46
IPCO Annual Report 2018
Bulk Personal Datasets (BPD)
7.15
SIS holds datasets covering a wide variety of mission areas. We worked closely with SIS
throughout 2018, in advance of IPA implementation, to understand the nature of their bulk
data holdings and how this data would continue to be used and handled under the new
authorisation framework. For this reason, we have a high level of confidence in how SIS
safeguards data and have no concerns in this area.
7.16
The IPA has required the UK Intelligence Community (UKIC), and SIS in particular, to
overhaul documentation in relation to BPD. Each warrant application must set out in
general terms the nature of the data being held, how and why it will be retained and
how long the data is expected to be valuable to analysts for the specified purpose. This
information is typically clarified in relation to individual datasets on internal approval
documentation. This process has meant that there has been a significant improvement in
the clarity of records which we expect to continue.
7.17
The categorisation of a dataset as a BPD relies on the assessment that the data within the
set relates to a majority of individuals who are not, and are not likely to become, of interest
to the intelligence agency in the pursuit of its statutory functions. In some cases, datasets
will be held where the data is ‘targeted’, in other words the data relates to individuals
who are, in the majority, assessed to be of intelligence interest. In this instance, the BPD
authorisation process does not apply. We have been impressed by the rigorous process
in place to assess and approve the categorisation of data internally and have welcomed
discussions on a sample of targeted data. We have reviewed minutes of relevant panel
meetings and interviewed senior officers responsible for these decisions. This has given us
a good level of confidence that data is being appropriately categorised and handled. We
have encouraged SIS to ensure that this is an iterative process and that they should remain
aware of changes in the nature of their data holdings and how that data is being accessed
and analysed by their officers. This is an area which we will continue to inspect carefully to
ensure this very sensitive data is appropriately protected.
7.18
Due to the sensitivity of the data, we are not able directly to access the data holdings or
analytical systems. In both cases, these are subject to access controls. We have received
live demonstrations from analysts, showing how data is queried both manually and
automatically and how it is used for specific intelligence aims. In previous years, we have
looked at protective monitoring around these systems and have questioned individual
analysts about a sample of searches conducted through the year. This continues to be a key
element of our inspections and provides a basis of confidence for the value statements set
out by SIS in both authorisation paperwork and internal review documents.
7.19
We noted in 2017 that SIS intended to ‘refresh’ their protective monitoring process. UKIC
initiated a Strategic Protective Monitoring (SPM) project which was to amalgamate SIS,
MI5 and GCHQ protective monitoring systems to enable a single UKIC team as well as
provide some new analytics. However, the project was formally closed and a new project
or programme will be started once requirements have been assessed. This is a sensitive
area of work which needs to be handled carefully to establish a consistent and appropriate
mechanism to ensure that protective monitoring continues to be fit for purpose as next
generation systems are implemented. We will therefore continue to engage with UKIC on
this matter.
7.20
In previous years, we have noted concerns that bulk datasets had not been ingested into
SIS’s analytical systems. We note that the IPA does not establish any specific requirements
in terms of the ingestion of data, provided a relevant warrant is in place to authorise the
retention and examination of that data. However, we would not expect UKIC to apply to