‘proportionality’ requirement, staff must balance (a) the level of interference
with the individual’s right to privacy, both in relation to subjects of interest
who are included in the relevant data and in relation to other individuals who
are included in the data and who may be of no intelligence interest, against (b)
the expected value of the intelligence to be derived from the data. Staff must be
satisfied that the level of interference with the individual’s right to privacy is
justified by the value of the intelligence that is sought to be derived from the
data and the importance of the objective to be achieved. Staff must also
consider whether there is a reasonable alternative that will still meet the
proposed objective - i.e. which involves less intrusion.
4.5 These can be difficult and finely balanced questions of judgement. In
difficult cases staff should consult line or senior management and/or legal
advisers for guidance, and may seek guidance or a decision from the relevant
Secretary of State.”
40. A formal procedure must be followed prior to any acquisition or use as set out
at §§4.6 to 4.7:
“4.6 Before a new dataset is loaded into an analytical system for use, staff in
each Intelligence Service must consider the factors set out in paragraph 4.2
based on the information available to it at the time. Each Agency has a
rigorous formal internal authorisation procedure which must be complied
with, except in those cases where the acquisition is already authorised by a
warrant or other legal authorisation issued by a Secretary of State.
4.7 Staff in each Intelligence Service must always complete the formal internal
authorisation procedure before the dataset is loaded into an analytical system
for use. The authorisation procedure involves an application to a senior
manager designated for the purpose which is required to set out the following:
a description of the requested dataset, including details of the personal data
requested, and any sensitive personal data;
the operational and legal justification for acquisition and retention,
including the purpose for which the dataset is required and the necessity and
proportionality of the acquisition;
an assessment of the level of intrusion into privacy;
the extent of political, corporate, or reputational risk;”
41. Thus, the need to consider the key matters set out at §4.2 of the BPD Handling
Arrangements, and explained at §§4.3-4.3, is built into the formal
authorisation procedure.
42. There is a requirement to consult the legal advisers of the relevant Intelligence
Service “on all new BPD acquisitions” and to have “confirmed the legality of
the acquisition and its continued retention before authorisation to use the
dataset is given.” (§4.8)
43. A record of the application for authorisation must be kept:
64