shown case studies from which it was apparent that the use of bulk powers
(notably BPDs, but also communications data obtained by bulk interception and
bulk acquisition) was particularly valuable in enabling SIAs to identify an
individual from a partial identifier: A8/3,10; A9/1; A11/6,8-10.
8.24.
In its critique of the Operational Case, Liberty makes the entirely valid point that
some of the case studies provide insufficient detail for any useful analysis to be
conducted or conclusions drawn. But having questioned SIA staff and examined
the underlying documents, including intelligence reports, my informed view is
that the power is of real utility. It is right to say that in some instances
alternatives would be available, but they all had disadvantages, often of
slowness, cost, greater intrusiveness or risk to human agents.
Negative incidents and outcomes
238
8.25.
The IPT was told in March 2016 that between 1 June 2014 and 9 February 2016,
six instances of non-compliance with handling requirements were detected at
MI5. In three of those cases, a dataset was mistakenly left out of MI5’s BPD
review process, so that the necessity and proportionality of retention was not
reconsidered for between one and two years. In one further case, a dataset
which fell within the definition of a BPD had not been entered into the BPD
process. The final two instances were of individual acts of non-compliance by
staff members. Two members of staff had been disciplined.
8.26.
During the same period, five instances of non-compliance were detected at MI6.
Two involved BPDs being ingested into the system before they had been
authorised. In both cases, BPDs were removed as soon as the error (caused by
ambiguity within MI6’s IT systems) was detected. The remaining three errors
involved individual non-compliance. Three members of staff were disciplined.
8.27.
Two instances of non-compliance were detected at GCHQ during this time. In
the first, the retention of a dataset acquired and approved in 2012 was not
subsequently re-authorised. The second instance involved a BPD that was first
acquired in 2010 but not recognised as a BPD until 2015.238
8.28.
More broadly, there is no measurement of “failed searches” of BPD. But in each
SIA, there is ongoing review of BPDs that are held in order to determine whether
they are as valuable to operations as was envisaged when they were first
acquired. At retention reviews, some BPDs are deleted if their contribution to
operations has declined. This review of the relative value of BPDs informs
decision-making about future acquisition.
Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others,
Case No. IPT/15/110/CH, redacted Closed Response of the Respondents to the Claimants’
Request for Further Information and Disclosure, 30 March 2016.
115