2 The content of the obligation imposed by the seventh data protection
principle is further elaborated in §§9-12 of Part II of Sch. 1 to the DPA.
7. Appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against accidental
loss or destruction of, or damage to, personal data.”
25. Accordingly, when the Respondents obtain any information which amounts to
personal data, they are obliged:
(a) not to keep that data for longer than is necessary having regard to the
purposes for which they have been obtained and are being retained / used; and
(b) to take appropriate technical and organisational measures to guard against
unauthorised or unlawful processing of the data in question and against
accidental loss of the data in question.
The OSA
26. A member of the Intelligence Services commits an offence if “without lawful
authority he discloses any information, document or other article relating to
security or intelligence which is or has been in his possession by virtue of his
position as a member of any of those services”: s. 1(1) of the OSA. A
disclosure is made with lawful authority if, and only if, it is made in
accordance with the member’s official duty (s. 7(1) of the OSA). Thus, a
disclosure of information by a member of any of the Respondents that is e.g.
in breach of the relevant “arrangements” (under s. 4(2)(a) of the ISA) will
amount to a criminal offence. Conviction may lead to an imprisonment for a
term not exceeding two years and/or a fine (s. 10(1) of the OSA).
27. Further, a member of the Intelligence Services commits an offence if he fails
to take such care, to prevent the unauthorised disclosure of any document or
other article relating to security or intelligence which is in his possession by
virtue of his position as a member of any of those services, as a person in his
position may reasonably be expected to take. See s. 8(1) of the OSA, as read
with s. 1(1). Conviction may lead to an imprisonment for a term not exceeding
three months and/or a fine (s. 10(2) of the OSA).
Internal Handling Arrangements from 4 November 2015 to the date of the
hearing and as at the date of the hearing
28. The Section 94 Handling Arrangements, which came into force on 4
November 2015, apply to bulk communications data obtained under section 94
of the Telecommunications Act 1984. They are mandatory and required to be
followed by staff in the Intelligence Services. Failure to comply may lead to
disciplinary action, which can include dismissal and prosecution (§§1.1-1.3).
29. The Section 94 Handling Arrangements expressly relate to communications
data which is limited to “traffic data” and “service use information” (§2.2).
These terms are defined at §3.5.1 and §3.5.2 by reference to s.21(4) and (6) of
RIPA:
43