power for the purpose of retaining or examining a BPD unless this is
authorised by the issue of a warrant under Part 7 of the [Bill].”110
The power to acquire BPDs continues to exist, where acquisition is necessary
and proportionate to the SIAs’ statutory functions, under SSA 1989 and ISA 1994
(known as the information gateway provisions).
2.73.
Personal data is defined for the purposes of Part 7 as data relating to an
individual who can be identified from those data, or from those data and other
information which is in the possession or, or likely to come into the possession
of, the data controller (in this case, the relevant SIA).111
2.74.
This power to retain and use BPDs differs from the other powers under review:
for though (like them) the power in the Bill is exercisable only by the SIAs, the
reality is that the NCA, police forces and other bodies also obtain, retain and use
BPDs outside the scope of the Bill, and will continue to do so. Indeed it is well
known that the analysis of bulk data is already conducted at a high degree of
sophistication both within Government and, especially, in the private sector.112
How BPDs are obtained and used
110
111
112
2.75.
BPDs are acquired both through overt and through covert channels. As
recorded in the Operational Case (10.3), they are used on a daily basis, in
combination with other capabilities, across the range of the SIAs’ operations.
2.76.
Two types of warrant are provided for in the Bill: class BPD warrants (which
authorise the retention and use of a particular class of BPD) and specific BPD
warrants. Because even a single BPD is likely to contain data on persons not
currently targets, even the grant of a specific BPD warrant for the retention and
use of a single BPD is considered for the purposes of this Review to be a bulk
power.
2.77.
A draft Code of Practice on the SIAs’ retention and use of BPDs, very much fuller
than the Code of February 2015, was published alongside the Bill on 1 March
2016. This sets out the detail of warrant applications, authorisation and approval
of warrants, authorisation of the retention and use of BPDs falling within a
warrant and safeguards.
Draft Code of Practice, Security and intelligence agencies’ retention and use of bulk personal
datasets, March 2016, 3.2.
Clause 182(2), building on the definition in the Data Protection Act 1988.
A flavour of this is given in AQOT 8.65-8.83 and the RUSI report 1.35-1.39 and 1.66-1.79: see
further Big Data: seizing opportunities, preserving values (Executive Office of the [US]
President, May 2014), and The big data dilemma, House of Commons Science and Technology
Committee Fourth Report of Session 2015/16, HC 468, February 2016.
43