The Minister of State, Home Office (Lord Hanson of Flint) (Lab)

- Hansard -

Copy Link

- - Excerpts

My Lords, it is a pleasure to be here today to bring forward these regulations. The Government have published an Explanatory Memorandum alongside them, and I shall begin with some brief background as to how we have got to where we are.

The Investigatory Powers Act 2016, known as the IPA, provides a framework for the use and oversight of investigatory powers by the intelligence services, law enforcement and other public authorities. I recall it well, having served on the Bill, in both draft and original form. It never fails to surprise to me that it is almost 10 years ago since the Act came into being. It helps to safeguard people’s privacy by setting out stringent controls over the way in which the powers are authorised and overseen. The IPA is considered to be world-leading legislation that provides unprecedented transparency and substantial protections for privacy.

The IPA was intentionally drafted in a technologically neutral manner, to ensure that public authorities could continue to acquire operationally relevant data as technology evolved. While this approach has largely withstood the test of time, a combination of new communication technologies and the changing threat landscape continues to challenge the effective operation of the Act.

The Investigatory Powers (Amendment) Act 2024 was introduced by the previous Government and received Royal Assent in April last year. To ensure that the legislative regime remains fit for purpose, the 2024 Act made a series of targeted changes to the IPA to enable our law enforcement and intelligence agencies to tackle a range of evolving threats in the face of new technologies and increasingly sophisticated terrorist and criminal groups.

That gives rise to the purpose of these regulations. The regulations before us bring into force three new and five revised codes of practice, which provide operational guidance for public authorities to have regard to when exercising their functions under the IPA. As well as including minor updates and changes to ensure consistency, the codes of practice have been revised to reflect various changes made by the 2024 Act under the previous Government.

The new codes on bulk personal datasets with a low or no reasonable expectation of privacy and third-party bulk personal datasets relate to new regimes introduced by the 2024 Act. The new code on the notices regime consolidates guidance from various existing codes into one place. The regulations also contain several provisions relating to the IPA’s notices regime, including defining “relevant change” for the purpose of the new notification notices. They also introduce timelines for the review of technical capability, data retention and national security notices, and amend existing regulations in relation to membership of the technical advisory board.

The regulations and code of practice have been informed by a 12-week public consultation which closed in January 2025. The Government received responses from a range of stakeholders, including interest groups, public authorities, technology companies, trade associations and members of the public. We made several changes following that consultation, including stylistic changes, further clarity on processes and changes to the technology advisory board’s membership requirement. A copy of the Government’s response to the consultation has been published and, should Members wish to see it, is available online or it will be at a future date.

To sum up, these regulations are a crucial step in implementing the 2024 Act. They will ensure that the UK’s investigatory powers framework continues to protect our national security and to prevent, investigate, disrupt and prosecute the most serious crimes. I commend the SI to the Committee.

Lord Davies of Gower (Con)

- Hansard -

Copy Link

- - Excerpts

My Lords, I thank the Minister for introducing these regulations. These regulations implement key provisions of the Investigatory Powers Act 2024, which was passed by the previous Conservative Government. These regulations introduce three codes of practice and revise five existing ones.

The new codes provide a framework for two regimes introduced by the 2024 Act— the treatment of bulk personal datasets where there is a low or no reasonable expectation of privacy, and the authorisation of access to third-party datasets. A third new code consolidates guidance on the notices regime, including the operation of notification notices and what constitutes a relevant change—a key test for when telecoms operators must inform the Secretary of State of technical updates.

The revised codes also enhance oversight and safeguards by clarifying the conditions for lawful access to data, strengthening protection for journalistic material and requiring notification of serious data breaches where it is in the public interest. These regulations also make important structural updates to the technical advisory board, expanding its membership and adjusting its quorum rules to ensure it can operate effectively when dealing with complex or concurrent reviews.

We welcome these provisions and, with that in mind, I raise several broader points. First, on legislative responsiveness, these regulations reflect the speed at which both threats and the technologies behind them are evolving. The 2024 Act rightly introduced flexible tools for handling internet connection records and bulk data. But agile legislation should not rely solely on periodic amendments. Can the Minister confirm whether the Government plan to conduct regular reviews of the framework and whether a structured timetable has been established to ensure that the legislation continues to meet operational needs?

Secondly, on stakeholder engagement, the Government’s consultation included contributions from technology companies, civil liberties organisations and public bodies. Although this engagement is welcome, several respondents raised concerns, particularly regarding the practical implications of notification notices and the definition of “relevant change”. Given that, can the Minister outline how the Government intend to maintain an open and ongoing dialogue with stakeholders as these codes are implemented?

Finally, on oversight and accountability, the powers under discussion are significant. Their legitimacy depends on effective safeguards; this is especially true for third-party bulk datasets, where individuals may not reasonably expect their data to be protected. Can the Minister confirm that the revised codes provide the Investigatory Powers Commissioner with the necessary clarity and authority to ensure that these powers are exercised lawfully and proportionately?

The 2024 Act was designed to safeguard national security in a rapidly evolving digital world. However, the use of investigatory powers must always be lawful, properly overseen and proportionate in its impact. Although these reforms offer practical steps to modernise the existing framework, we must ensure that these powers are used responsibly, reviewed regularly and held accountable, balancing security with our democratic values.