would mean relying on the intelligence service to spot and rectify any mission creep, whereby datasets might be added to a category authorisation in a way that was not consistent with the definition of the original authorisation, which lasts up until the 12-month marker for renewals.

While we have every faith in the good intentions of the intelligence services—and I do not mean that in a joking way, because we have been amazingly impressed by them—no legislation should be dependent on the good will of its subjects to prevent misuse of the powers granted therein, particularly where those powers concern national security. The ISC therefore seeks to fill that very worrying gap.

My amendment proposes a new section in Clause 2—proposed new Section 226DAA—which would ensure that the IPCO was notified whenever a new individual bulk personal dataset was added by the agencies to an existing category authorisation. Notification would simply involve the agencies sending to the Investigatory Powers Commissioner the name and description of the specific bulk personal dataset as soon as reasonably practicable after the dataset was approved internally for retention and examination by the intelligence services.

The amendment would require not that the use of the dataset be approved by the IPCO but merely that the commissioner be notified that it had been included under the authorisation. It therefore does not create extra bureaucracy or process. Indeed, it provides for a flow of real-time information between the intelligence services and IPCO, to allow for the identification of any concerning activity or trends in advance of the 12-month renewal period. Any such activity could then be investigated by the commissioner as part of its usual inspections. The ISC believes that this amendment strikes the right balance between protecting the operational agility of the intelligence services and safeguarding personal data at any level of sensitivity.

Noble Lords have already considered my related amendment, to provide the annual report to the IPCO and the ISC, as well as to the Secretary of State. The committee believes that this combination of real-time oversight through the notification stipulated in this amendment and retrospective oversight, through the involvement of judicial and political oversight bodies, is necessary to provide Parliament and the public with the reassurance that data is being stored and examined in an appropriate manner by the intelligence services.

I repeat my entreaty to the House: the robust safeguards and oversight mechanisms so carefully considered by Parliament in respect of the original legislation must not be watered down by the changes under this new Bill; they must be enhanced in line with the increasing investigatory powers.

Photo of Lord Hope of Craighead Lord Hope of Craighead Judge

My Lords, I have added my name to Amendments 3 and 15 in the name of the noble Lord, Lord Anderson. I have nothing to add to what he said in support of Amendment 15, but I shall add a word about Amendment 3, which was the subject of the Christmas present of the noble Lord, Lord Anderson. It requires one to look a little more carefully at proposed new Section 226A(2), which provides as follows:

“In considering whether this section applies to a bulk personal dataset, regard must be had to all the circumstances, including in particular the factors in subsection (3)”.

What the noble Lord, Lord Anderson, is seeking to offer the Minister the invitation to include is the use to which the datasets are to be put. He draws strength for that proposition from what one finds in new Section 226BA(3), in which express reference is made to the use to which the datasets will be put. It can be said in support of this proposal that it seems a little strange not to include the use to which the datasets are to be put, if they are mentioned expressly in new Section 226BA(3). I suppose that one could say that, since new Section 226A(2) is very widely phrased and includes all the circumstances, that the Christmas present of noble Lord, Lord Anderson, is already there as already there as one of the circumstances, but it is probably happier to include it expressly, just for the avoidance of doubt. It is for the avoidance of doubt that the strength can be found in the proposal that he has put forward.

To return to Amendment 1, what the noble Lord, Lord Coaker, was doing with it, as he explained, was to draw attention to a difference in the wording in Clause 2: the wording to be found in new Section 226A(3)(b) does not follow precisely what we find in Schedule 10 to the Data Protection Act. I respectfully suggest that the wording in the Bill unpacks the wording of the schedule that the noble Lord, Lord Coaker, has reproduced in his amendment. I think that unpacking it in the way that the Bill does is helpful: it identifies two situations in which one could say that the data subject has taken a step, deliberately, to make the information public. One is where the individual does so himself, and the other is where the individual consents to the data being made public.

I think that the Bill achieves greater clarity than did Schedule 10 to the Data Protection Act, and therefore I respectfully suggest that, while the noble Lord, Lord Coaker, is absolutely right to draw attention to the difference in the wording, what we see is improved wording and I would support the wording of the Bill rather than that in the amendment which he has put forward. I hope he will not mind my suggesting that, but it is very helpful that he has drawn our attention to it. To be able to congratulate the Bill on improving on wording is something worth noting.

