Consultation outcome

Investigatory Powers (Amendment) Act 2024: codes of practice and notices regulations (accessible)

Updated 24 March 2025

Ministerial foreword

The first duty of government is to keep the country safe – to defend our national security and protect our citizens from terrorism and serious crime.

In April this year, the Investigatory Powers (Amendment) Act 2024 received Royal Assent. The act makes targeted changes to the Investigatory Powers Act 2016 to enable intelligence agencies and law enforcement to continue to address a range of evolving threats in the face of new technologies and increasingly sophisticated threat actors.

The act seeks to ensure that the UK’s investigatory powers framework continues to protect our national security and to prevent, investigate, disrupt, and prosecute the most serious crimes. To achieve this, we need robust processes in place to ensure that our agencies can anticipate technological changes being developed by telecommunications operators and identify where these might negatively impact national security. To avoid retrospectively needing to mitigate threats, including from terrorists and child sexual abusers who may exploit such changes, it is essential we have established processes for constructive dialogue with relevant operators where necessary.

The investigatory powers regime is underpinned by important safeguards, ensuring that these powers are used in a necessary and proportionate way, and which places fundamental rights, such as respect for privacy, at their heart.

A core aspect of these safeguards is our oversight regime. The act has introduced measures which increase the resilience of the Investigatory Powers Commissioner’s Office (IPCO) to support the Investigatory Powers Commissioner to effectively carry out their functions. These changes enhance the robust independent oversight provided for in the Investigatory Powers Act 2016.

This consultation seeks views on three new codes of practice, which will provide further guidance on:

1. the operation of new Parts 7A (low / no bulk personal datasets) and 7B (third party bulk personal datasets) of the Investigatory Powers Act 2016.

2. consolidating all information on the operation of notices into a single code of practice.

3. proposed updates to five of the existing codes of practice – Bulk Personal Datasets under Part 7, Communications Data, Bulk Communications Data, Equipment Interference, and Interception – to implement changes made by the act, as well as wider updates to ensure that the codes remain fit for purposes. The codes set out how the powers should be exercised and set out the processes and safeguards governing their use, providing guidance to those using them.

This consultation provides the full text of the eight new and updated codes of practice. We wish to ensure that the powers operate as clearly and transparently as possible, and that those who make use of them understand their responsibilities. These codes have been developed in partnership with law enforcement and intelligence agencies who will be exercising the powers. IPCO, who support the Commissioner in his oversight of the regime, have also been part of the early engagement on the draft codes.

In addition to the new and amended codes, this consultation also seeks views on new regulations related to the notices regime. This is to ensure that the new measures are operationalised in an appropriate way for both those using the investigatory powers and those telecommunications operators who may be affected by the changes. 

It’s imperative that our intelligence and law enforcement agencies have the tools that they need to keep the country safe. The changes made by the Investigatory Powers (Amendment) Act 2024 help ensure this remains the case, and the new and updated codes of practice will ensure that there is the necessary clarity on the operation of investigatory powers which will give the public trust in their continued use.

We are grateful for your ongoing engagement and look forward to receiving your feedback to this consultation.

Dan Jarvis MBE MP

Security Minister

About this consultation

Representations are welcomed from public authorities who have powers under the Investigatory Powers Act 2016, organisations whose services could be affected by the Investigatory Powers (Amendment) Act 2024, professional bodies, interest groups, academia and the wider public.

Duration: from 14 October 2024 to 6 January 2025 (12 weeks).

Enquiries (including requests for the paper in an alternative format) to: ipaconsultation@homeoffice.gov.uk

Responses will be analysed and a consultation response document will be published.

All responses will be treated as public, unless stated otherwise.

How to respond

Representations can be submitted by email:

ipaconsultation@homeoffice.gov.uk

Or by post:

IPA codes of practice consultation
Fifth floor
Peel Building
Home Office
2 Marsham Street
London
SW1P 4DF

Background

This consultation covers one set of regulations and eight codes of practice.

The regulations covered within this consultation are The Investigatory Powers (Notification Notices, Review Periods and Technical Advisory Board) Regulations.

These regulations amend the existing Investigatory Powers (Review of Notices and Technical Advisory Board) Regulations 2018 to reflect the changes in the Investigatory Powers (Amendment) Act 2024 (the 2024 Act) and provide for the new notification notices.

