104
IPCO Annual Report 2017
Property interference and intrusive surveillance
14.75
All 7 errors relating to property Interference and Intrusive surveillance were reported by
MI5. Of these, five were the result of human error whilst two were the result of technical
failures. In one case property was interfered with where the individual had the same surname
as the intended target of the operation. In another case a small number of operational
deployments were not subject to scrutiny by senior managers as laid out in MI5 internal
guidance and agreed with the Home Secretary. There is no concern that the operation
was improperly planned or carried out. To prevent recurrence MI5 has conducted training
workshops and issued further guidance to staff. In addition they plan to build additional
validation checks into the relevant IT systems to prevent further failures of this kind. In other
cases staff have been reminded of the correct processes to follow and, in one case, the wider
investigative community has been made aware of a technical issue that could result in
the targeting of incorrect IP addresses. Overall we are satisfied that appropriate action
has been taken or is underway to mitigate the likelihood of similar errors occurring in
the future.
Bulk personal datasets
14.76
Breaches are a significant concern in any area of agency work but they are particularly
notable in this area because they point to potential failures in training and the understanding
of officers who have access to sensitive data. We received briefings from each agency on
their protective monitoring and audit processes. The methodology of this monitoring is
highly classified within each organisation.
14.77
Early this year, SIS reported a higher than usual number of breaches relating to access to
BPDs. These had fallen by the time of the December inspection.
14.78
An SIS officer must conduct searches on internal systems in order to view existing records
before interrogating any BPD, in order to prevent unnecessary intrusion. Broadly, although the
breaches reported related to a legitimate business use of the data, officers had not conducted
appropriate checks on less intrusive systems before conducting searches against a BPD. We
probed this issue at the December inspection, to understand the steps taken by SIS to improve
compliance in this area. This had involved a ‘refresh’ of the protective monitoring process,
to gain a clearer snapshot of potential breaches, and an office-wide compliance training
programme was undertaken, to ensure that all staff were aware of the appropriate standards.
We were content from the statistics that this programme was proving successful but we will
continue to monitor this throughout 2018.
14.79
GCHQ and MI5 reported a low level of breaches, which strongly indicates that there is no
deliberate or systemic abuse of data.
Consolidated guidance
14.80
The Consolidated Guidance does not make any provision for what is to occur in the event
of non‑compliance. It does not address how breaches are to be identified and reported.
It is necessary, therefore, for IPCO to explain the approach that we will take as part of
our oversight responsibilities. Most critically, non-compliance will include any substantive
failure to apply the Guidance appropriately, including: (i) continuing to pass or receive
intelligence relating to a detainee when the assessment of the risk of mistreatment,
including the utility of any mitigation, has changed to the extent that a review is necessary;
(ii) failing to take appropriate action when in possession of information relating to a serious
risk of torture or CIDT; (iii) failing to inform a Minister when it is known or believed, or
there is an unmitigated serious risk, that torture or CIDT is taking place; and (iv) failing