Photo of Lord Murphy of Torfaen Lord Murphy of Torfaen Labour 4:15, 11 December 2023

My Lords, I support my noble friends Lord Coaker and Lord West with regard to the Intelligence and Security Committee amendments. In 2005, when I became the chair of the Intelligence and Security Committee, nearly two decades had passed since the committee originally started life, when people did not really understand what it was all about. It had not been accepted, particularly, by agencies or by the Government, but over those 20 years, it became accepted. After I left, in 2007, even more changes to the powers and responsibilities of the committee were made, to such an extent that the ISC is now a significant and serious part of our constitutional landscape. But I fear that, over the last number of years, that has slightly declined.

I understand, for example, that the ISC has not met a Prime Minister—there have been lots of them, of course—over the last number of years, nearly a decade. Certainly, when I chaired it, we met the Prime Minister every year or so. It is an indication, I suspect, of what the Government think about it if they do not see it as so important as to meet the head of the Government now and again. I hope that is wrong, but I am sure the Minister will enlighten the House later as to what he and the Government think about the importance of the ISC. It is hugely significant; it is serious.

I shall move briefly on to the significance of the ISC with regard to the passage of the original Investigatory Powers Act, some years ago now, in 2015-16. I had the privilege of chairing the Joint Committee of both Houses on that Bill, and the ISC simultaneously was taking a huge interest in what it contained. For example, I met the then chair of the ISC, Dominic Grieve KC, and the committee itself produced a report on how it thought the original Act could be improved. I just hope that this small but important Bill—which I entirely support, by the way—mirrors what happened to the original Bill, so that the Government can indeed meet the ISC, at a ministerial level and at an official level, and have a proper dialogue as to how they see the ISC working after the Bill goes into law. I hope I can get some assurances from the Minister that that will happen.

It is an important Bill, the ISC is an important body, and they should operate together in a very special way. I wholly support the Bill, but I support the amendments from my two noble friends.

Photo of Lord Carlile of Berriew Lord Carlile of Berriew Crossbench

My Lords, it is a pleasure to follow the noble Lord, Lord Murphy, who has served with such distinction on the issues we are discussing this afternoon. I do not want to repeat what I said at Second Reading; I spoke in support of the Bill in general terms, and I remain in support of it. The only additional thing I would say is that we should not allow unnecessary amendment of the Bill to create a sort of legislative game of Dungeons and Dragons in which a bureaucratic labyrinth would be created which can be met in a much more practical way. On the whole, the Bill is pretty practical about a modern problem—a more modern problem than existed, say, 10 years ago—which has to be addressed in real time and sometimes with great urgency in that real time.

I want to say something that follows from what the noble Lords, Lord Murphy and Lord West, said about the ISC. I hope that we can tease a little more information out of the Minister, who has been extremely helpful to all of us who are interested in the Bill. I can see, and I would be grateful if the Minister would tell us, that there might be some practical problems relating to national security in the way in which the ISC was informed about problems arising under the provisions in the Bill when it becomes an Act. It would be helpful to the Committee if the Minister were to say from the Dispatch Box that the Government certainly do not exclude the involvement of the ISC in the consideration of the Bill. I should also be very grateful if he would say that the Home Secretary would regard it as a duty to inform the ISC on his personal responsibility if issues arose which ought, in the national interest, to be the subject of information to the ISC. Thus, the ISC might be able to report on these issues without too much bureaucracy being involved and any arguments about what is or is not disclosable in a wider way concerning national security.

Photo of Baroness Manningham-Buller Baroness Manningham-Buller Chair, Conduct Committee, Chair, Conduct Committee

My Lords, I do not know whether I can help the noble Lord, Lord Fox, on his question of urgency. One of the things that the Security Service and the other intelligence agencies do is deal with matters of life and death, of imminent terrorist threats, of states pursuing one of their dissidents. There is many an occasion when moving at vast speed outside the hours when IPCO is available is necessary and proportionate. I am out of date, so it is hard to give lots of current examples, but many a time there is an urgent need to move fast to try to save life.

On the point from the noble Lord, Lord Murphy, about the ISC—we will come on to look at these amendments in more detail—as far as my service is concerned, we did not need to get used to the ISC in that we had been demanding its creation for a number of years, with resistance from the Prime Minister of the day until it actually came into being. And when it did, we very much welcomed it.