Some of the detail is reflected within the regulations and some of it within the codes. This is because the two documents serve different purposes. We, therefore, ask that in responding to the consultation, both elements are taken into account.

Input provided by operational partners, telecommunications operators and parliamentarians during the passage of the 2024 Act has been taken into consideration when preparing the codes of practice and the regulations.

What are the codes of practice?

The codes of practice are primarily intended to guide those public authorities that exercise powers and perform duties under the Investigatory Powers Act 2016 (IPA).

The codes set out the processes and safeguards governing the use of the powers by public authorities, including the police and security and intelligence agencies. They give detail on how the powers should be exercised and duties performed, including examples of best practice. They are intended to provide additional clarity and to ensure the highest standards of professionalism and compliance with the legislation.

A code of practice issued under the IPA has statutory force and individuals exercising powers and performing duties to which the code relates must have regard to it. The code is admissible as evidence in criminal and civil proceedings and may be taken into account by any court, tribunal or supervisory authority when determining a question arising in connection with those powers and duties.

Why are we consulting?

Under the IPA, the Secretary of State is required to issue codes of practice about the exercise of powers and performance of duties under the act.

Prior to issuing any code, the Secretary of State must prepare and publish a draft of it. The Secretary of State must also consider any representations made about the draft revised code and may modify the draft accordingly.

This consultation fulfils that requirement. The revised codes come into force in accordance with regulations made by the Secretary of State and the statutory instrument containing such regulations must be laid before Parliament for approval.

What are the new codes of practice?

Three new codes of practice are being consulted on for regimes brought about by the 2024 Act. The first is a code for Part 7A (Bulk Personal Datasets with low or no expectation of privacy), the second is for Part 7B (Third Party Bulk Personal Datasets), and the third consolidates all existing content related to notices into a single code of practice, as well as providing further detail on new notices provisions introduced by the 2024 Act.

Further detail on each is outlined below.

Which codes of practice are being updated?

This consultation covers the updates to five existing codes of practice: Bulk Personal Datasets under Part 7, Communications Data, Bulk Communications Data, Equipment Interference, and Interception.

Previously, whilst national security notices had a standalone code, data retention notices and technical capability notices were covered within other relevant codes. We felt it was most appropriate for ensuring transparency and clarity on the notices regime to create one single code on all the notices, bringing together existing content and the updates necessitated by the 2024 Act. As such, all content on notices has been removed from the other codes we are consulting on here.

The codes of practice, both new and updated, can be found as Annexes to the consultation.

Codes of practice

We are consulting on eight new or updated codes of practice, which can be found at Annexes A to H. Below is a summary of what is covered by the new codes and the changes being made to the existing codes.

New codes of practice

Part 7A (Bulk Personal Datasets with a Low or No Expectation of Privacy)

A bulk personal dataset (BPD) is defined in Part 7 of the IPA as a set of information that includes personal data relating to a number of individuals where the nature of the dataset is such that the majority of the individuals are unlikely to be, or to become, of interest to the intelligence services, and that is retained electronically by an intelligence service and held for analysis in the exercise of its statutory functions.

The 2024 Act inserted a new regime into the IPA – Part 7A – enabling the intelligence agencies to make more effective and efficient use of datasets in respect of which individuals have a low or no expectation of privacy. This code of practice (which can be found at Annex A) sets out how this new regime should be implemented.

Part 7B (Third Party Bulk Personal Datasets)

A third party bulk personal dataset (3PD) is a dataset which would fall within Part 7 of the IPA if an intelligence service were to retain it, but which is instead held by a third party (such as government departments or commercial entities).

The 2024 Act inserted a new 3PD regime into the IPA – Part 7B – that would apply where an intelligence service has relevant access to the 3PD and examines it in situ (that is, on the third party’s systems) for the purpose of their statutory functions (see the Security Service Act 1989 and the Intelligence Services Act 1994). This code of practice (which can be found at Annex B) sets out how this new regime should be implemented.

Notices

Much of this code of practice is not new – previously, there was a code of practice for national security notices, whereas data retention notices and technical capability notices were covered within other relevant codes of practice (for communications data, interception, equipment interference and bulk communications data).

