BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!
[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback] | ||
United Kingdom Statutory Instruments |
||
You are here: BAILII >> Databases >> United Kingdom Statutory Instruments >> The Investigatory Powers (Technical Capability) Regulations 2018 No. 353 URL: http://www.bailii.org/uk/legis/num_reg/2018/uksi_2018353_en_1.html |
[New search] [Printable PDF version] [Help]
Statutory Instruments
Investigatory Powers
Made
8th March 2018
Coming into force in accordance with regulation 1
The Secretary of State, in exercise of the powers conferred by sections 253(3) and (5) and 267(1)(b) of the Investigatory Powers Act 2016(1), makes the following Regulations.
In accordance with section 253(4) of that Act, the Secretary of State considers that the obligations in the Schedules to these Regulations are obligations that are reasonable to impose on those relevant operators(2) to whom the obligations apply for the purpose of securing that it is (and remains) practicable to impose requirements on those relevant operators to provide assistance in relation to relevant authorisations(3), and that it is (and remains) practicable for those relevant operators to comply with those requirements.
In accordance with section 253(6) of that Act, before making these Regulations the Secretary of State has consulted the Technical Advisory Board, persons appearing to the Secretary of State to be likely to be subject to the obligations specified in these Regulations and those representing such persons, and persons with statutory functions in relation to persons appearing to the Secretary of State to be likely to be subject to the obligations specified in these Regulations.
In accordance with section 267(3)(i) of that Act, a draft of this instrument was laid before Parliament and approved by resolution of each House of Parliament.
1. These Regulations may be cited as the Investigatory Powers (Technical Capability) Regulations 2018 and come into force on the day on which section 253(1) of the Act (power of the Secretary of State to give technical capability notices) comes into force for all purposes.
2. In these Regulations-
"the Act" means the Investigatory Powers Act 2016;
"relevant postal operator" means a postal operator, or a person who is proposing to become a postal operator(4);
"relevant telecommunications operator" means a telecommunications operator, or a person who is proposing to become a telecommunications operator(5), but does not include a person who provides, or who is proposing to provide, a telecommunications service only in relation to the provision by that person of banking, insurance, investment or other financial services;
"secondary data" has the same meaning as in Part 2 of the Act (see section 16(4) of the Act).
3.-(1) The Schedules to these Regulations specify applicable obligations for the purposes of section 253 of the Act.
(2) Schedule 1 specifies obligations that may be imposed on a relevant operator for the purpose of securing that the operator has the capability to provide any assistance the operator may be required to provide in relation to warrants issued under Part 2 or Chapter 1 of Part 6 of the Act.
(3) Schedule 2 specifies obligations that may be imposed on a relevant operator for the purpose of securing that the operator has the capability to provide any assistance the operator may be required to provide in relation to authorisations or notices given under Part 3 of the Act and warrants issued under Chapter 2 of Part 6 of the Act.
(4) Schedule 3 specifies obligations that may be imposed on a relevant operator for the purpose of securing that the operator has the capability to provide any assistance the operator may be required to provide in relation to warrants issued under Part 5 or Chapter 3 of Part 6 of the Act.
4.-(1) Subject to paragraph (3), the obligations in Part 1 of Schedules 1 and 2 and in Schedule 3 may be imposed on a relevant telecommunications operator.
(2) The obligations in Part 2 of Schedules 1 and 2 may be imposed on a relevant postal operator.
(3) The obligations in Part 1 of Schedule 1 and in Schedule 3 may not be imposed on a relevant telecommunications operator who does not provide, and does not intend to provide, a telecommunications service to more than 10,000 persons.
Ben Wallace
Minister of State
Home Office
8th March 2018
Regulation 3(2)
1.-(1) To provide and maintain the capability to carry out the interception of communications or the obtaining of secondary data and disclose anything obtained under a warrant to the person to whom the warrant was addressed, or any person acting on that person's behalf, within one working day, or such longer period as may be specified in the technical capability notice, of the service of a copy of the warrant.
(1) "Within one working day", in relation to the service of a copy of a warrant, means within a period of 24 hours, not including any time that is not part of a working day.
2. To provide, modify, test, develop or maintain any apparatus, systems or other facilities or services necessary to provide and maintain the capability described in paragraph 1.