I have hardly had more pleasure since I have been in this House than from the amendment in the name of the noble Lord, Lord Fox, on seeking to forget stuff. Like some noble Lords, I have difficulty in remembering things—I am sorry, I should speak only for myself—but if I was legislated to forget something, it is almost certain that I would be capable of remembering it.

Photo of Lord Sharpe of Epsom Lord Sharpe of Epsom The Parliamentary Under-Secretary of State for the Home Department

My Lords, I am grateful for the contributions to this debate, which have been very interesting. I thank all noble Lords for the points raised. I shall do my very best to address all of them and apologise in advance for going into significant detail. I also thank everyone in the Committee for their broad support for the Bill.

I will start with the low/no privacy factors on bulk personal datasets, which I will henceforth call BPDs, and the various amendments relating to the test set out in Clause 2, to be applied when an intelligence service is considering whether a particular dataset is one that can be retained, or retained and examined, under new Section 226A in the new Part 7A. This test requires that regard must be had to all the circumstances, and that particular regard must be had to the factors set out in new subsection (3). The list of factors is not exhaustive and other factors may be considered, where relevant.

Schedule 10 to the Data Protection Act is related to Section 86 of that Act, which is concerned with sensitive processing of personal data by the intelligence services. Schedule 10 sets out a list of conditions which must be met for such processing to be lawful for the purposes of the Data Protection Act. There is a risk that applying these words here, in a different context and for a different purpose, may be seen to create a link, albeit fallacious, between the type of datasets that will be retained and examined under new Part 7A and sensitive processing under the Data Protection Act. For that reason, their inclusion here risks doing more harm than good, as the noble and learned Lord, Lord Hope of Craighead, noted.

In any case, the safeguards in new Part 7A are already sufficient to ensure due regard for privacy. Every dataset proposed to be retained, or retained and examined, must be individually authorised. In addition to the test at new Section 226A, as new Section 226B makes clear, an individual authorisation may be granted only if it is both necessary and proportionate.

The factors have been chosen because they are most relevant to the context in which the test will be applied and have been drawn from existing case law. They provide a guide to the decision-maker in reaching a conclusion as to the nature of the dataset. Furthermore, a form of prior judicial approval will apply to all authorisations so that there is independent oversight of the conclusions reached.

Amendment 1, tabled by the noble Lord, Lord Coaker, seeks to replace factor (b) with language drawn from Schedule 10 to the Data Protection Act 2018. Factor (b) is concerned with the extent to which an individual has made public the data in the dataset, or has consented to the data being made public. The Government do not consider the amendment necessary. I am sure the noble Lord’s aim is to improve the safeguards in the Bill, and he has drawn inspiration from existing precedent to do so in an effort to bring consistency across statute. However, the amendment fails to achieve that aim, and risks creating an unclear and unnecessary link between this Bill and the Data Protection Act, which I have already explained. I will return to the Data Protection Act in due course.

Amendment 2, tabled by the noble Lord, Lord Fox, probes the inclusion of factors (d) and (e), relating to publicly available datasets that are already widely known about or are already used in the public domain—for example, in data science or academia. As I mentioned, the test in new Section 226A is one in which

“regard must be had to all the circumstances”.

The removal of factors from new subsection (3) would not, therefore, fundamentally change the test; it would mean simply that the decision-maker would not be bound to have particular regard to the absent factors. This amendment would, in fact, result in less transparency in the considerations the intelligence services apply when assessing expectation of privacy in relation to Part 7A authorisations.

The Government consider it important that particular regard is had to these factors. I know that noble Lords particularly enjoy the example of the “Titanic” manifest. It is a useful example of where such factors would be relevant, as it is a dataset that is widely known about and widely used, and contains real data about real people who would, unfortunately, no longer have an expectation of privacy. I also point to the helpful example in the independent review by the noble Lord, Lord Anderson: the Enron corpus. This is a large dataset of emails that came into the public domain following the investigation into the collapse of the Enron Corporation. Although initially sensitive, the dataset has been available in various forms for almost 20 years and is widely used in data science. It is right that such datasets are in scope of the new regime.

The noble Lord, Lord Fox, asked specifically about the extent to which these factors depart from existing privacy laws. The law concerning the reasonable expectation of privacy is likely to develop over time, and new Section 226A is intended to be sufficiently flexible to accommodate future changes. Rather than departing from the law, new Section 226A is intended to ensure that the intelligence services can continue to apply the law as it develops.