After consideration, we decided that rather than create a further separate code of practice for notification notices and then reflect within the other codes the other changes from the 2024 Act, it was most appropriate for ensuring transparency and clarity on the regime to create one single code on all notices.

The code of practice being consulted on is, therefore, a combination of text from the existing codes of practice, which has itself been previously consulted on as required by the IPA, and new text covering the amendments made to the notices regimes in the 2024 Act.

The most significant new elements proposed within the code of practice relate to the changes from the 2024 Act. Within the code these are:

• 2.1: Telecommunications operator and postal operator. This change reflects the revised definition of a telecommunications operator.    
• 12.3 and 12.6-12.9: Referral of a data retention, technical capability or national security notice for review. These changes reflect the amendments to the notice review process in the 2024 Act.
• 14.31-14.34: Renewal of data retention, technical capability and national security notices. These new paragraphs explain the new renewal process for notices.
• Chapter 7: Notification notices. This new section covers:
  • relevant changes that could be in scope of a notification notice
  • confirms the position taken throughout the 2024 Act’s Parliamentary passage that security patches are not in scope of a notification notice
  • explains the process of consultation and the giving of a notification notice, including the factors for consideration by the Secretary of State; and
  • explains the process for notification once a notice is in place and the variation and revocation of a notification notice

There are also changes within the code to reflect the adjustments necessary to bring the language from the previous codes together – these are consistency amendments rather than ones of substance. For example, ensuring all relevant notices are covered by certain paragraphs by including data retention notices alongside technical capability notices and national security notices. As the text in the previous codes was near identical, these changes have not introduced new process or changed the previous application of the code.

It should be noted that Chapter 8 regarding oversight is a reflection of the other codes (where the language will also remain) to ensure that the oversight regime is sufficiently clear when the code is read.

Updated codes of practice

Part 7 (Bulk Personal Datasets)

Updates are being made to the Part 7 code (which can be found at Annex C) both to reflect changes to the IPA made by the 2024 Act and to make small changes to other aspects of the code to ensure it continues to provide comprehensive guidance on the application of the powers and for consistency across codes.

The 2024 Act amended the IPA to allow for the extension of a BPD warrant from 6 to 12 months, and to make clear that agency heads can delegate certain existing functions in relation to BPD warrants.

Bulk Communications Data

The Bulk Communications Data Code, which can be found at Annex D, is being updated to reflect an amendment made to the IPA by the 2024 Act which makes provision for the Investigatory Powers Commissioner (IPC) to notify affected individuals of serious personal data breaches relating to warrants issued under the IPA, if the IPC determines it is in the public interest to do so. The Communications Data, Interception, and Equipment Interference codes are also being updated to reflect this change.

Communications Data

Updates are being made to the Communications Data Code (which can be found at Annex E) both to reflect changes to the IPA made by the 2024 Act and to make changes to other aspects of the code to ensure it continues to provide comprehensive guidance on the application of the powers and for consistency across codes.

The code is being updated to reflect the following amendments made by the 2024 Act:

• Changes to section 11 IPA, firstly to define ‘lawful authority’ for the purposes of the section 11 offence of acquiring communications data without lawful authority, and secondly to remove from the scope of section 11 the sharing communications data between public authorities where the public authority providing the communications data is also a telecommunications operator.
• Changes to section 12 IPA to restore regulatory and supervisory information gathering powers to public authorities listed on Schedule 4 and new Schedule 2A of the IPA.
• Changes to section 261 IPA to remove any potential ambiguity by setting out that subscriber and account data amount to communications data when it is to assist in the identification of an entity.
• Adding new condition D to the existing list of conditions A to C for the use of Internet Connection Records (ICRs) at section 62 IPA.

Equipment Interference and Interception

Updates are being made to the Interception (Annex F) and Equipment Interference (Annex G) codes both to reflect changes to the IPA made by the 2024 Act and to make small changes to other aspects of the codes to ensure they continue to provide comprehensive guidance on the application of the powers and for consistency across codes.

