On 6 June 2025, the Code of Practice for handling bulk personal datasets with low or no reasonable expectation of privacy entered into force. The Code provides guidance to the Security Service, Secret Intelligence Service, and Government Communications Headquarters, referred to as the intelligence services, regarding procedures for exercising powers under Part 7A of the Investigatory Powers Act 2016. Specifically, it addresses the collection, retention, and examination of bulk personal datasets (BPDs) where individuals have a low or no reasonable expectation of privacy.
A BPD is defined as a large set of electronically held information containing personal data from numerous individuals, where the majority are not of intelligence interest and manual processing is unfeasible. Intelligence services may opt for Part 7A when dealing with publicly available datasets, including professionally published news articles. Authorisation for the retention or examination of such datasets is mandated under Part 7 or Part 7A of the Act, with Part 7A requiring an individual authorisation, typically subject to prior Judicial Commissioner approval, unless specific exceptions apply.
The determination of a low or no reasonable expectation of privacy is a context-specific judgment considering factors such as the data's nature, its public dissemination, the presence of editorial control, its status in the public domain, and prior public use. Safeguards for datasets retained or examined under Part 7A include adherence to lawful, specified, and legitimate purposes, necessity and proportionality, proportionate security measures, and diligent record-keeping, with the Code also containing provisions on oversight and error reporting. The Investigatory Powers Commissioner is responsible for monitoring compliance and conducting audits, and intelligence agencies must submit annual reports to the Secretary of State, who will inform Parliament's Intelligence and Security Committee.
The discovery of information of particular sensitivity within a dataset post-authorisation necessitates specific handling protocols, which may include cancelling the existing authorisation or pursuing re-authorisation under Part 7.