IPCO Annual Report 2017
and policies, as well as specific consideration of more complex datasets. Independent
of this, the intelligence agencies provided a series of detailed briefings on their plans
to develop the BPD regime in order to achieve compliance with the IPA.
10.13
In practice at inspections we (i) look at the authorisation paperwork, which differs at each
agency; (ii) speak to the operational leads who use and ‘sponsor’ the data; (iii) review the
minutes from the data retention panel meetings; and (iv) speak to the analysts who run tasks
and searches on the data.
10.14
We identified three areas of particular note concerning the policies and procedures for using
and disclosing BPDs.
10.15
First, we were concerned that GCHQ was not clearly identifying all the BPDs held. We probed
this at the December inspection and briefing sessions.
10.16
Second, we reviewed how the intelligence agencies identify and record sensitive personal
data. Section 202(b) of the IPA stipulates that an agency may not retain a bulk personal
dataset under a class authorisation if a substantial proportion of it consists of sensitive
personal data. This means that whenever the dataset contains a substantial proportion of
sensitive personal data, it must be authorised individually under a specific warrant. We
have been briefed by the intelligence agencies as to how they will ensure that any sensitive
personal data is appropriately identified and the risks assessed carefully. We will review this
process with particular care during our 2018 inspections.
10.17
Third, building on specific ‘sharing’ inspections, we plan to conduct a detailed review of how
the intelligence agencies work with parties acting on their behalf. This potentially includes
contractors, industry partners and academics to understand the role these individuals play
and any access they are afforded to sensitive data.
Findings
Assessment of record-keeping
10.18
We are content that GCHQ is working to capture all its bulk data holdings, and will in due
course provide more clarity on the nature of the complex BPDs, and how they are handled,
at future inspections. It is worth noting that GCHQ does not operate distinct safeguards for
BPDs. It handles BPD using the same techniques as for other sensitive information they hold.
It is vital that there is an accurate understanding of the BPDs that are held by the intelligence
agencies and that appropriate warrants issued under the IPA are in place to retain and access
the information.
10.19
Previous Intelligence Services Commissioners have been satisfied with the records kept on
BPDs. However, we have made a number of recommendations to improve the clarity of the
records. During the inspections, the documentation is not viewed in isolation and the staff
briefings and interviews have led us to conclude that this sensitive data is being held and
used appropriately. Nonetheless, the documentation should be a reliable, free-standing
source of information in order to demonstrate that the relevant issues have been properly
considered as regards the retention, investigation and handling of this data. There are
improvements to be made in this area.
10.20
Our recommendations aim to standardise the record-keeping, so that the authorisation
paperwork is uniformly clear on what is being retained and its potential use. We have
suggested that the documentation sets out the restrictions on access. The intelligence
71