The codes are being updated to reflect the following amendments made by the 2024 Act:

• Making provision for the Prime Minister to select a cadre of five Secretaries of State who will be empowered to exercise the Prime Minister’s power to provide for the authorisation of targeted interception (TI), targeted examination or targeted equipment interference (TEI) warrants which would provide for access to the communications of a member of a relevant legislature, where the Prime Minister is incapacitated or unable to access secure communications.
• Adding a deputy director general of the National Crime Agency to the list of law enforcement chiefs who are able to delegate the function of considering TEI applications under section 106 IPA, to appropriate delegates (as described in the table in Part 1 of Schedule 6 IPA) in urgent cases.
• Changing the processes associated with the removal of a subject from a TEI warrant which would have the effect of removing the requirement to notify the Secretary of State at the point of the removal of the subject.
• Minor changes to Schedule 3 to allow parole commissioners for Northern Ireland the opportunity to review intercepted materials in certain circumstances and enable coroners and legal advisors conducting inquests and inquiries into deaths in both Northern Ireland and Scotland to access intercepted materials.
• Strengthening the safeguards for confidential journalistic materials in the bulk equipment interference regime, requiring prior independent authorisation by the IPC before criteria (for finding confidential journalistic material or identifying a journalistic source) can be used for selection for examination.

Further changes being made to the code, to add clarity, which are not related to the 2024 Act include:

• updates to the definition of spiritual counselling to ensure that it represents all types of religion and belief
• strengthening the safeguards for confidential journalistic materials in the bulk interception regime
• updates to the process for authorising urgent EI warrant applications for law enforcement chiefs and their appropriate delegates
• updates to the process regarding the duration of a warrant when one part of a combined warrant is cancelled
• further clarity to the codes about the statutory basis and requirements for lawful postal interception
• providing details about the ‘host nation authority’ process for the authorisation of equipment interference warrants engaging or overseas equipment

Regulations

What are regulations?

Regulations are a type of secondary legislation. Secondary legislation is law created by ministers (or other bodies) under powers given to them by an Act of Parliament (in this case the IPA, as amended by the 2024 Act).

Secondary legislation fills in the details of acts. These details provide practical measures that enable the law to be enforced and to operate effectively. 

The IPA (as amended by the 2024 Act) requires the draft regulations being consulted on to subsequently go through the affirmative procedure. This means a debate and vote on them in each of the Houses of Parliament is required before they can be made and come into effect. When the regulations are laid in Parliament an explanatory memorandum will be published alongside them.

The amendments made by the 2024 Act to the IPA provide the power to the Secretary of State to make regulations relating specifically to notification notices. This power includes a power to specify in regulations what a ‘relevant change’ is that may be subject to a notification notice given by the Secretary of State to a telecommunications operator.  The power to specify these changes includes the power to “specify changes by reference to the impact of the changes on the capability of a relevant operator to provide any assistance which the operator may be required to provide in relation to any warrant, authorisation or notice issued or given under this act.”

The Investigatory Powers (Review of Notices and Technical Advisory Board) Regulations 2018

The current Investigatory Powers (Review of Notices and Technical Advisory Board) Regulations 2018 (SI/2018/354) set out the period and circumstances in which a person given a notice under the 2016 Act can refer that notice to the Secretary of State for review. These regulations also set out what the membership of the technical advisory board (TAB) must be.

Review of technical capability, data retention and national security notices

If the Secretary of State wishes to give an operator a notice, they are first legally obliged to consult the operator. Following this consultation, assuming there is still a requirement to give a notice, the notice is ‘double-locked’ (i.e. the decision is made by the Secretary of State to issue the notice and that decision is then approved (or not) by a judicial commissioner). Once the judicial commissioner has approved the Secretary of State’s decision, the notice is then formally given to the operator. At this point, the notice comes into effect.

Once the notice has been given to the operator, if dissatisfied they have 28 days to request a review of the notice by the Secretary of State, either in whole or in part. There is no requirement for the operator to request a review of a notice, it is entirely at their discretion.

The process for the review of a notice is laid out in the IPA. It states that a judicial commissioner (in practice this will be a different one from the judicial commissioner who was part of the original double-lock) must consider the proportionality of the notice. The TAB (explained in more detail in the section below) must consider the technical requirements and financial consequences of the notice.

