(b) The Secretary of State (and the Judicial Commissioner on review) must be
assured that the warrant is necessary in the interests of national security, or
for the purposes of preventing or detecting serious crime, or in the interests
of the economic well-being of the UK, so far as relevant to the interests of
national security (clauses 185(3)(a), 186(5)(a)).
(c) They must similarly be assured that examination of the BPD is or may be
necessary for the specified Operational Purposes, that examination of the
BPD for each purpose is necessary on any of the grounds in (b) above and
that the conduct authorised by the warrant is proportionate (clauses
186(5)(b)(c)).
(d) If a dataset is assessed to contain a significant component of intrusive data,
applying the draft Code of Practice, it will have to be authorised by a specific
BPD warrant rather than a class BPD warrant.
(e) Provisions for the handling, retention, destruction and audit are set out in the
draft Code of Practice (section 7), and will be subject to audit by the IPC,
including its technical inspectorate (draft Code of Practice, section 9).
(f) Additional safeguards apply for health records (clause 187) and sensitive
professions (draft Code of Practice, 7.8-7.10).
2.84.
It has come to my attention that some BPDs may contain material that is
comparable to the content of communications, and in rare cases even material
subject to LPP. In the light of these facts I have already recommended to the
Home Office that consideration be given to the introduction of additional
safeguards to the Bill and Code of Practice.
2.85.
The acquisition, retention and use of BPDs is subject to the oversight of the
IsComm, and will be overseen by the IPC in future.
Criticism of BPDs
2.86.
In the ongoing IPT case on BPDs and s94, Privacy International drew attention in
its Statement of Grounds to what was described as:
(a) the large size of some BPDs (e.g. the fact that there are 19 million Nectar
cardholders, the details of whom might be held in a BPD);
(b) the ability of analysts to link BPDs together so as to find all relevant
information from one search query;
(c) “minimal oversight” and “no clear legal regime” in the past;
45