acquisition of the BCD the identity of the individuals will be unknown), both in
relation to subjects of intelligence interest and in relation to other individuals
who may be of no intelligence interest, against (b) the expected value of the
intelligence to be derived from the data. Staff must be satisfied that the level of
interference with the individual’s right to privacy is justified by the value of
the intelligence that is sought to be derived from the data and the importance
of the objective to be achieved. Staff must also consider whether there is a
reasonable alternative that will still meet the proposed objective - i.e. which
involves less intrusion.”
36. Once made, a Section 94 Direction must be served on the CNP concerned in
order that the relevant Agency can receive the requested dataset (§4.2.1).
37. Safeguards against unauthorised access are set out at §4.2.2:
“4.2.2 It is essential that any BCD is acquired in a safe and secure manner
and that Intelligence Services safeguard against unauthorised access.
Intelligence Services must therefore adhere to the controls outlined in the
CESG6 Good Practice Guide for transferring and storage of data
electronically or physically.”
Access/Use
38. The Section 94 Handling Arrangements emphasise the importance of data
security and protective security standards, confidentiality of data and
preventing/disciplining misuse of such data:
“4.3.1 Each Intelligence Service must attach the highest priority to
maintaining data security and protective security standards. Moreover, each
Intelligence Service must establish handling procedures so as to ensure that
the integrity and confidentiality of the information in BCD held is fully
protected, and that there are adequate safeguards in place to minimise the risk
of any misuse of such data and, in the event that such misuse occurs, to ensure
that appropriate disciplinary action is taken.”
39. As with BPD, specific, detailed measures are also set out which are designed
to limit access to data to what is necessary and proportionate, to ensure that
such access is properly audited, and to ensure that disciplinary measures are in
place for misuse:
“4.3.2 In particular, each Intelligence Service must apply the following
protective security measures:
Physical security to protect any premises where the information may be
accessed;
IT security to minimise the risk of unauthorised access to IT systems;
A security vetting regime for personnel which is designed to provide
assurance that those who have access to this material are reliable and
trustworthy.
46