In considering these matters, both the judicial commissioner and the TAB must give the operator and the Secretary of State the opportunity to make representations to them before reaching their conclusions. These conclusions are then considered by the Secretary of State as they decide whether to vary, revoke or give the notice. That decision on the notice is then double locked again, either by approval by the Investigatory Powers Commissioner or delegated to one of the assigned deputies, in circumstances where the Commissioner is unable to do so. In the latter scenario, approval would be by a different judicial commissioner (who is also a deputy investigatory powers commissioner) to either of the other two previously involved in the notice process.

The 2024 Act introduced some amendments to the review process. These provide that the notice has effect during the review period and give the judicial commissioner direction making powers to manage the representations made to them by the telecommunications operator and the Secretary of State as well as the power to disregard representations made outside the timelines set out in the directions.   

Additionally, section 90(5A) and (11A) and section 257(4A) and (10A) of the IPA, which were inserted by the 2024 Act, introduce new regulation-making powers.  These powers enable the Secretary of State to amend the existing regulations ^{[footnote 1]} relating to a review of a notice under sections 90(1) and 257(1) of the IPA, to specify the periods of time which various stages in the review process can take.

The first of these periods is ‘the review period’ ^{[footnote 2]}. The review period is defined in the draft regulations as the point at which an operator requests the Secretary of State to review a notice, up until the point the Secretary of State, having received the reports from both the TAB and the judicial commissioner, decides whether to revoke, vary or give the notice confirming its effect. The review period can only be extended by the agreement of the Secretary of State, the judicial commissioner and the operator. The draft regulations propose this period is set at 180 calendar days.

This would mean that, if the review period needed to be extended beyond 180 days, for example, if the judicial commissioner still required further representations from the operator and the Secretary of State due to the complexity of the issue, then by agreement of the three parties, the review period could be extended. The length of this extension is left at their collective discretion given the unique nature of each review. Further extensions can also be agreed where necessary.

The second of these periods is ‘the relevant period’. The relevant period is a subsection of the review period and is defined by the draft regulations as the point at which the Secretary of State receives reports from both the TAB and the judicial commissioner, up until the point they decide whether to revoke, vary or give the notice. The draft regulations propose to set this period at 30 calendar days.

This relevant period can be unilaterally extended by the Secretary of State in exceptional circumstances (examples of which are provided in the code: for example, a change of holder of the office of Secretary of State or where there is a terrorist incident or other national security emergency). However, if this extension would exceed the review period, then the extension cannot be unilateral, and the agreement of the judicial commissioner and the operator is required.

This would mean that, if the Secretary of State received the two reports at 110 calendar days, without extension, the review would need to be concluded at 140 calendar days. If the Secretary of State wanted to extend the review, due to exceptional circumstances, they could do so up to 180 calendar days unilaterally (which in this example would be a 40-day extension). However, if it was necessary for the relevant period to go beyond that point, they would need to seek agreement from the judicial commissioner and the operator.

A diagram is provided at the end of this section of the document to illustrate these two periods further.

Technical advisory board (TAB)

The TAB is a non-departmental public body which was first established under the Regulation of Investigatory Powers Act 2000 and is now maintained under the IPA, with members appointed by the Secretary of State. The IPA requires that the membership of the TAB includes persons able to represent the interests of those on whom obligations may be imposed by virtue of the notices, those able to represent the interests of persons entitled to apply for warrants under the IPA, and any further appropriate persons. Section 245 of the IPA specifies that details regarding the TAB (e.g. relating to membership) may be laid down in regulations.

Under the Investigatory Powers (Review of Notices and Technical Advisory Board) Regulations 2018, the TAB currently must consist of at least thirteen members but no more than fifteen members.

Six of these members (and no more) must be a person on whom obligations may be imposed by virtue of retention notices, national security notices and technical capability notices (or a person representing the interests of such persons), known informally as ‘Industry members’. Six of these members (and no more) must be a person entitled to apply for warrants under the IPA (or a person representing the interests of such persons), known informally as ‘government members’.

One member (and two further members may be appointed) must be independent to either of these groupings, to whom neither of these characteristics apply, informally known as ‘Independent members’.

All members of the TAB must hold appropriate security clearance.

Under the existing regulations, quorum for the TAB consists of three members from Industry, three members from government and one independent member (3:3:1). Taken with the overall minimum for the TAB of thirteen members, this means the TAB cannot currently consider concurrent reviews, unless more than one independent member is appointed.  

