81
We turn to BPD, in respect of which it is plain that it was determined as a result
of the 2010 report by Mr. Hannigan referred to in paragraph 70 above (and as
later recorded in the Introduction to the Joint Bulk Personal Data Policy of
November 2015), that there should then be an improvement in respect of its
oversight. Although there had been some oversight of BPD prior to 2010 by the
then I S Commissioner Sir Peter Gibson, and Sir Paul Kennedy as I C C
included consideration of BPD on his visits between January 2011 and May
2015, the major oversight of BPD was by Sir Mark Waller, Sir Peter Gibson's
successor, as from December 2010, on his bi-annual visits. There is a short
summary of his supervision in paragraph 56 of the Respondents’ Amended
Response to the Claimant's Supplemental Request for Further Information. This
does not adequately take into account (because it was prior to their disclosure in
open) the content of the Confidential Annexes to his Reports, particularly those
between 2011 and 2013, which we have read, and, for example, in the 2013
Annexe he referred to the nature of his oversight of BPD:
“*Firstly I require the services to provide me with a list of all data sets
held. What I am concerned to do is to assess whether the tests of the
necessity and proportionality of acquiring and retaining the data sets
has been properly applied in relation to decisions to acquire, retain or
delete those data sets. This is normally quite straightforward because
each service has an internal review body which considers the retention
of data sets on a regular basis and records the decision in writing.
These documents are available for me to inspect.
*I then consider how operatives and which operatives gain access to
the data sets and review how the necessity and proportionality (i.e. the
justification) of that intrusion is maintained.
*Finally I review the possible misuse of data and how this is
prevented. I consider this to be the most important part of my
oversight in that it seems to me that
*it is critical to that access to bulk data is properly controlled and
*it is the risk that some individuals will misuse the powers of access to
private data which must be most carefully guarded against."
We have considered the relevant parts of his recent Report of 8th September,
since the hearing, and the short written submissions of the parties in relation to
it, which we invited. It is apparent that he has continued a rigorous oversight,
and he will no doubt consider as such oversight continues, the important
suggestions which the Claimant makes.
82
Although the oversight by the I S Commissioner was not made statutory until
March 2015, as set out in paragraph 13 above, the careful recital was that:
"The Intelligence Services Commissioner must continue [our
underlining] to keep under review ..."
It was thus recognised that the supervision had previously existed. We are
satisfied that during the period of Sir Mark Waller's supervision the
independent oversight of BPD had been and continued to be adequate.
31