On Amendment 3, I thank the noble Lord, Lord Anderson, for tabling this helpful probing amendment. I am afraid the Government do not think it is necessary in order to achieve what we understand the intended effect of the amendment to be. The amendment does, however, provide an opportunity to better explain the difference between what the Bill calls “individual authorisations” and “category authorisations”. An individual authorisation will authorise the retention, or retention and examination, of a dataset under the new Part 7A being inserted into the Investigatory Powers Act—which I will henceforth refer to as the IPA—by this Bill.

All datasets that are to be retained under Part 7A must have an individual authorisation. Individual authorisations are subject to prior approval by a judicial commissioner unless the dataset described falls within an existing category. A category authorisation will not authorise the retention, or retention and examination, of a dataset. Instead, it is a mechanism through which a judicial commissioner’s permission may be sought in order to depart from the normal rule on prior approval, but only in respect of datasets that meet a particular description.

The description of a category may set out the use to which the datasets will be put to assist the judicial commissioner in making their assessment. Once approved, this description is called a “category authorisation”. So, as your Lordships will see, although the nomenclature of each type of authorisation is similar, they serve quite different functions.

The noble Lord’s amendment is concerned specifically with the test in the new Section 226A. As is clear from the jurisprudence, the test to be applied when determining whether an individual has a reasonable expectation of privacy—and therefore whether a dataset could be authorised under Part 7A—is one that takes into account all circumstances. There is no one-size-fits-all test, but this language ensures that thorough consideration is given to all relevant information in support of each individual authorisation, as reflected in the wording of subsection (2) of new Section 226A.

Of course, the law does not stand still and the jurisprudence in this area will certainly change as society’s expectations change. New Section 226A is therefore intended to encapsulate the essence of the jurisprudence while remaining flexible enough to accommodate future changes. That is why the factors are a non-exhaustive list.

I assure the noble Lord, Lord Anderson, that the fact that a relevant consideration does not explicitly appear within the list of factors in subsection (3) does not mean that it cannot and should not also be considered. In fact, quite the opposite is true: subsection (2) of Section 226A makes it clear that regard must be had to all the circumstances, as noted by the noble and learned Lord, Lord Hope. That will include, so far as is relevant, the use to which the intelligence services intend the dataset to be put once it is authorised. Further detail on this is set out in the draft code of practice which was published on GOV.UK last week. I believe that it will be found in paragraphs 4.11 to 4.20.

It is not the case that the Government disagree with the noble Lord’s amendment, simply that our view is that the amendment is not necessary for the reasons I have outlined. I trust this has provided the clarity that the noble Lord sought. I ask him to not move his amendment, but I am open to discussing the Government’s position further should he not be satisfied by my explanation.

The noble Lord, Lord Fox, via Amendment 4, seeks to probe the purposes for which the datasets—with which Part 7A is concerned—will be used by the intelligence services. It is no secret to say that bulk personal datasets, or BPDs, are used by the intelligence services in multiple ways to support their statutory functions. For example, BPDs play an important role in investigations, notably as “building block” intelligence, where analysts can pull together an assessment of the possible meanings of disparate pieces of fragmentary intelligence.

It is also envisaged that Part 7A will better enable our intelligence services to use BPDs for the purpose of developing the capabilities they need to be able to continue to do their important work, such as the training of machine-learning models, as the noble Lord noted. I note that the review by the noble Lord, Lord Anderson, sets out the many important uses to which BPDs are put.

The amendment proposed would severely and unnecessarily curtail the use to which the datasets may be put and would unnecessarily impede the intelligence services in their ability to carry on their work should the regime not allow for the authorisation of datasets that support the full range of the agencies’ functions.

The noble Lord asked about editorial control and public versus private. The question of whether a dataset meets the low or no reasonable expectation of privacy test will be assessed on a case-by-case basis, having regard to all circumstances, including the factors set out in the Bill. The draft code of practice sets out further detail on this, with paragraph 4.16 stating:

“This might be relied upon if the dataset consists of a set of news articles where a level of responsible review and scrutiny has already been applied to the dataset”.

Other than that, it would be inappropriate for me to speculate as to how a particular dataset might be dealt with under the proposed regime.

