104
IPCO Annual Report 2018
17. Errors and breaches
Overview
17.1
For the first time, in 2018, all errors arising from the use of investigatory powers have been
reported to, and investigated by, the same organisation (the 2017 Annual Report shows an
amalgamation of reporting both to the Investigatory Powers Commissioner’s Office, IPCO,
and its predecessor organisations). The errors that we investigate range from small-scale
human errors to broader systemic failings. Irrespective of the scale of the error, we consider
the human impact in our assessment of its seriousness; in the majority of cases the subject
of the error will be unaware that their right to privacy has been affected.
17.2
Section 231(9) of the Investigatory Powers Act 2016 (IPA) defines a ‘relevant error’ as
an error:
a) by a public authority in complying with any requirements which are imposed on it by
virtue of this Act or any other enactment and which are subject to review by a Judicial
Commissioner; and
a) of a description identified for this purpose in a code of practice under Schedule 7.
17.3
Based on this description, IPCO has been preparing new guidance that will define ‘relevant
errors’ and ‘serious errors’ more clearly for public authorities and those who may be
affected. This guidance should shortly be available on the IPCO website; it will include some
examples of the types of activity in each category and is intended to help to ensure that
reporting is consistent across all public authorities.
Reporting and investigation
17.4
When a relevant error has occurred, the public authority must notify the Investigatory
Powers Commissioner (IPC) as soon as reasonably practicable and no later than ten
working days (or as agreed with the Commissioner) after it has been established that a
relevant error has occurred. The overwhelming majority of errors are reported timeously
by members of staff within the relevant authorities and most are dealt with quickly by the
IPCO team. Where a matter is identified as potentially serious, the report will be assigned
to one of the Inspectors for a detailed investigation for consideration by the IPC. Because
of their sensitivity, all error reports of the UK Intelligence Community (UKIC), and those for
the intercepting agencies, are handled individually by an Inspector.
17.5
There are occasions when unreported errors are identified during the course of an
inspection but it is pleasing to note that the strong culture of self-reporting identified in
previous Annual Reports continues. Given the nature of the recent MI5 IT compliance issue,
which was reported to IPCO in February 2019 and is covered in more detail in paragraphs
6.44 -6.46, the IPC raised legitimate questions about whether IPCO should itself have
identified the compliance risks earlier or whether the reliance on self-reporting puts the
oversight regime at risk of manipulation by those we inspect. Having reviewed the matter