IPCO Annual Report 2017
9.29
GCHQ carries out robust retrospective audit checks. The senior managers we interviewed
as part of the inspection process explained and demonstrated in some detail how the
audit processes work and the function of GCHQ’s Internal Compliance Team, who carry out
random ex post facto audit checks of the analysts’ justifications for the selection of bulk
communications data. In addition, GCHQ’s IT Security Team conducts technical audits to
identify and further investigate any possible unauthorised use. This year it was recommended
that GCHQ initiate work to update its systems to enable our inspectors to carry out a more
thorough audit, similar to that facilitated at MI5 and which we describe below.
9.30
MI5 has a policy and procedure for accessing the bulk communications data, acquired and
retained by the agency as a consequence of s.94 directions, which substantially mirrors that
set out in Chapter 2 Part 1 RIPA and the code of practice for the Acquisition and Disclosure
of Communications Data.55
9.31
The investigator/analyst sets out in an application why it is necessary and proportionate
to access the data. A designated person (DP) of appropriate seniority in the organisation
considers whether to give authority for access to the data MI5 retains.
9.32
During inspections, our inspectors have access to the system used by investigators and
analysts at MI5 to apply to access the bulk communications data, and we undertake random
sampling and run query-based searches on the system. For example, inspectors might use
the system to show us every application which included the word ‘journalist’. This means that
our inspectors can (i) evaluate the analysts’ and investigators’ necessity and proportionality
considerations; (ii) examine particular operations; and (iii) identify requests for more
sensitive data sets or those requiring data over longer time periods.
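The three checks described in 9.32 (keyword search over justifications, flagging of more sensitive data sets, and flagging of long retrieval periods), together with reproducible random sampling, as an added illustration in Python. This is not code from IPCO, MI5 or GCHQ; the application records, the set of data sets treated as "more sensitive" and the 30-day threshold are all constructed assumptions for the example.

```python
"""Audit queries over an application log (added example; records are constructed)."""
import random
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Application:
    ref: str
    justification: str   # the applicant's necessity/proportionality text
    data_set: str        # name of the retained data set requested
    period_start: date
    period_end: date

    @property
    def period_days(self) -> int:
        """Inclusive length of the requested time period in days."""
        return (self.period_end - self.period_start).days + 1


# Constructed sample records for the example; they are not real applications.
APPLICATIONS = [
    Application("A-001", "Identify contacts of the subject over a one-week window.",
                "BCD-events", date(2017, 3, 1), date(2017, 3, 7)),
    Application("A-002", "Subject is a journalist; confidential-source material may be engaged.",
                "BCD-events", date(2017, 4, 10), date(2017, 4, 12)),
    Application("A-003", "Pattern-of-life query; journal entries corroborate the timeline.",
                "BCD-subscriber", date(2017, 5, 1), date(2017, 5, 3)),
    Application("A-004", "Twelve-month retrospective on a known associate.",
                "BCD-location", date(2016, 6, 1), date(2017, 5, 31)),
    Application("A-005", "Journalists' contact chain under review for a leak inquiry.",
                "BCD-location", date(2017, 7, 1), date(2017, 7, 2)),
]

# Assumptions for the example: which data sets count as "more sensitive" and what
# counts as a "longer time period".
SENSITIVE_DATA_SETS = {"BCD-location"}
LONG_PERIOD_DAYS = 30


def search_justifications(apps, term):
    """Applications whose justification contains `term` as a whole word, case-insensitive,
    allowing a plural or possessive suffix: 'journalist(s)' matches, 'journal' does not."""
    pattern = re.compile(r"\b" + re.escape(term) + r"(s|'s|s')?\b", re.IGNORECASE)
    return [a for a in apps if pattern.search(a.justification)]


def flag_sensitive(apps, sensitive=SENSITIVE_DATA_SETS):
    """Applications requesting one of the more sensitive data sets."""
    return [a for a in apps if a.data_set in sensitive]


def flag_long_periods(apps, threshold_days=LONG_PERIOD_DAYS):
    """Applications requesting data over a period longer than the threshold."""
    return [a for a in apps if a.period_days > threshold_days]


def random_sample(apps, k, seed):
    """Reproducible random selection for ex post facto review: recording the seed lets a
    second inspector regenerate exactly the same sample."""
    rng = random.Random(seed)
    return sorted(rng.sample(list(apps), k), key=lambda a: a.ref)


def review_queue(apps, term="journalist"):
    """Union of the three query-based checks, deduplicated and ordered by reference."""
    flagged = {a.ref: a for a in search_justifications(apps, term)}
    flagged.update({a.ref: a for a in flag_sensitive(apps)})
    flagged.update({a.ref: a for a in flag_long_periods(apps)})
    return [flagged[ref] for ref in sorted(flagged)]


if __name__ == "__main__":
    for app in review_queue(APPLICATIONS):
        print(app.ref, app.data_set, app.period_days, "days:", app.justification)
    print("random sample:", [a.ref for a in random_sample(APPLICATIONS, 2, seed=7)])
```

The word-boundary match in search_justifications is the detail worth noting: a plain substring search for "journal" would sweep in A-003, while an exact-word search would miss the possessive in A-005, so the inspector's keyword query should be explicit about which forms it accepts.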
9.33
Overall we concluded that the MI5 applications we examined were submitted to a notably
high standard, and in particular that they satisfied the principles of necessity and proportionality.
9.34
In the latter part of 2017 we undertook work in addition to the scheduled inspections, in
order to review the systems used to acquire, retain and manage access to BCD by MI5 and
GCHQ. These included the following topics:
• security governance arrangements;
• information security frameworks and policies;
• training and security awareness;
• physical security;
• access management for users (e.g. analysts);
• network access controls;
• system monitoring;
• the deletion of data from the systems; and
• logging, monitoring and audit trails.
9.35
This additional work will continue through 2018 and we will publish our findings in a report
to the Prime Minister.
55 See Chapter 3 – The General Rules on the Granting of Authorisations and Notices, https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/426248/Acquisition_and_Disclosure_of_Communications_Data_Code_of_Practice_March_2015.pdf