3. To provide and maintain the capability to ensure the interception, in their entirety, of all communications and the obtaining, in their entirety, of all secondary data authorised or required by a warrant.
4. To provide and maintain the capability to ensure, where reasonably practicable, the transmission of communications and secondary data, as near to in real time as is reasonably practicable, to a hand-over point as agreed with the person to whom a warrant is addressed.
5. To provide and maintain the capability to disclose, where reasonably practicable, only the communications the interception of which, or the secondary data the obtaining of which, is authorised or required by a warrant.
6. To provide and maintain the capability to disclose intercepted communications and secondary data in such a way that communications and secondary data obtained from those communications can be unambiguously correlated.
7. To ensure that any hand-over interface complies with any appropriate industry standard, or other requirement, specified in the technical capability notice.
8. To provide and maintain the capability to-
(a)disclose the content of communications or secondary data in an intelligible form where reasonably practicable;
(b)remove electronic protection applied by or on behalf of the telecommunications operator to the communications or data where reasonably practicable, or
(c)to permit the person to whom a warrant is addressed to remove such electronic protection.
9. To provide and maintain the capability to simultaneously intercept, or obtain secondary data from, communications relating to a number of the persons to whom the telecommunications operator provides the telecommunications service to which the communications relate which is equal to-
(a)1 in 10,000 of the persons in the United Kingdom to whom the telecommunications operator provides that service, or
(b)such smaller number as is specified in the notice.
10. To ensure that any apparatus, systems or other facilities or services necessary to carry out the interception of communications or obtaining of secondary data are at least as reliable as any telecommunication system by means of which the communication that is intercepted, or the communication from which secondary data is obtained, is transmitted.
11. To ensure that the capability to intercept communications or obtain secondary data may be audited so that-
(a)it is possible to confirm that the communications that are intercepted, or from which secondary data is obtained, are those described in a warrant, and
(b)the integrity of the communications and data is assured so far as reasonably practicable.
12.-(1) To comply with the other obligations imposed by a technical capability notice in such a manner that the risk of any unauthorised persons becoming aware of any matter within section 57(4) of the Act is minimised, in particular by ensuring that apparatus, systems or other facilities or services, as well as procedures and policies, are developed and maintained in accordance with security standards or guidance specified in the notice.
(2) For the purpose of this paragraph, a person is an unauthorised person in relation to a matter within section 57(4) of the Act if, were the matter disclosed to that person by a person to whom section 57 applies, that disclosure would be an unauthorised disclosure.
13. In order that the capability to intercept communications and obtain secondary data may be maintained, to put in place and to maintain arrangements, agreed with the Secretary of State, to notify the Secretary of State, within a reasonable time, of-
(a)proposed changes to telecommunications services or telecommunication systems to which obligations imposed by a technical capability notice relate;
(b)proposed changes, to existing telecommunications services or telecommunication systems, of a description specified in the notice, and
(c)the development of new telecommunications services or telecommunication systems.
14.-(1) To provide and maintain the capability to carry out the interception of, or the obtaining of secondary data from, communications transmitted by means of a postal service and to disclose anything obtained under a warrant to the person to whom the warrant is addressed or any person acting on that person's behalf within one working day, or such longer period as may be specified in the technical capability notice, of the service of a copy of the warrant.
(2) "Within one working day", in relation to the service of a copy of a warrant, means within a period of 24 hours, not including any time that is not part of a working day.
15. To provide and maintain the capability to open, copy and reseal any postal item.
16.-(1) To comply with the other obligations imposed by a technical capability notice in such a manner that the risk of any unauthorised persons becoming aware of any matter within section 57(4) of the Act is minimised, in particular by ensuring that apparatus, systems or other facilities or services, as well as procedures and policies, are developed and maintained in accordance with security standards or guidance specified in the notice.
(2) For the purpose of this paragraph, a person is an unauthorised person in relation to a matter within section 57(4) of the Act if, were the matter disclosed to that person by a person to whom section 57 applies, that disclosure would be an unauthorised disclosure.
Regulation 3(3)
1. To provide and maintain the capability to obtain and disclose communications data without undue delay, and within a period specified in the technical capability notice or agreed between the telecommunications operator and the Secretary of State, following the telecommunications operator being informed that obtaining or disclosing the communications data has been authorised under the Act.
