IPCO Annual Report 2018
6. MI5
Overview
6.1
We conducted regular inspections at MI5 during 2018, across the range of investigatory
powers they use, speaking to a variety of senior staff, legal and technical officers and, to
a lesser extent, practitioners. Compared with previous years, we adjusted the proportion
of warrant applications and internal authorisations (such as directed surveillance
authorisations) that we reviewed, favouring more in-depth conversations with subjectmatter experts and demonstrations of MI5’s complex IT infrastructure. We believe this
model of scrutiny establishes an enhanced understanding of MI5’s operational work and of
how covertly obtained data is used and retained.
Findings
6.2
In general, we concluded that MI5’s use of investigatory powers available under the
Investigatory Powers Act 2016 (IPA), Intelligence Services Act (ISA) and the Regulation
of Investigatory Powers Act 2000 (RIPA) were compliant with the statutory provisions,
the Codes of Practice (CoP) and internal policies that we have seen. Importantly, in
2018, we were not informed of serious compliance risks in relation to certain technology
environments used by MI5 to store and analyse data. We judge that, by January 2018
(indeed, most probably considerably earlier), MI5 had a clear understanding of the principal
compliance risks associated with these technology environments, to the extent that they
should have carefully considered the legality of continuing to store and exploit operational
data in those systems. The risks were also sufficiently clear that they should have been
communicated to the Investigatory Powers Commissioner (IPC), who was not briefed by
MI5 on the issue until February 2019.
6.3
It is a matter of serious concern that MI5 did not bring these compliance issues to the
attention of the Investigatory Powers Commissioner’s Office (IPCO) attention at an earlier
stage. Having been briefed, we immediately began working closely with MI5 to understand
the level of risk, which was continuing, in relation to warranted data in particular and to
scrutinise the measures implemented and planned to remedy the risks. Further detail of
this is provided at paragraph 6.44-6.46 below. This also means that our findings in relation
to MI5’s use of specific investigatory powers, set out below, are based on the inspections
conducted during 2018, prior to our being made aware of these significant problems.
Covert Human Intelligence Sources (CHIS)
6.4
MI5 authorise UK agent and undercover operations under RIPA. Some overseas operations
do not require RIPA authorisation but are nevertheless subject to detailed operational
assessments. The quality of the applications is generally high and the records of the agent
handlers, controllers, authorising officers and legal and security advisors providing the
explanation for the decisions taken in these complex cases is of a very high standard.
35