that it is securely handled” or have received satisfactory assurances from the
intended recipient with respect to such arrangements (§4.4.5). This applies to
all disclosure, including to other Agencies (§4.4.6), and whether disclosure is
of an entire BCD, a subset of a BCD or an individual piece of data from a
BCD (§4.4.6).
43. Disclosure of the whole or subset of a BCD may only be authorised by a
Senior Official (equivalent to a member of the Senior Civil Service) or the
Secretary of State (§4.4.1).
Retention/review/deletion
44. The requirement on each of the Intelligence Services to review the
justification for continued retention and use of BCD is set out at §§4.5.1-4.5.2:
“4.5.1 Each Intelligence Service must regularly review, i.e. at intervals of no
less than six months, the operational and legal justification for its continued
retention and use of BCD. This should be managed through a review panel
comprised of senior representatives from Information
Governance/Compliance, Operational and Legal teams.
4.5.2 The retention and review process requires consideration of:
- An assessment of the value and use of the dataset during the period under
review and in a historical context;
- the operational and legal justification for ongoing acquisition, continued
retention, including its necessity and proportionality;
- The extent of use and specific examples to illustrate the benefits;
- The level of actual and collateral intrusion posed by retention and
exploitation;
- The extent of corporate, legal, reputational or political risk;
- Whether such information could be acquired elsewhere through less
intrusive means.
4.5.3 Should the review process find that there remains an ongoing case for
acquiring and retaining BCD, a formal review will be submitted at intervals of
no less than six months for consideration by the relevant Secretary of State. In
the event that the Intelligence Service or Secretary of State no longer deem it
to be necessary and proportionate to acquire and retain the BCD, the
Secretary of State will cancel the relevant Section 94 Direction and instruct
the CNP concerned to cease supply. The relevant Intelligence Service must
then task the technical team[s] responsible for Retention and Deletion with a
view to ensuring that any retained data is destroyed and notify the
Interception of Communications Commissioner accordingly. Confirmation of
completed deletion must be recorded with the relevant Information
Governance/Compliance team.”
Oversight
45. The Section 94 Handling Arrangements also set out provisions in relation to
internal and external oversight.
49