72
IPCO Annual Report 2017
agencies must ensure that any sensitive casework is explained in full and that it is adequately
protected. Sensitive information should be assessed in accordance with a clear and
consistent policy. Finally, records should be clear on where a dataset is to be retained, and
that the data within it will be deleted after a defined length of time, to be replaced by more
up-to-data material. These recommendations do not reflect systematic failings but instead
result from a need for a consistent approach. It is recognised that the present paperwork
does not necessarily reflect the extent of the present storage and access arrangements and
we are aware of the work being undertaken to implement our recommendations.
10.21
We have also made recommendations in relation to the review process. Each agency has an
independent panel which systematically reviews the justification for all BPDs. This process
typically relies on a case for retaining the data that is drafted and presented by the ‘data
sponsor’, supported by an analysis of the statistics concerning the use of the specific dataset.
We have recommended that the intelligence agencies revise their approach to capturing
and documenting ’value’, providing specific examples of use, to ensure that this is clear and
consistent on review. We have recommended that they take and keep fuller minutes of the
decisions of the independent panels, including the reasons for approving or rejecting the
request to retain the data. This process should be used to review the access restrictions on
any BPD the intelligence agencies hold, and to help determine whether they need to retain
the entire dataset. They should record the reason for deleting any data. This process will,
in future, feed into any applications to renew the retention, or retention and examination
of a BPD under the JC double-lock procedure.
Assessment of necessity and proportionality
10.22
The intelligence agencies have demonstrated that BPDs are important in enabling them to
perform their statutory functions. We are persuaded of the necessity and proportionality
for retaining BPDs in general, and particularly in respect of those cases we reviewed in 2017.
However, we were not fully satisfied with the adequacy of records kept in relation to BPDs,
especially as to retention and use.
10.23
From our discussions with analysts and authorising officers, we were afforded evidence that
they gave a high level of consideration to necessity and proportionality in relation to the
use and retention of this data. We made a number of recommendations in this area and
throughout 2017 observed these being implemented either in general working practices
or by way of the design work for the IPA regime. The intelligence agencies’ engagement
was impressive; SIS, which holds the highest number of datasets, was notable in this respect.
10.24
One key area to consider on BPDs is how to the intelligence agencies articulate their
approach to collateral intrusion of privacy. The systems each agency uses are designed
to limit intrusion and they have live audit processes to ensure officers are accessing data
appropriately. However, we were not content with the manner in which they articulate
these intrusion considerations. In particular, we were not persuaded that GCHQ officers
had demonstrated an adequate understanding of the intrusive nature of their work. It is
necessary that officers set out their understanding of the impact that retaining and using
BPDs has on the right to privacy, even when all appropriate steps are taken at an operational
level to limit intrusion to that which is strictly necessary for the particular task.