The noble Lord also asked what happens if an officer examining a BPD discovers that it contains more sensitive data. Section 226D of the low/no regime contains a mechanism to ensure that any information of that type or particularly sensitivity is handled appropriately. The code of practice sets out that in the event of an analyst discovering sensitive data, the relevant intelligence service must take certain steps. First, the head of the intelligence service must ensure that anything in the process of being done in relation to that data is stopped as soon as is reasonably practicable—I will come back to that. The intelligence service must then treat that part of the low/no BPD as if the relevant authorisation has been cancelled. The relevant information must be removed from the low/no dataset and either deleted or a Part 7 warrant sought in respect of that information.

I now turn to Amendments 5 to 9 and 19, tabled by the noble Lord, Lord Fox. Proposed new Section 226 (6B) in Clause 2 of the Bill enables the head of an intelligence service to grant an individual authorisation in respect of Part 7A without prior judicial approval, in circumstances in which there is an urgent need to do so. I am sure noble Lords will understand that there are circumstances in which our intelligence services must act urgently, as the noble Baroness, Lady Manningham-Buller, has just noted. There are existing urgency provisions throughout the IPA for that reason. The circumstances in which an authorisation is considered urgent are set out in the draft 7A code of practice, which the Government published on GOV.UK last week. They include where there is a threat to life or of serious harm, or if there is an urgent intelligence or investigative opportunity. These circumstances are well understood in the operational world and there is no need to depart from the established criteria here.

Part 7B, the third-party bulk personal dataset regime, is intended to mirror the well-established urgency circumstances and the Part 7 processes, to the extent possible. To be clear, the urgency provision is not a means by which scrutiny can be avoided or safeguards weakened. As set out at proposed new Section 226B in Clause 2 of the Bill, with further detail in the draft code of practice for Part 7A, a judicial commissioner must review an authorisation within three working days and decide whether to approve the decision to grant it. Of course, it is envisaged that the circumstances in which a Part 7A authorisation is required will be rare. However, as the noble Lord, Lord Anderson, noted in his report, there are operational circumstances where urgent co-operation might be necessary, and it may not be possible to seek prior judicial authorisation in the operational window available, as the noble Lord, Lord Carlile, also observed. We discussed one such case at Second Reading, in which the MoD were co-located with the intelligence services in a hostile environment and were unable to fully collaborate due to the existing restrictions in Part 7. I hope I have set out clearly how the urgency procedures operate and that there may of course be circumstances in which they prove necessary.

Amendment 8 seeks to probe the meaning of the expression

“so far as is reasonably practicable” in Clause 2, under proposed new Section 226D(2). This form of words is not novel. It is a well-known expression that appears elsewhere on the statute book, including at several places in the 2016 Act. These are important words because without them, the head of the intelligence service would be legally obliged to put a stop to anything that is being done both immediately and without any regard to the consequences of doing so.

Given the nature of the work that our intelligence services do to keep our country safe, I am sure noble Lords will appreciate that there are circumstances in which immediately stopping something that is already in train may not be possible, and if it is possible, it may not be safe to do so. The heads of our intelligence services are accountable for the actions of their respective organisations, as I explained earlier. They are best placed to make decisions of this kind, and it is important that they be able to do so. However, that does not give them carte blanche to do as they please. As I also explained, the Investigatory Powers Commissioner will be obliged to keep Part 7A under review, including compliance with proposed new Section 226D.

Turning to Amendment 9, I am sure noble Lords were as surprised as I was to hear that the noble Lord thinks that the intelligence services ought to “forget” intelligence they have gathered, creating a clear risk that could jeopardise national security and be contrary to their statutory functions, as well as Article 2 of the Human Rights Act, on the right to life.

Photo of Lord Fox Lord Fox Liberal Democrat Lords Spokesperson (Business) 4:30, 11 December 2023

If the Minister and indeed the noble Baroness had listened to what I said, they would know that I do not think it is forgettable; I just wanted the Minister to confirm that point.

Photo of Lord Sharpe of Epsom Lord Sharpe of Epsom The Parliamentary Under-Secretary of State for the Home Department

Thank you; point taken.

