the public domain that there was likely to be interference with
computers, 'hacking' being an ever more familiar activity, namely
interference with property by GCHQ (and see in particular the 1990
Hansard references ...), and that if it occurred it would be covered by
the Property Code. Use of it was thus foreseeable, even if the precise
form of it and the existence of its use was not admitted."
69
The Respondents submitted in paragraph 66 of their Skeleton Argument that:
"This applies with equal force to the present case where:
(a) although the use of s. 94 to obtain BCD had not been publicly
avowed, it was nonetheless foreseeable, because (i) GCHQ and MI5's
acquisition of communications data in more general terms was
publicly known (albeit pursuant to a warrant issued under s. 8(4) of
RIPA or by an authorisation under Part 1 Chapter II of RIPA). There
was therefore nothing secret about the essential activity of acquisition
of such data by those agencies; and (ii) s94 itself clearly extended to
requiring [PSENs] to provide BCD in the interests of national
security; and
(b) although the use by the SIA of Bulk Personal Datasets had not
been avowed, the acquisition of personal data in bulk was foreseeable
because (i) the Respondents' powers to obtain information clearly
extend to obtaining personal data; (ii) the acquisition of large
volumes of such personal information was also foreseeable, albeit
subject to statutory requirements of necessity and proportionality; and
(iii) the inclusion within such bulk personal data of information
relating to individuals who were unlikely to be of intelligence interest
(which would include, for instance, a telephone directory or electoral
roll) was also foreseeable, again subject to the requirement that any
acquisition of such data was necessary and proportionate; and
(c) in both cases, the use of BCD/BPD was foreseeable "even if the
precise form of it and the existence of its use was not admitted."
70
The situation here in our judgment is however quite distinct. In that case there
was a Property Code. In this case there were, at the relevant times, no Codes
of Practice relating to either BCD or BPD, or anything approximating to
them. Interception, even bulk interception, by warrant was sufficiently known
about, but this is a long way from BCD or BPD. At least in the case of BPD,
concern was expressed, emanating from the SIAs themselves, in the
Respondents’ own documents now disclosed during the course of
these proceedings, as to the absence of knowledge on the part of the public
about it:
(i) In a Review of Agency Handling of Bulk Personal Data dated
February 2010 by a Mr Hannigan, then of the Cabinet Office, he wrote
(a) at paragraph 6.2: “It is difficult to assess the extent to which
the public is aware of agencies' holding and exploiting inhouse personal bulk datasets, including data on individuals of
no intelligence interest.” and
28