As TAB members are publicly appointed and not remunerated for their work (save the Chair) they have to balance work and obligations outside of the TAB alongside their work on the review. This means that, while the TAB (constituted with more one independent member) may undertake two reviews at the same time, it is unlikely under current rules that they would feasibly be able to do so due to insufficient membership.

When further taking into the account the impact of the changes to the timeline of a review, as introduced by the 2024 Act and explained above, it is clear that there is a need to provide the TAB with greater resilience and to ensure that there are no adverse effects on operators due to the current limitation of its membership capacity. The draft regulations, therefore, propose removing the requirement that the TAB should be limited to a maximum of fifteen members. This would allow the TAB to increase appointments of members with legal and technical expertise.

We also propose removing the minimum number of thirteen members. The minimum requirements of the TAB review board (3:3:1) will remain in the quorum requirement, so this adjustment will not affect the balance of those conducting a review - it will simply provide greater flexibility for the TAB and its ability to conduct reviews, should members withdraw from membership altogether at short notice.

Lastly, the draft regulations propose to alter the specific quorum requirement of 3:3:1. We would maintain this ratio as the minimum requirement for quorum, but also introduce a broader requirement that quorum must be balanced. This would allow for ratios with a larger membership pool, if it were deemed necessary for the purpose of a particular review (e.g. 4:4:1, 5:5:1 etc.). We believe this change is beneficial not only to the TAB but to all those involved in the process by ensuring the appropriate expertise can be brought to bear during a review.

Notice review timeline

Steps of a review

Review period

1. Operator requests the Secretary of State review all, or part, of a notice.

2. Judicial commissioner and the technical advisory board prepare their reports. Both the operator and Secretary of State are able to make representations to them as part of their evidence gathering process.

3. The Investigatory Powers (Amendment) Act amended the judicial commissioner’s powers for this part of the process allowing them to give directions to both parties and to disregard representations made outside the timelines laid out in the directions.

4. On receipt of the two reports, the Secretary of State makes the decision to vary, give or revoke the notice.

End of review period.

The review period can only be extended if the Secretary of State, the operator and the judicial commissioner agree to the extension.

The relevant period can only be extended in ‘exceptional circumstances’ by the Secretary of State. However, this extension cannot exceed the total time of the review period without the required extension agreement for that.

5. The Investigatory Powers Commissioner provides the final double lock (if required).

6. The Investigatory Powers (Amendment) Act amended this to allow the two deputy Investigatory Powers Commissioners to also make this final determination in circumstances where the Investigatory Powers Commissioner is unable or unavailable to fulfil this function.

What is covered on notification notices in the draft regulations?

The notification of proposed changes is an obligation that can be placed on relevant operators that provide, or may be expected to provide, lawful access of significant operational value, to inform the Secretary of State of technical changes that they are intending to make which could affect lawful access capabilities.

The 2024 Act introduces a delegated power for the Secretary of State to set out in regulations further details regarding relevant changes and associated thresholds that may trigger the Secretary of State to issue a notification notice to an operator under section 21.

During the passage of the 2024 Act, we published a policy statement on draft regulations for the notification of proposed changes to telecommunication services. These regulations build on that policy statement.

The regulations set out details of the changes which could amount to a ‘relevant change’ and so be the subject of a notification notice under section 258A of the IPA. An operator will only be required to notify the Secretary of State of these changes if they impact lawful access capabilities of the services or systems set out in the confidential specification. As each notification notice will be unique to the operator in question, it is possible that only some of these changes will be covered in a notice and there is no requirement for them all to be within a notice. This is to ensure the necessity and proportionality of the notice.

We anticipate that notification notices will be issued to a very small number of those operators in scope of the IPA.

Finally, the regulations lay out that when conducting this assessment, the criteria that must be considered includes, but is not limited to:

• the current or expected number of warrants, authorisations or requests issued to the operator under the IPA
• the operational importance of the data provided under the previous bullet
• the types of services the operator provides
• the customer base of the operator
• the market share of the operator

Footnotes

1. Investigatory Powers (Review of Notices and Technical Advisory Board) Regulations 2018 (SI 2018/354) ↩

2. See regulation 6 of the draft regulations. ↩