Section 226D provides a mechanism to achieve what I understand the intent of the amendment to be. It is clear that remedial action must be taken if it is discovered that Section 226A does not apply or no longer applies to part of a dataset authorised under Part 7A. Anything in the process of being done must be stopped as soon as possible, and that part of the authorisation is treated as cancelled. The effect of that part of the authorisation being treated as cancelled is that the data to which it relates must be deleted unless there is some other lawful basis for its retention. It may well be that it is appropriate for the intelligence service to continue to retain the data. That is why subsection (3), in effect, puts that part of the dataset back into the decision-making machinery in Section 220 of Part 7 of the IPA—so that such a decision can be made. We provide a fuller explanation of that in the draft code of practice for Part 7A, at paragraphs 4.26 and 5.39.

In conclusion on this amendment, if the noble Lord is suggesting that any actionable intelligence that has been identified while the agency was operating on the basis of that retention and examination being lawful under Part 7A should not be acted on, I am afraid I must playfully suggest that it is he who ought to forget his amendment.

I turn now to the various amendments on reporting on BPDs, including several that seek to amend the provisions set out in Clause 2, under Section 226DA, which require the heads of the intelligence services to provide an annual report on Part 7A to the Secretary of State. The first amendment proposed by the noble Lord, Lord Fox, Amendment 11, seeks to mandate that certain statistical information in a given year—specifically, the numbers of authorisations sought and granted—be provided to the relevant Secretary of State. This amendment is not necessary or appropriate. First, those Secretaries of State who are politically accountable for the intelligence services will have in place arrangements to that end and may demand of the relevant intelligence service any additional information he or she feels necessary. This may go beyond the level of detail the noble Lord has proposed be included in the annual report and may be more frequent. This is not a matter for the Bill, because the exact information the Secretary of State requires may evolve over time. Secondly, if this sort of specific reporting requirement is found to be necessary or desirable, it is more appropriate for inclusion in a code of practice, rather than being in the legislation. Indeed, the draft code of practice for Part 7A sets out some relevant details under paragraph 7.4.

I turn now to Amendments 10 and 12, proposed by the noble Lord, Lord West, and I take this opportunity to reassure him and the noble Lord, Lord Murphy. On behalf of the Security Minister, we thank them for their valuable work on the ISC and for the constructive engagement with the Bill Committee to date. I am pleased to see the noble Lord, Lord West, in his place today, and I am glad that he is on a more or less even keel.

The amendments the noble Lord has tabled would require the intelligence services to provide the same annual report that they provide to their Secretary of State, on the operation of Part 7A, to the ISC and the Investigatory Powers Commissioner. I do not believe that this additional requirement would provide the enhanced oversight of the regime that the amendments purport to provide. The annual reporting requirement is a formal statutory mechanism by means of which the Secretaries of State will receive information from the intelligence services about their use of Part 7A on an annual basis. This is a mechanism intended to ensure effective political oversight by the Secretary of State.

The ISC is a committee of Parliament. Oversight by the ISC is neither of the same nature as, nor a replacement for, the oversight of the Secretary of State. The ISC, as a committee of Parliament, already has a long-standing and well-established role in the oversight of the intelligence services to which these provisions will apply, and that role will continue here.

Sending the annual report to the Investigatory Powers Commissioner will not increase the level of independent oversight provided, for the following reasons. First, the Investigatory Powers Commissioner will be required to keep this new regime under review, as he does with the current Part 7 regime, and he will continue to report annually on his findings. Secondly, the information these amendments seek to include in the annual report is already information that the draft code of practice will require the intelligence services to keep, as is clear from paragraphs 7.1. and 7.2. The commissioner, and anyone acting on his behalf, has access to all locations, documentation and information systems as necessary to carry out a full and thorough inspection regime. The intelligence services are legally obliged to provide all necessary assistance to the commissioner, or anyone acting on his behalf, including by providing documents and information.

The noble Lords, Lord Fox, Lord Murphy and Lord West, asked about the continued engagement with the ISC. On both the policy proposals informing the Bill and the Bill itself, through a combination of ministerial, operational and official engagement, we have maintained continual engagement, which includes recent sessions with the Security Minister and the agency heads. As I said earlier, we are grateful to the committee for its engagement and scrutiny of the Bill. We will continue to involve it throughout the Bill’s passage, and I am more than happy to take the noble Lords’ comments back to the Home Office and make sure they are widely understood.

Amendment 13 would see the intelligence agencies notify the Investigatory Powers Commissioner every time an individual authorisation is granted in reliance on a category authorisation. I have already set out the distinct processes for individual and category authorisations under new Part 7A. As I set out earlier, categories will be authorised only with the prior approval of a judicial commissioner. IPCO inspectors will then be able to review the individual authorisation granted in reliance on a category authorisation during their regular inspections of the intelligence services throughout that time. Category authorisations will expire at 12 months and will then need to be renewed and that decision reapproved by a judicial commissioner.

