Part Iii: Investigation of Electronic Data Protected by Encryption Etc
Section 49: Notices requiring disclosure
255.This section introduces a power to enable properly authorised persons (such as members of the law enforcement, security and intelligence agencies) to serve notices on individuals or bodies requiring the disclosure of protected (e.g. encrypted) information which they lawfully hold, or are likely to, in an intelligible form.
Intelligible is defined in section 56(3)
256.Subsection (1) limits the information to which this power to serve notices applies. It does so by defining the various means by which the protected information in question has been, or is likely to be, lawfully obtained. By way of illustration, this could be material:
seized under a judicial warrant (e.g. under the Police and Criminal Evidence Act 1984 (PACE));
intercepted under a warrant personally authorised by the Secretary of State under Chapter I of Part I of this Act;
lawfully obtained under an authorisation given under Chapter II of Part I or Part II of this Act;
lawfully obtained by an agency under their statutory functions but not under a warrant (e.g. under the Customs and Excise Management Act 1979); or
which has lawfully come into the possession of an agency but not by use of statutory functions (e.g. material which has been voluntarily handed over).
257.Subsection (2) states that persons with the “appropriate permission” (see Schedule 2) may serve a notice imposing a disclosure requirement in respect of the protected information in question if there are reasonable grounds for believing:
that the key to the relevant protected information is in the possession of the person on whom the notice is being served;
that serving a notice imposing a disclosure requirement is necessary for the reasons set out in subsection (3), or necessary for securing the effective exercise or proper performance of any statutory power or duty of a public authority;
that imposing a disclosure requirement is proportionate to what is sought to be achieved by doing so; and
that an intelligible version of the relevant protected information cannot be obtained by any other reasonable means.
key is defined in section 56(1)
possession of a key is defined in section 56(2)
258.Subsection (4) explains the format which notices must take.
259.The effect of subsections (5) and (6) is that, where applicable, notices must be served on a senior officer within a corporate body or firm.
Senior officer is defined in section 49(10)
260.Subsection (7) states that the requirement in subsections (5) and (6) does not apply where there are special circumstances to the case which mean that the purposes for which a notice is given would be defeated if it was served on a senior officer in an organisation (e.g. where that senior officer is a suspect in a criminal investigation).
261.Subsection (8) specifies the persons to whom a disclosure may be made by the recipient of a notice.
262.Subsection (9) ensures that a key which has been used solely for the purpose of generating electronic signatures does not have to be disclosed in response to a notice.
electronic signature is defined in section 56(1)
263.The effect of Schedule 2, which is introduced by subsection (11), is to set authorisation levels (described in Schedule 2) for permission to serve a notice under section 49. The level of authority required will vary depending on the power under which the protected information was, or is likely to be, lawfully obtained.
Section 50: Effect of notice imposing disclosure requirement
264.This section explains the effect of serving a notice imposing a disclosure requirement in various circumstances.
265.Subsection (1) applies where a person has, at the time a notice is served, possession of the relevant protected information and a means of accessing it and of disclosing it in an intelligible form. This means that they have the password, in the case of material protected by a password; or the decryption key in the case of encrypted material; or both, in the case of material protected in both ways. In these circumstances, the effect of imposing a disclosure requirement is, first, that the recipient of a notice may use any key in their possession to access the information or to put it into intelligible form; and, second, that they must disclose it in accordance with the terms of the notice.
266.Subsection (2) allows a person who is required to disclosure information in an intelligible form to instead disclose a relevant key if they so choose to do so.
267.The effect ofSubsection (3) is that where a notice is served on a person who does not have the relevant protected information in their possession; or cannot access the information without use of a key which is not in their possession; or the notice contains a direction that a key must be disclosed (as to which, see section 51), that person must disclose any key to the information that is in their possession at a relevant time. But this duty is qualified by subsections (4) to (6).
268.The Act does not prevent the person giving a section 49 notice from giving the recipient access to the protected information, in order to allow then to produce plain text rather than disclose a key.
Relevant time is defined in section 50(10)
269.The effect of Subsections (4) and (5) is that where a person served with a notice is entitled or obliged to disclose a key, they need only provide those keys which are sufficient to access the relevant information and to put it into intelligible form. And Subsection (6) further provides that such a person may choose which keys to provide, so long as they suffice to access the information and render it intelligible.
270.Subsection (7) requires a person served with a notice to disclose every key to the relevant protected information that is in their possession, subject to the provisions in subsections (5) and (6). It means that a person need only provide those keys which suffice to access the information and render it intelligible, and that they may choose which keys to provide to achieve that end.
271.The effect of Subsection (8) is that where a person served with a notice no longer possesses a key to the relevant protected information, they are to disclose all information that is in their possession that would facilitate the discovery of the key.
Section 51: Cases in which key required
272.This section sets out the extra tests to be fulfilled if a key is required to be disclosed rather than the disclosure of protected information in an intelligible form.
273.Subsection (1) states that a notice may not contain a statement that it can be complied with only by disclosing a key unless a direction to this effect has been given by the person giving permission for the notice to be served.
274.The effect of Subsections (2) and (3) is that a direction that a key must be disclosed given by the police, HM Customs and HM Forces must be given expressly by a person of the rank set out in this subsection (namely, Chief Officer of police or equivalent).
