United Kingdom: Home Office adopted Code of Practice for Intelligence services’ use of third party bulk personal datasets

On 5 June 2025, the UK Home Office adopted the Intelligence Services' Use of Third-Party Bulk Personal Datasets Code of Practice, which provides procedural guidance for intelligence services on accessing and examining bulk personal datasets held by third parties. This code of practice relates to functions conferred by Part 7B of the Investigatory Powers Act, as inserted by section 5 of the Investigatory Powers (Amendment) Act 2024. A bulk personal dataset (BPD) is defined as a collection of personal data concerning numerous individuals, where the majority are not, and are unlikely to become, of intelligence interest. Part 7B applies when an intelligence service has 'relevant access' to a BPD held electronically by a third party, allowing in situ examination after an initial inspection. Applications for third-party bulk personal datasets (3PD) warrants are submitted to the Secretary of State by or on behalf of the Director General of the Security Service, the Chief of the Secret Intelligence Service, or the Director of the Government Communications Headquarters (GCHQ). Warrants require the Secretary of State's personal decision and Judicial Commissioner approval, unless urgent. Requisite safeguards ensure compliance with human rights protections, particularly Article 8 of the European Convention on Human Rights, which protects the right to privacy. The Code also mandates record-keeping, oversight, and reporting mechanisms, including the role of the Investigatory Powers Commissioner in auditing compliance and addressing errors. Furthermore, special provisions are detailed for sensitive information, such as legally privileged material, journalist sources, and communications involving members of a relevant legislature.