2. To provide, modify, test, develop or maintain any apparatus, systems or other facilities or services necessary to provide and maintain the capability described in paragraph 1.
3. To ensure that any apparatus, systems or other facilities or services necessary to obtain and disclose communications data are of a reliability specified in the notice or agreed between the operator and the Secretary of State.
4. To provide and maintain the capability to ensure the obtaining and disclosure, in their entirety, of all communications data to which an authorisation or warrant relates.
5. To ensure the transmission of the communications data to a hand-over point in accordance with levels of service specified in the notice or agreed between the telecommunications operator and the Secretary of State.
6. To provide and maintain the capability to disclose communications data in such a way that it is clear to which request or requirement to disclose communications data the data relates.
7. To ensure that any hand-over interface complies with any appropriate industry standard, or other requirement, specified in the technical capability notice.
8. To provide and maintain the capability to disclose, where reasonably practicable, only the communications data the obtaining of which is authorised by an authorisation or warrant.
9. To provide and maintain the capability to-
(a)disclose communications data in an intelligible form where reasonably practicable;
(b)remove electronic protection applied by or on behalf of the telecommunications operator to the data where reasonably practicable, or
(c)to permit a person authorised to obtain the communications data, or the person to whom a warrant was addressed, to remove such electronic protection.
10. To install and maintain any apparatus provided to the operator by or on behalf of the Secretary of State for the purpose of enabling the operator to obtain or disclose communications data, including by providing and maintaining any apparatus, systems or other facilities or services necessary to install and maintain any apparatus so provided.
11. To ensure that the capability to obtain and disclose communications data may be audited so that-
(a)it is possible to confirm that the obtained communications data are those described in an authorisation or warrant which authorised the obtaining of the communications data, and
(b)the integrity of the data is assured so far as reasonably practicable.
12.-(1) To comply with the other obligations imposed by a technical capability notice in such a manner that the risk of any unauthorised persons becoming aware of any matter within section 82(1)(a) or (b) of the Act or the existence or contents of a warrant is minimised, in particular by ensuring that apparatus, systems or other facilities or services, as well as procedures and policies, are developed and maintained in accordance with security standards or guidance specified in the notice.
(2) For the purpose of this paragraph, a person is an unauthorised person in relation to-
(a)a matter within sections 82(1)(a) or (b) of the Act if, were the matter disclosed to that person by a telecommunications operator, or any person engaged for the purposes of the business of a telecommunications operator, that disclosure would, if made without reasonable excuse, be an disclosure prohibited by section 82(1) of the Act;
(b)the existence or contents of a warrant if, were the existence or contents of the warrant disclosed to that person, the disclosure would be prohibited by section 174(1).
13. In order that the capability to obtain communications data may be retained, to put in place and to maintain arrangements, agreed with the Secretary of State, to notify the Secretary of State within a reasonable time of-
(a)proposed changes to existing telecommunications services or telecommunication systems to which obligations imposed by a technical capability notice relate;
(b)proposed changes, to existing telecommunications services or telecommunication systems, of a description specified in the notice, and
(c)the development of new telecommunications services or telecommunication systems.
14. To provide and maintain the capability to ensure that communications data in relation to communications transmitted by means of a postal service can be disclosed to a person authorised under section 61 of the Act to obtain it.
15. Where, in the course of their normal business, the postal operator keeps records of who sent which item, to provide and maintain the capability to ensure that communications data in relation to postal items sent by identified persons can be disclosed to a person authorised under section 61 of the Act to obtain the data.
16.-(1) To comply with the other obligations imposed by a technical capability notice in such a manner that the risk of any unauthorised persons becoming aware of any matter within section 82(1)(a) or (b) of the Act, is minimised, in particular by ensuring that apparatus, systems or other facilities or services, as well as procedures and policies, are developed and maintained in accordance with security standards or guidance specified in the notice.
(2) For the purpose of this paragraph, a person is an unauthorised person in relation to a matter within sections 82(1)(a) or (b) of the Act if, were the matter disclosed to that person by a postal operator, or any person engaged for the purposes of the business of a postal operator, that disclosure would, if made without reasonable excuse, be an disclosure prohibited by section 82(1) of the Act.
Regulation 3(4)
1. To provide and maintain the capability for interference with equipment to be carried out, for the purpose of obtaining communications, equipment data or any other information, within such period of the service of a warrant as may be specified in the technical capability notice in accordance with section 253(7) of the Act.
