Respondents’ Open Response as follows (underlining in the original signifies
the existence of gisting):
“Storage of and access to data
99ZK. GCHQ also has policies for storage of and
access to data obtained by CNE.
99ZL.
The section of the Compliance Guide
concerning “Review and Retention” states that
GCHQ treats “all operational data” (i.e.
including that obtained by CNE) as if it were
obtained under RIPA. It sets out GCHQ’s
arrangements for minimising retention of data
in accordance with RIPA safeguards. This is
achieved by setting default maximum limits for
storage of operational data.
99ZM. In addition GCHQ has a separate policy
specifically concerning data storage and
access. It defines different categories of data,
and importantly ascribes specific periods for
which different categories of data may he kept,
as well as explaining how different categories
of CNE data relate to the categories of
operational data set out in the Compliance
Guide.
99ZN. Where CNE analysts identify material as being
of use for longer periods than the stipulated
limits, it can be retained for longer, subject to
justification according to specific criteria.
99Z0.
Access to data is also subject to strict
safeguards, which are set out in the
Compliance Guide. CNE content may be
accessed by intelligence analysts, but they must
first demonstrate that such access is necessary
and proportionate by completing a Human
Rights Act (“HRA”) justification. HRA
justifications are recorded and made available
for audit. CNE technical data relating to the
conduct of CNE operations may only be
accessed by a team of trained operators
responsible for planning and running such
operations.
99ZP.
GCHQ’s policy on storage of and access to
data also requires GCHQ analysts who are not
in the CNE operational unit to justify access to
CNE data on ECHR grounds (particularly