compliance as to create a contravention of Article 8. This Tribunal sees it as
an important by-product of the exercise of its statutory function to encourage
continuing improvement in the procedures adopted by the Intelligence
Agencies, and their publication (and indeed such improvement took place as
a consequence of our judgments in Liberty/Privacy No 1, Liberty/Privacy No
2 and Belhadj), but it does not conclude that it is necessary, every time an
inadequacy, particularly an inadequate publication, is identified, to conclude
that that renders all previous conduct by the Respondents unlawful."
63

We are in this case addressing the issue of collection of personal data or
communications data in bulk. Contrary to the view set out by Sir Swinton
Thomas in the 2004 correspondence with the Home Office referred to in
paragraph 54 above, Article 8 is engaged by the transfer and storage of
communications data even if it is not accessed.

64

We have resolved the challenge to the domestic legality of BCD. There has
been no challenge to the domestic legality of the collection of BPD.
The relevant underlying statutory provisions apart from s.94 (ss 5 and 7 of ISA
1994 and ss 5, 8, 28, 29 and 43 of RIPA) both provide for and incorporate
safeguards, and there are relevant codes of practice (Covert Human
Intelligence Sources Codes of Practice (2002, 2010 and 2014), Covert
Surveillance and Property Interference Codes of Practice (2002, 2010 and
2014), the Equipment Interference Code of Practice (2016) and the
Interception of Communications Codes of Practice (2002 and 2016)).

65

The ISC described the position as to BPD in its March report:
"Internal controls.
161. The [SIAs] have told the Committee that the acquisition and use
of Bulk Personal Datasets is tightly controlled and that the HRA 'triple
test' (i.e. for a lawful purpose, necessary and proportionate) is
considered both at the point of acquisition, and also before any
specific searches are conducted against the data (which is when they
consider the principal intrusion into an individual's privacy to occur).
162. Senior staff are responsible for authorising the acquisition of
Bulk Personal Datasets. The Director General of MI5 explained:
" ... there are datasets that we deliberately choose not to reach for,
because we are not satisfied that there is a case to do it, in terms of
necessity and proportionality."
The [SIAs] each have a review panel, chaired by a senior official,
which meets every six months to review the Bulk Personal Datasets
currently held by the Agency. Within MI5 each Bulk Personal Dataset
has a different review period, depending on the level of intrusion and
corporate risk it carries. Datasets that are found not to have sufficient
operational value are deleted.
163. The [SIAs] have said that they apply strict policy and process
safeguards to control and regulate access to the datasets ... these
