4.3.3 Furthermore, each Intelligence Service is obliged to put in place the
following additional measures:
Access to BCD must be strictly limited to those with an appropriate
business requirement to use these data and managed by a strict authorisation
process;
Requests to access BCD must be justified on the grounds of necessity and
proportionality and must demonstrate consideration of collateral intrusion
and the use of any other less intrusive means of achieving the desired
intelligence dividend.
Intelligence Service staff who apply to access BCD must have regard to the
further guidance on the application of the necessity and proportionality tests
set out in paragraph 4.1.3 - 4.1.4 above.
Where Intelligence Service staff intend to access BCD relating to the
communications of an individual known to be a member of a profession that
handles privileged information or information that is otherwise confidential
(medical doctors, lawyers, journalists, Members of Parliament, Ministers of
religion), they must give special consideration to the necessity and
proportionality justification for the interference with privacy that will be
involved;
In addition, Intelligence Service staff must take particular care when
deciding whether to seek access to BCD and must consider whether there
might be unintended consequences of such access to BCD and whether the
public interest is best served by seeking such access;
In all cases where Intelligence Service staff intentionally seek to access and
retain BCD relating to the communications of individuals known to be
members of the professions referred to above, they must record the fact that
such communications data has been accessed and retained and must flag this
to the Interception of Communications Commissioner at the next inspection;
In the exceptional event that Intelligence Service staff were to seek access to
BCD specifically in order to determine a journalist’s source, they should only
do this if the proposal had been approved beforehand at Director level. Any
communications data obtained and retained as a result of such access must be
reported to the Interception of Communications Commissioner at the next
inspection;
Users must be trained on their professional and legal responsibilities, and
refresher training and/or updated guidance must be provided when systems or
policies are updated;
A range of audit functions must be put in place: users should be made
aware that their access to BCD will be monitored and that they must always
be able to justify their activity on the systems;
Appropriate disciplinary action will be taken in the event of inappropriate
behaviour being identified;
Users must be warned, through the use of internal procedures and
guidance, about the consequences of any unjustified access to data, which can
include dismissal and prosecution.
In the exceptional event that Intelligence Service staff were to abuse their
access to BCD – for example, by seeking to access the communications data of
an individual without a valid business need – the relevant Intelligence Service
must report the incident to the Interception of Communications Commissioner
at the next inspection.”
47
