Investigatory Powers Act

The Investigatory Powers Act 2016 (IPA) is UK legislation that governs the use of surveillance and investigatory powers by public authorities, including intelligence agencies, law enforcement, and various government departments.

The Act details how these bodies can collect communications data, interfere with equipment, and intercept communications for the express purpose of surveillance.

Nicknamed the “Snoopers’ Charter” by critics, the IPA is a controversial Act, with many claiming it infringes on individual rights and civil liberties. On the other hand, its advocates argue it is a critical tool for maintaining national security and fighting terrorism.

Businesses handling sensitive or customer data must understand the IPA for compliance purposes. Compliance is not only a legal necessity but also builds trust with customers by demonstrating commitment to data protection.

Cyera plays a key role in helping companies assess data risk and maintain compliance readiness in complex regulatory landscapes, including the IPA. 

Why Was the Investigatory Powers Act Introduced?

The IPA was introduced to modernize the UK’s surveillance laws, which had become outdated due to rapid advancements in communication technology over the past couple of decades.

Mobile phones, SMS messages, encrypted messaging apps, cloud storage, and internet browsing were not adequately covered by the outdated frameworks in place at the time.

Authorities needed clearer and more comprehensive legislation to address the modern ways in which people communicate and store data.

Before the IPA was introduced, surveillance activities were governed by the Regulation of Investigatory Powers Act 2000 (RIPA) and various provisions under the Telecommunications Act 1984.

These laws lacked clarity and the scope to cover new digital technologies. Therefore, the IPA was created to consolidate and expand these legacy laws into one unified framework.

Essentially, the IPA's goals are to:

  • Equip law enforcement and intelligence agencies with the right tools to prevent and respond to national security threats.
  • Create formal authorization and oversight mechanisms, including the role of the Investigatory Powers Commissioner, to increase accountability and uphold the lawful use of surveillance powers.
  • Address gaps in digital data interception and internet connection records. This centers on the interception of online communications and the retention of internet connection records and metadata.

Core Provisions and Powers Under the IPA

It should be understood that the IPA's powers are broad and far-reaching, extending into UK businesses, households, and even entities outside the UK.

The main provisions under the IPA are:

  • Targeted interception of communications (subject to both Secretary of State and judicial approval), such as phone calls, emails, and other methods.
  • Bulk collection of metadata and personal datasets, including records of individuals who aren’t under direct suspicion.
  • Mandatory retention of Internet Connection Records (ICRs) by Communication Service Providers (CSPs), tracking websites and services accessed by users.
  • Equipment interference (also known as lawful hacking), including remote access to computers, phones, and networks.

CSPs are legally required to support investigations, including through Technical Capability Notices, which may involve decrypting data or enabling real-time interception to assist authorities. 

Oversight and Safeguards: How Is IPA Controlled?

Given the far-reaching powers of the IPA, several layers of oversight have been established to maintain accountability and the lawful use of its provisions.

The most intrusive surveillance methods are subject to a double-lock approval process, where a Secretary of State and a Judicial Commissioner must each independently review and approve the decision before it takes effect.

The Investigatory Powers Commissioner conducts regular audits of public authorities’ use of IPA powers, reporting annually to Parliament on compliance issues or misuse to maintain transparency.  

Additional protections apply when surveilling sensitive professions, such as journalists, lawyers, or Members of Parliament, to protect fundamental rights like free speech and legal privilege.

It’s important to note that, in 2024, the IPA was updated to give oversight bodies more flexibility in reviewing surveillance decisions, keeping pace with technological advances and changing global circumstances.

Who Can Access Data Under the IPA?

Those who can access data under the IPA are primarily involved in national security, crime investigations, and law enforcement.

For example, UK intelligence agencies have investigatory powers, including:

  • MI5: the UK security service
  • MI6: the UK secret intelligence service
  • GCHQ: the UK government communications headquarters

All UK police divisions can request data to aid criminal investigations, as can the National Crime Agency, a central body for tackling organized crime and cybercrime.

HM Revenue & Customs can request data to aid investigations related to tax evasion and customs fraud. The Home Office can use IPA powers for immigration enforcement and border security purposes. The Department for Work and Pensions can access data for investigating benefit fraud and related offenses, and the Ministry of Defence requires surveillance powers for military security, counter-intelligence, and protection of defense assets.

Additional organizations with varying levels of access include the Financial Conduct Authority, the Serious Fraud Office, local authorities for specific purposes, and various regulatory bodies investigating serious crimes within their jurisdiction.

