(b) at paragraph 36: "Although existing legislation allows
companies and UK Government Departments to share personal
data with the agencies if necessary in the interests of national
security, the extent to which this sharing takes place may not be
evident to the public."
(ii) In the (then unpublished, but now disclosed) MI5 Policy for Bulk
Data Acquisition, Sharing, Retention & Deletion issued on 19 October
2010 it was stated: "The fact that the Service holds bulk financial,
albeit anonymised, data is assessed to be a HIGH corporate risk, since
there is no public expectation that the Service will hold or have access
to this data in bulk. Were it to become widely known that the Service
held this data, the media response would most likely be unfavourable
and probably inaccurate."
In any event it seems difficult to conclude that the use of BCD was foreseeable
by the public, when it was not explained to Parliament; and several
opportunities arose when legislation or Codes of Practice were being
introduced or amended (and particularly in 2000 when s.80 of RIPA was
passed), when the government of the day did not avow the use of s.94.
71
The Respondents attached helpful Appendices to their Skeleton Argument,
setting out, by reference to the disclosed evidence (some of it redacted), the
detailed rules and arrangements which related to BCD (GCHQ and MI5) and
BPD (all three SIAs) during the period since at least 2010. However, none of
those rules or arrangements were previously disclosed or signposted, prior to
the publication of the Handling Arrangements in November 2015.
Supervision/Oversight
72
This is the other underlying question, and it is not a straightforward picture.
We shall consider the position separately in respect of BCD and BPD.
73
What is clear is that, as set out in the Agreed Facts in paragraph 19 above,
there was no statutory oversight of BPD prior to March 2015, when the Prime
Minister gave his Direction as set out in paragraph 13 above, and that there
has never been any statutory oversight of BCD, save in respect (in both cases)
of data obtained under RIPA, which would fall under the responsibility of the
I C C under ss.57 and 58 of RIPA, or under the ISA 1994, in which case the I
S Commissioner had responsibility for its oversight under ss.59 and 60 of
RIPA.
74
Mr. de la Mare submits that any but statutory supervision is wholly
ineffective, because of the absence of the statutory powers and duties
contained in those sections. We are not persuaded that that is a sufficient
answer to the Respondents’ case that there was in fact effective independent
oversight by the Commissioners which indeed led to the disclosure of errors
from time to time, which they caused to be remedied. It is necessary to look at
what in fact occurred.
29