Clause 11 - Personal data breaches

Investigatory Powers (Amendment) Bill [Lords] – in a Public Bill Committee at 2:00 pm on 7 March 2024.

Alert me about debates like this

Photo of Thomas Tugendhat Thomas Tugendhat Minister of State (Home Office) (Security) 2:00, 7 March 2024

I beg to move amendment 1, in clause 11, page 31, line 36, leave out “a court or tribunal” and insert “the Investigatory Powers Tribunal”.

This amendment is consequential on amendment 2.

Photo of Judith Cummins Judith Cummins Labour, Bradford South

With this it will be convenient to discuss the following:

Government amendment 2.

Clause stand part.

Photo of Thomas Tugendhat Thomas Tugendhat Minister of State (Home Office) (Security)

Clause 11 will ensure that there is clarity for telecommunications operators operating within the IPA framework about which regulatory body certain personal data breaches should be notified to. It also provides a statutory basis for the Investigatory Powers Commissioner being notified of such breaches. Without this change, there will be confusion about personal data reporting obligations and a regulatory gap in respect of certain personal data breaches by telecommunications operators not being dealt with by the appropriate regulatory body. The clause also ensures that an individual affected by a personal data breach can be notified of the breach by the Investigatory Powers Commissioner, if the IPC deems to it to be in the public interest to do so. This will enable them to seek remedy from the Investigatory Powers Tribunal.

Government amendments 1 and 2 build upon the provisions already contained in clause 11 by providing a clear route to redress for those affected by personal data breaches committed by telecommunications operators. They ensure that the Investigatory Powers Tribunal has the jurisdiction to consider and determine complaints about personal data breaches committed by TOs and grant a remedy. The IPT already has significant experience of considering complaints from individuals who believe they have been the victim of unlawful interference by public authorities. It is therefore the appropriate forum to consider complaints regarding certain personal data breaches.

Amendment 1 agreed to.

Amendment made: 2, in clause 11, page 32, line 19, at end insert—

‘(1A) In section 65 of the Regulation of Investigatory Powers Act 2000 (the Tribunal)—

(a) in subsection (2), after paragraph (b) insert—

“(ba) to consider and determine any complaints made to them which, in accordance with subsection (4AA), are complaints for which the Tribunal is the appropriate forum;”

(b) after subsection (4) insert—

“(4AA) The Tribunal is the appropriate forum for a complaint if it is a complaint by an individual about a relevant personal data breach.

(4AB) In subsection (4AA) “relevant personal data breach” means a personal data breach that the individual is informed of under section 235A(5) of the Investigatory Powers Act 2016 (serious personal data breaches).”

(1B) In section 67 of the Regulation of Investigatory Powers Act 2000 (exercise of the Tribunal’s jurisdiction)—

(a) in subsection (1)(b), after “65(2)(b)” insert “, (ba)”;

(b) in subsection (5)—

(i) the words from “section” to the end become paragraph (a), and

(ii) after that paragraph insert “, or

(b) section 65(2)(ba) if it is made more than one year after the personal data breach to which it relates.”

(c) in subsection (6), for “reference” substitute “complaint or reference has been”.

(1C) In section 68 of the Regulation of Investigatory Powers Act 2000 (Tribunal procedure), for subsection (8) substitute—

“(8) In this section “relevant Commissioner” means—

(a) the Investigatory Powers Commissioner or any other Judicial Commissioner,

(b) the Investigatory Powers Commissioner for Northern Ireland, or

(c) the Information Commissioner.”’—(Tom Tugendhat.)

This amendment provides for the Investigatory Powers Tribunal to be the appropriate forum for complaints by individuals about certain personal data breaches reported to the Investigatory Powers Commissioner under section 235A of the Investigatory Powers Act 2016 (personal data breaches).

Clause 11, as amended, ordered to stand part of the Bill.