These entities do not need a warrant to access ICRs. The request simply requires approval by a "designated senior officer" within the organization, and the purpose for access must be related to:

  • Detecting or preventing serious crime
  • Protecting national security
  • Locating missing persons

Controversies and Public Debate

While the UK government views the IPA as essential for public safety, civil liberties groups have raised serious concerns over mass surveillance of innocent individuals and authority overreach.

The main concern of critics is the erosion of fundamental rights, including the right to privacy and freedom of expression.

In 2018, the UK High Court ruled that parts of the Act violated EU law, especially regarding access to retained communications data without approval. 

As a result, the Act was amended to comply with legal standards. Since the UK exited the EU in 2020, these amendments have been rolled back somewhat, causing further concern.

Widespread public backlash against the Act has resulted in petitions for reform or repeal, media investigations, and campaigns by civil society groups who advocate for more transparency and oversight.

On the other side, supporters of the Act claim that the IPA enhances transparency and oversight of practices occurring under the legacy laws, arguing it equips authorities to protect society in a digital age where threats are increasingly complex.

Recent Amendments: What Changed in 2024?

In 2024, the IPA was reformed again, introducing several significant updates. These included:

  • New notice requirements for tech companies, such as network providers and communication services. They must now notify the UK government before introducing certain changes to their services, especially if they affect their ability to comply with requests under the IPA.
  • Communication providers must notify the Investigatory Powers Commissioner (IPC) of any personal data breaches.
  • Intelligence agencies now have expanded powers that include broader access to bulk data sets, especially where individuals have little or no expectation of privacy, for example data that is already public or readily available.
  • The expanded powers also include broader access to ICRs.

Importantly, there has been a clarification that overseas companies serving UK users are considered “telecommunications operators” and are now subject to IPA compliance requirements regardless of where they are based.

Other amendments have created widespread concern, particularly over the following:

  • The removal of the double-lock safeguard in certain cases.
  • Reduced judicial oversight of certain government-issued orders or notices.
  • A high concentration of power in the Secretary of State, potentially reducing accountability.

Why Should Businesses and Security Teams Care?

The IPA directly impacts any business that handles data and digital communications. Since compliance is mandatory, all organizations have to be prepared for requests to hand over, or provide access to, information under the IPA.

Companies may be required to:

  • Assist authorities or hand over sensitive data. This includes intercepting communications, disclosing stored data, and installing surveillance technologies.
  • Balance IPA demands with data security compliance obligations under GDPR and other global laws, which adds complexity to maintaining compliance.
  • Manage reputational and operational risks, especially for tech and cloud providers, if customers become aware of surveillance practices.
  • Maintain clear visibility into data flows and third-party risks through automated controls and audits.

Best Practices for Organizations Navigating IPA Requirements

To operate in compliance with the IPA, organizations must proactively manage data risk and the Act’s legal requirements.

Relying on reactive measures is not enough. Instead, businesses should implement consistent processes supported by tools that promote data governance and audit preparedness. 

These processes include:

  • Conducting regular data risk assessments to map sensitive data.
  • Maintaining clear governance over encryption, access controls, and lawful access requests.
  • Maintaining an audit trail of compliance activities.
  • Educating staff on data handling obligations and escalation procedures.
  • Continuously monitoring and adapting to changes in UK, EU, and global regulations.

Using a data security platform like Cyera simplifies compliance by automating data classification, monitoring access points, and tracking user activity in real time. 

The centralized compliance dashboards flag risk and audit readiness, while policy enforcement aligned with IPA obligations is embedded into the system.

How Cyera Supports Organizations Facing IPA Challenges

With the right system in place, tackling IPA requirements is significantly easier. 

Cyera was built to:

  • Classify, govern, and protect sensitive data across cloud and hybrid environments.
  • Provide visibility into access requests and third-party data movements.
  • Automate compliance monitoring and alerting for potential violations.
  • Equip teams with tools to build adaptable, resilient compliance frameworks.

With Cyera, organizations gain the ability and control needed to respond confidently to IPA requirements without compromising data security or operational standards.

Make Privacy and Compliance a Competitive Advantage

It’s not enough to simply be aware of the IPA and other regulatory and compliance frameworks. 

Organizations have to take a proactive stance and implement systems that meet current standards while adapting to regulatory changes.

We invite you to experience Cyera’s solutions for privacy, security, and compliance firsthand.

Schedule a demo today and run a free data risk assessment to see how your organization can benefit from a proactive approach to compliance.