275.Subsection (4) provides that a person may only give a direction requiring the disclosure of a key if he believes that there are special circumstances to the case making this necessary; and that giving such a direction is proportionate to what is sought to be achieved by doing so.
276.Subsection (5) specifies that in deciding whether it is proportionate to require that a key be disclosed, consideration must be given to the sort of other information also protected by the key in question and any potential adverse impact on a business that might result from requiring that a key be disclosed.
277.The effect of Subsections (6) and (7) is that any direction to disclose a key given internally by the police, HM Customs or HM Forces must be notified, within 7 days, to the Intelligence Services Commissioner or the Chief Surveillance Commissioner, as appropriate.
Section 52: Arrangements for payments for disclosure
278.This section allows for payment arrangements to be made in order to compensate persons required to disclose information following service of a notice under section 49.
279. .Section 53: Failure to comply with a notice
280.This section creates an offence of failing to comply with the terms of a notice served under section 49.
281.Subsection (1) states that a person served with a notice is guilty of an offence if he knowingly fails to comply with the disclosure requirement contained in that notice.
282.The effect of Subsections (2) and (3) is that in proceedings against a person for an offence under this section, where it is shown that a person has been in possession of a key, that can lead to a conviction, but only if the person fails to raise some doubt as to whether he still had the key when the notice was given.
283.Subsection (4) allows a defence to a person who shows that it was not practicable to comply with the disclosure requirement placed upon him by the time he was required to do so but that he did what was required as soon as was reasonably practicable.
284.Subsection (5) specifies the maximum sentence for the offence of failing to comply with a notice. As regards financial penalties, there is no upper limit to fines set in the Crown Court (on conviction on indictment). In a Magistrates Court (on summary conviction) the maximum fine is £5,000.
Section 54: Tipping-off
285.This section creates an offence where the recipient of a notice (but only one which explicitly contains a secrecy requirement), or a person that becomes aware of it, tips off another that a notice has been served, or reveals its contents. This is designed to preserve, where necessary, the covert nature of an investigation by, for example, a law enforcement agency. It outlines various statutory defences.
286.Subsection (1) limits this offence to occasions where the notice served explicitly demands secrecy.
287.Subsection (2) specifies that the inclusion of a secrecy requirement in a notice must be authorised by the person giving permission for such a notice to be served (or where such a person has himself permission to serve a notice - e.g. a Superintendent in certain cases).
288.Subsection (3) places restrictions on the instances when such a requirement may be imposed.
289.Subsection (4) specifies the maximum sentence for the tipping-off offence. On conviction in the Crown Court, the maximum term of imprisonment is five years. The financial penalties are as for the offence set out in section 53.
290.Subsection (5) provides a defence where the tipping-off occurred entirely as a result of software designed to give an automatic warning that a key had been compromised and where, in addition, the defendant was unable to stop this from taking place after receiving the notice.
291.Subsections (6) and (7) provide a defence where a disclosure is made to or by a professional legal adviser as part of advice about the effect of the provisions of this part of the Act given to a client or his representative; or where a disclosure was made by a legal adviser in connection with any proceedings before a court or tribunal.
292.The effect of Subsection (8) is that the protection in Subsections (6) and (7) will not apply where a professional legal adviser tips off a client with a view to furthering any criminal purpose.
293.Subsection (9) provides a statutory defence where the disclosure is made to a Commissioner or authorised by:
a Commissioner;
the terms of the notice;
the person who gave the notice, or someone on his behalf; or
a person who is in possession of the data to which the notice relates, as described in section 49.
294.The effect of Subsection (9) is to ensure that, for example, persons within an organisation may be informed about a notice in order to give effect to the notice (e.g. accessing a key or plain text) without this falling foul of the tipping off offence.
295.Subsection (10) provides a statutory defence for a person told about a notice but not about the fact that there was a requirement for secrecy.
Section 55: General duties of specified authorities
296.This section describes the safeguards that must be in place for the protection of any material (e.g. a decryption key) handed over in response to the serving of a notice under this Act.
297.Subsection (1) ensures that the safeguard requirements apply to all those who may have responsibility for organisations that will handle material provided in response to a written notice. In the case of the security and intelligence agencies for example, this will mean the Secretary of State.
298.Subsection (2) places an onus on those identified to ensure that:
any material disclosed is used only for a purpose for which it may be required;
the uses to which the material is put are reasonable;
the use and any retention of the material are proportionate;
the requirements of subsection (3) are complied with;
that keys are stored in a secure manner; and
the material is destroyed as soon as it is no longer needed.
299.Subsection (3) specifies that the material is shared with the minimum number of people possible.
300.Subsection (4) imposes a civil liability in instances where seized keys are compromised by a failure of the safeguards arrangements in this section. There are two elements to this. Subsection (4)(a) is in respect of a person who fails to ensure that adequate arrangements are in place for the protection of keys. Subsection (4)(b) applies to where a person does not comply with those arrangements properly and compromises a key.
301.Subsection (5) describes the persons who may bring an action under the terms of this section. These are limited to persons who have made a disclosure in pursuance of a notice under section 49 or those whose protected information or key has been disclosed by some other person in pursuance of a notice.
Section 56: Interpretation of Part III
302.This section provides for the interpretation of various terms used in Part III of the Act.
