42
IPCO Annual Report 2018
Non-compliance investigation
6.44
As noted above, we were informed in February 2019 of serious compliance risks associated
with certain technology environments in use by MI5. The information initially supplied
to IPCO suggested there were serious deficiencies in the way the relevant environment
implemented important IPA safeguards, particularly the requirements that MI5 must limit
to the minimum necessary the extent to which warranted data is copied and disclosed, and
that warranted data must be destroyed as soon as there are no longer any relevant grounds
for retaining it.
6.45
IPCO began a detailed investigation with assistance from members of the Technology
Advisory Panel (TAP). Whilst the environment could only be accessed by appropriately
cleared MI5 personnel, we identified a number of serious deficiencies, in particular an
inconsistent approach to controls around the extent to which users were able to copy data
and place it into storage areas within the environment.
6.46
Following this investigation, and on the basis of detailed information from MI5 on the
mitigations it had put in place in response to our initial findings, the IPC determined
in April 2019 that MI5 was capable of handling warranted data in compliance with the
IPA’s safeguards. However, the IPC also directed that MI5’s use of the environment
must be subject to further, detailed inspection as some of the mitigations were yet to
be fully implemented. MI5’s use of the relevant technology environments is therefore
subject to ongoing, detailed scrutiny during 2019 and we will report further in the next
Annual Report.