46. §§4.6.1-4.6.2 concern internal oversight. A senior member of an Intelligence
Service’s internal review panel (see paragraph 44 above) must keep that
Service’s Executive Board apprised of BCD holdings (§4.6.1). In addition,
internal audit teams must monitor use of IT systems:
“4.6.2 Use of IT systems is monitored by the audit team in order to detect
misuse or identify activity that may give rise to security concerns. Any such
identified activity initiates a formal investigation process in which legal,
policy and HR (Human Resources) input will be requested where appropriate.
Disciplinary action may be taken, which in the most serious cases could lead
to dismissal and/or the possibility of prosecution under the Computer Misuse
Act 1990, the Data Protection Act 1998, the Official Secrets Act 1989 and
Misfeasance in Public Office depending on circumstances.”

47. All reports on audit investigations are made available to the Interception of
Communications Commissioner (§4.6.3).

48. §§4.6.4 to 4.6.7 address oversight by the Interception of Communications
Commissioner:
“4.6.4 The Interception of Communications Commissioner has oversight of:
a) the issue of Section 94 Directions by the Secretary of State enabling the
Intelligence Services to acquire BCD;
b) the Intelligence Services’ arrangements in respect of acquisition, storage,
access, disclosure, retention and destruction; and
c) the management controls and safeguards against misuse which the
Intelligence Services have put in place.
4.6.5 This oversight is exercised by the Interception of Communications
Commissioner on at least an annual basis, or as may be otherwise agreed
between the Commissioner and the relevant Intelligence Service.
4.6.6 The purpose of this oversight is to review and test judgements made by
the Secretary of State and the Intelligence Services on the necessity and
proportionality of the Section 94 Directions and on the Intelligence Services’
acquisition and use of BCD, and to ensure that the Intelligence Services’
policies and procedures for the control of, and access to BCD are (a) are
sound and provide adequate safeguards against misuse and (b) are strictly
observed.
4.6.7 The Interception of Communications Commissioner also has oversight of
controls to prevent and detect misuse of data acquired under Section 94, as
outlined in paragraph 4.6.2 and 4.6.3 above.”

49. The Secretary of State and the Intelligence Services must provide the
Interception of Communications Commissioner with “all such documents and
information as he may require for the purpose of enabling him to exercise the
oversight described…” (§4.6.8).
50