It is important to remember that the Government are delivering these reforms to ensure that the services have the operational agility they need to effectively carry out their statutory functions. The safeguards in new Part 7A are calibrated to reflect the level of intrusion associated with the dataset to which new Section 226A applies. The intelligence services do not presently notify IPCO when they add a new dataset to a class warrant under the existing Part 7 regime. The Investigatory Powers Commissioner’s Office reviews these additions on inspection as part of routine oversight, so there is no need for a more onerous dataset-by-dataset approach here. It would therefore not be appropriate to place greater restrictions where the data in question under the new Part 7A would have a lower expectation of privacy.

Amendment 16, proposed by the noble Lord, Lord Coaker, seeks to insert an annual reporting requirement into the Part 7B regime. Noble Lords will be aware from reading Clause 5 that, as with the rest of the existing Act and the Bill, the Part 7B regime will be subject to stringent and robust oversight by the Investigatory Powers Commissioner. For new Part 7B, this includes the application of the judicial double lock for warrants under this part. The Part 7B regime will also be included within the Investigatory Powers Commissioner’s annual report, which will provide further transparency and accountability. To add an extra requirement in the Part 7B regime for a similar report to be produced by the intelligence services for the Investigatory Powers Commissioner and the ISC would be unnecessary and duplicative. For these reasons, the proposed amendments do not provide additional meaningful oversight, and therefore I invite the noble Lord not to move them.

Amendments 14, 15, 17 and 18 all relate to third-party BPDs. The Government cannot agree with Amendment 15, tabled by the noble Lord, Lord Anderson of Ipswich, on the basis that it would damage the overall efficacy of the third-party BPD regime and impair the operational agility of the intelligence services. The Bill introduces safeguards regarding the intelligence services’ examination of third-party BPDs on the system of third parties. These safeguards are designed to mirror, to the extent possible, the existing IPA Part 7 regime. Under the existing Part 7 regime, a BPD exists only if it is available electronically for analysis, and it is the general rule that any examination of a BPD would also happen electronically. It does not follow that in this day and age an intelligence service would seek to examine a BPD in hard copy. Such an approach would be astonishingly inefficient given the sheer scale of the data available. It could also increase the intrusion on privacy and would prohibit the intelligence service from overlaying the results against other electronically retained datasets, which in turn would risk intelligence failure and general operational inertia. This is also true of third-party BPDs, as the access and examination of a third-party BPD will always take place electronically, and this concept needs to be clearly reflected in the third-party BPD regime to ensure clarity and consistency around when the third-party BPD regime is engaged and when it is not.

On Amendment 14, tabled by the noble Lord, Lord Fox, as noble Lords are aware, the proposed regime is designed to ensure that the intelligence services’ access and examination of third-party BPDs are clearly defined and underpinned by the appropriate level of safeguards and oversight. The inclusion of “not generally available” within the proposed regime sets clear guard-rails for the intelligence services to follow in respect of what does and does not constitute a third-party BPD. For example, if a third party sold or provided access to a dataset to the general public but offered a smaller customer base, such as Governments or law enforcement agencies, the ability to query or access extra data fields, this additional activity would clearly fall within the scope of the third-party BPD regime, as the access is not generally available. Removing this clear test from the proposed regime would seriously inhibit and impede the conduct and operational agility of the intelligence services, as it would bring into scope a much broader range of datasets that would be available to the general public, even going as far as requiring a warrant to undertake activity such as browsing the internet.

I thank the noble Lord, Lord Coaker, for tabling Amendment 17 and am happy to explain why the Government cannot support it. Section 263 of the IPA contains the definition of serious crime that is relied on by the majority of the powers contained in the Act, such as the interception and equipment interference provisions. It is this same definition of serious crime that is relied on in the Part 7B regime. It has been explicitly clear since the IPA came into operation that the definition of serious crime contained in Section 263 applied to the relevant provisions of the Act unless otherwise stated. It would therefore be inconsistent to explicitly reference the Section 263 definition in the Part 7B regime, when the rest of the IPA relies merely on the general definition of Section 263. This would create confusion and inconsistent interpretations around which serious crime definition is being applied.

