IPCO Annual Report 2018
renew an authorisation to retain and examine a bulk dataset which was not available for
analysis if steps were not being taken actively to resolve any data ingestion issues. Our
discussions with UKIC have identified that each agency’s review panel regularly considers
any datasets that have not been fully ingested and, in some cases, has refused to reauthorise datasets which have not been ingested into relevant systems. We will continue to
review any relevant notes from these panels and on a case-by-case basis may in the future
challenge unnecessary delays if they do occur.
7.21
As mentioned above, the IPA introduces safeguards for sensitive personal data. Any BPD
comprising a substantial proportion of sensitive data must be retained under a specific,
not class, authorisation. Our inspection at SIS identified that any relevant data is being
appropriately marked and authorised. Our inspections considered why certain categories
of sensitive personal data might be necessary for the discharge of SIS’s functions. We were
persuaded by the documented justification in all cases reviewed.
Operational purposes
7.22
As above, we are satisfied that the responsive nature of SIS’s work necessitates the
retention of the vast majority of its warranted BPDs for all current operational purposes. SIS
has not made any modifications under section 215 of the IPA in 2018. We would not expect
this approach to change in 2019.
7.23
We did not inspect SIS’s records in relation to selection for examination of BPD material
in 2018 because our inspection was conducted during the transition period after the
implementation of BPD warrants. We intend to inspect these records in 2019 and anticipate
that this safeguard will enable us to confirm that data is being accessed appropriately by
officers with a clear business need to do so.
Section 7 of the Intelligence Services Act (ISA)
7.24
SIS conduct a range of activities overseas under section 7 of the ISA. On inspection, SIS
proactively brought a number of sensitive and complex operations to our attention in
addition to material that we selected for review. We considered submissions to the Foreign
Secretary to cover work conducted at a number of stations and discussed those cases with
the teams working under those authorisations either in person or via video conference. In
each case we reviewed, SIS set out the legal framework for their operation, taking domestic
and international law into consideration. This detail is typically thorough and clearly
set out.
7.25
In 2017, we raised the concern that considerations of privacy were not well documented by
SIS on internal approvals. This concern related to the way that SIS officers recorded privacy
considerations for operations and activities conducted lawfully under authorisations
approved by the Secretary of State. Previous Commissioners have noted similar concerns
in relation to SIS’s record keeping, but that this does not reflect a lack of consideration in
SIS’s operational planning. Nonetheless, we have urged SIS to improve record keeping such
that they are able to demonstrate how their work respects individuals’ right to privacy, and
takes steps to minimise intrusion, where possible. We have seen a general improvement in
SIS’s documentation, including to introduce more consistent internal records for reliance on
section 7 authorisations and therefore have no ongoing concerns on this issue.
47