2. To provide and maintain the capability to ensure the obtaining of any communications, equipment data or other information which is authorised by a warrant, and to disclose anything obtained under a warrant, within such a period as may be specified in the technical capability notice.
3. To provide and maintain the capability to enable the transmission to the person to whom a warrant is addressed of any data of a type specified in the technical capability notice required to secure equipment interference.
4. To provide, modify, test, develop or maintain any apparatus, systems or other facilities or services necessary to provide and maintain the capabilities described in paragraphs 1 to 3.
5. To provide and maintain the capability to disclose, where reasonably practicable, only the communications, equipment data and other information the obtaining of which is authorised by a warrant.
6. To provide and maintain the capability to-
(a)disclose the communications, equipment data and other information in an intelligible form to standards specified in the notice where reasonably practicable;
(b)to remove electronic protection applied by or on behalf of the telecommunications operator to those communications, equipment data or other information where reasonably practicable, or
(c)to permit the person to whom a warrant is addressed to remove such electronic protection.
7. To provide and maintain the capability to disclose communications, any equipment data falling within section 100(2) of the Act and other information in such a way that the equipment data can be unambiguously correlated with the communication or other item of information it was comprised in, included as part of, attached to or logically associated with.
8. To ensure that any hand-over interface complies with any appropriate industry standard, or other requirement, specified in the technical capability notice.
9. To ensure that the capability to interfere with equipment may be audited so that-
(a)it is possible to confirm that the communications, equipment data or other information obtained are those to which a warrant relates, and
(b)that the integrity of the communications, equipment data or other information is assured so far as reasonably practicable.
10.-(1) To comply with the other obligations imposed by a technical capability notice in such a manner that the risk of any unauthorised persons becoming aware of any matter within section 132(4) of the Act is minimised, in particular by ensuring that apparatus, systems or other facilities or services, as well as procedures and policies, are developed and maintained in accordance with security standards or guidance specified in the notice.
(2) For the purpose of this paragraph, a person is an unauthorised person in relation to a matter within section 132(4) of the Act if, were the matter disclosed to that person by a person to whom section 132 applies, that disclosure would be an unauthorised disclose.
11. In order that the ability to interfere with equipment may be maintained, to put in place and to maintain arrangements, agreed with the Secretary of State, to notify the Secretary of State within a reasonable time of-
(a)proposed changes to telecommunications services or telecommunication systems to which obligations imposed by a technical capability notice relate;
(b)proposed changes, to existing telecommunications services or telecommunication systems, of a description specified in the notice, and
(c)the development of new telecommunications services or telecommunication systems.
(This note is not part of the Regulations)
These Regulations set out the obligations which may be contained in a technical capability notice given by the Secretary of State under section 253 of the Investigatory Powers Act 2016 (c. 25). A technical capability notice imposes obligations on a relevant operator in order to ensure that the operator has the capability to provide assistance in relation to interception warrants, equipment interference warrants, or warrants or authorisations for the obtaining of communications data. A "relevant operator" means a postal operator, a telecommunications operator, or a person who is proposing to become either.
Regulation 3 introduces the obligations which may be imposed by a technical capability notice. Schedule 1 sets out obligations in relation to bulk and targeted interception warrants; Schedule 2 sets out obligations in relation to authorisations for the targeted acquisition of communications data or warrants for the bulk acquisition of communications data, and Schedule 3 sets out obligations in relation to bulk or targeted equipment interference warrants.
Regulation 4 provides that certain obligations may be imposed on postal operators and certain obligations on telecommunications operators. No obligations may be imposed on a telecommunications operator which provides a telecommunications service only in relation to providing banking, insurance, investment or other financial services. Further, obligations in relation to interception or equipment interference warrants may not be imposed on a telecommunications operator who does not provide, or intend to provide, a service to more than 10,000 customers.
A full impact assessment has not been produced for this instrument as no, or no significant, impact on the private, voluntary or public sectors is foreseen.
"Relevant operator" is defined in section 253(3) of the Act.
"Relevant authorisation" is defined in section 253(3) of the Act.
"Postal operator" is defined in section 262(6) of the Act.
"Telecommunications operator" is defined in section 261(10) of the Act.