On Amendment 18, tabled by the noble Lord, Lord Fox, the current definition of “sensitive personal data” contained in Clause 5 draws on the definition of sensitive personal data contained in the existing Part 7 BPDs regime, which in turn relies on provisions in the Data Protection Act 2018. It is therefore illogical to introduce a different definition in one section of the proposed third-party BPD regime in respect of sensitive personal data and to diverge from the Data Protection Act in this way. I also point out that the relevant provisions in the Data Protection Act already refer to genetic data where it is processed for the purposes of identifying an individual. Therefore, it is not necessary to reference it explicitly in Clause 5.

Finally on the subject of the age of children, my understanding is that this relates to the difference in the age of criminal responsibility in the relevant legislature for each devolved area, but I will confirm and write to the noble Lord if that is not correct.

I hope that my rather lengthy explanations—for which I apologise—have provided reassurance to noble Lords. There may be further conversations to be had on certain areas, but I hope that I have given a clear rationale to noble Lords for the Government’s position and that they will not seek to press their amendments.

Photo of Lord Coaker Lord Coaker Shadow Spokesperson (Defence), Shadow Spokesperson (Home Affairs), Opposition Whip (Lords) 4:45, 11 December 2023

My Lords, that was an extremely helpful response from the Minister and shows the importance of tabling probing amendment sometimes: to get things read into Hansard that can be referred to.

With respect to the point around children, I would be grateful for the letter to be made available to other Members of the Committee. Again, that was a helpful point and helpful clarification, should it be needed. I also very much agree with him—to show my point about the importance of things being read into Hansard—about my Amendment 17, but it was helpful for the Minister to read into the record the definition of serious crime to be used throughout the Bill, so that there is no ambiguity with respect to that.

I totally agree with what the noble and learned Lord, Lord Hope, said about my Amendment 1. I think the wording in the Bill is better than that contained in Schedule 10 to the Data Protection Act 2018, but I wanted that to be read into the record so that we had it there. I agree with his criticism of my Amendment 1, but the reason I tabled it was exactly to get the point that he made in criticising my amendment, which the Minister reinforced—if the noble and learned Lord understands my logic.

The points made by the noble Lord, Lord Anderson, with respect to Amendment 3 raise an issue. The Minister’s response to that was, “Well, it’s a non-exhaustive list so it’s not necessary, but I’m happy to talk to the noble Lord about it”. One wonders where that will get to. It will be interesting for the Committee to see the outcome of that. I thought that Amendment 3, of all the various amendments, was particularly useful and again drew out whether the factors listed in Clause 2 are the right ones, or whether they need adding to. It was important that the Minister clarified that it is not an exhaustive list.

There is one area that I think may need to be looked at further, as mentioned by my noble friends Lord Murphy and Lord West, and the noble Lord, Lord Carlile, if I understood his remarks properly. We need to clarify the role of the Intelligence and Security Committee. I note the Minister’s reassurances, but what is its role? The clear point of difference between what I would say and what my noble friends Lord Murphy and Lord West and others would say is that we are talking here about parliamentary oversight. The Government have an annual report which goes to the Secretary of State. That is political oversight of a sort but it is not parliamentary oversight. The whole point of the ISC being set up was to give parliamentary oversight to all these sorts of matters. We have a Bill before us called the Investigatory Powers (Amendment) Bill, which deals with all sorts of issues of national security and the powers that the intelligence agencies and others should have on our behalf. It is only right and proper that the Intelligence and Security Committee should have a role that is properly defined within the legislation before us. That is one aspect that I need to reflect on and discuss with other Members of your Lordships’ House and with my noble friend Lord West, as our member of that committee.

That is the one area where, to be honest, I was not satisfied with what the Minister had to say. Notwithstanding Amendment 3, and all the other points made to the noble Lord, Lord Fox, and many others, the definitions the Minister has helped clarify and the various ways he has sought to ensure that people understand the Government’s intent have been extremely helpful to the Committee. With that, I seek leave to withdraw the amendment.

Amendment 1 withdrawn.

Amendments 2 to 13 not moved.

Clause 2 agreed.

Clauses 3 and 4 agreed.

Clause 5: Third party bulk personal datasets

Amendments 14 to 19 not moved.

Clause 5 agreed.

Clauses 6 to 10 agreed.

Clause 11: Offence of unlawfully obtaining communications data