28
IPCO Annual Report 2017
Intelligence agencies and MOD:
Complex surveillance authorisations
4.26
MI5 conduct a range of complex surveillance activities under each separate authorisation.
We have questioned whether the full range of that activity is adequately reflected within
the surveillance authorities, including the renewal documents, and we suggested MI5
should review its approach to the directed surveillance records to ensure that the necessity,
proportionality and intrusion considerations are clearly set out for all the relevant activity.
We will scrutinise this with particular care over the next 12 months.
Directed surveillance errors
4.27
We were concerned by a comparatively high number of errors at MI5 under this heading,
and we criticised their failure to recognise the adverse issues in this area which we identified,
and which appear to stem from a persistent focus on the authorisation process rather than a
review of internal practice. In some cases these errors originated from a lack of appropriate
internal controls in key areas. We have pressed MI5 to resolve this deficiency and to facilitate
a wider review of their directed surveillance activity, along with the adequacy of the current
internal controls. We are confident, however, that they have reported all the identified errors
where the lack of internal controls has led to a breach of an individual’s right to privacy.
SIS and GCHQ
4.28
SIS and GCHQ undertake relatively little surveillance in the UK because of their international
focus. We are confident that all the UK-based surveillance by both agencies is adequately
captured, but we concluded that GCHQ did not always set out the scale of the planned
surveillance sufficiently and therefore the likely level of intrusion was sometimes unclear.
This is an area for improvement.
MOD
4.29
We expressed a concern that the MOD conducted directed surveillance under intrusive
surveillance authorisations, which would be contrary to s.28 RIPA. However, the MOD
indicated that this practice applied only to overseas surveillance and no directed surveillance
had been conducted in the UK without a specific directed surveillance authorisation. It is of
general note in this context that there is a mistaken belief that directed surveillance is simply
a lesser, rather than a different, type of surveillance. It is reassuring that the MOD will ensure
that all combined directed and intrusive surveillance authorisations state clearly that both
types of surveillance will be conducted.
Product handling arrangements
4.30
In his 2016 report, Sir Mark Waller raised the importance of setting out clearly in an
application how any unwanted product would be handled. We noted that surveillance
casework at the MOD did not provide details as to how unnecessary information was to be
treated. It is essential that the authorisation is clear in this regard, particularly when there
is risk of a high level of intrusion. Appropriate handling arrangements are a key method of
managing and mitigating intrusion. It follows that the authorising officer should have a clear
understanding of how the product will be handled, whether or not it is of intelligence value.
Again, this is an area that calls for improvement.