controls include: (i) training, audit and disciplinary procedures ... (ii)
heightened safeguards for sensitive categories of information."
66
The Respondents in the April Response set out what they submit to be the
adequate safeguards by way of protection against arbitrary conduct. As to both
BCD and BPD they recite the following: -(a) Detailed internal guidance on the requirements of necessity and
proportionality (having regard to the privacy of those whose data is
contained in the BPD) including the need to consider other, less
intrusive, methods of obtaining the information;
(b) Specific consideration of sensitive data and confidential data;
(c) A clear policy on the storage of and access to BPD;
(d) Specific retention periods and retention/deletion policies which
apply to BPD;
(e) Policies on the handling and disclosure of BPD;
(f) Clear guidance on the serious consequences of failure to comply
with the Handling Arrangements, which include disciplinary action,
including potentially dismissal, and prosecution;
(g) Training;
(h) Oversight, both internal and external."
Prior to avowal
67
The two significant questions to be asked in relation to the period prior to
avowal, in the light of the principles of ECHR jurisprudence which we have
set out, are as follows:
(i) Given that there were ‘under the waterline’ rules and arrangements,
was there sufficient foreseeability or accessibility, or ‘signposting’, to
comply with the requirements which we have set out above, as to (a)
the existence of BCD and BPD, (b) the nature of the controls over
them?
(ii) Whereas in Kennedy the ECtHR , and in Liberty/Privacy and
Greennet the Tribunal, was satisfied as to the degree and effectiveness
of oversight by independent Commissioners, does the same apply here,
or if there be an inadequacy of supervision, what is the effect on our
conclusion?
Foreseeability
68
As to foreseeability, we refer to what we said in Greennet with regard to
Computer Network Exploitation (CNE):
"81 ... [I]t is clear that prior to February 2015 there was no admission
that property interference by GCHQ (governed by the Property Code)
extended to CNE by the use of a s. 5 warrant ... Nevertheless it was
quite clear that at least since 1994 the powers of GCHQ have extended
to computer interference (under s. 3 of ISA). It was thus apparent in
27