IPCO Annual Report 2018
8. Government
Communications
Headquarters (GCHQ)
Overview
8.1
We inspect the Government Communications Headquarters (GCHQ) individually as well
as, on occasion, in combination with UK Intelligence Community (UKIC) partners as
explained above. GCHQ contributed to the work to prepare for the Investigatory Powers
Act 2016 (IPA), including to the training programme for our Judicial Commissioners (JCs),
leading in particular on some of the more technical areas and helping to develop a realistic
understanding of how bulk powers are used.
Findings
8.2
It is worth noting that GCHQ’s reliance on bulk powers under the IPA is greater than
they originally anticipated.26 This reflects the realities of enacting the legislation rather
than a substantial change in GCHQ’s working model or a response to the availability of
those powers.
8.3
Our inspections show that GCHQ’s IT protects all data to the standard set out in the IPA as a
default. Where there is an operational requirement to access data, which will include bulk
communications data (BCD) and/or bulk personal data (BPD), an analyst must justify why
the access and examination of the data are necessary and proportionate and must record
the specific intelligence requirement and priority for each search. We have found that this
establishes the most consistent and cautious approach to safeguarding operational data; all
data is protected to the standards set out in the IPA as a default.
8.4
The internal procedures within GCHQ have been modified to take account of the
commencement of bulk acquisition warrants within Chapter 2 Part 6 of the IPA and the
accompanying Code of Practice (CoP). We will continue to work with GCHQ to ensure that
these are adequate.
8.5
In November 2018, GCHQ published details of their UK Equities Process.27 This relates
to GCHQ’s work with technology companies to maintain the intended level of security
of publicly used technologies. This document explained that many, but not all, technical
vulnerabilities are disclosed to vendors and GCHQ set out the internal review process that
they use to assess whether the best course of action is to inform the company, rather
than to exploit the vulnerability for national security purposes without disclosing it to the
vendor. This process includes scrutiny by a panel of technical experts from GCHQ, National
Cyber Security Centre (NCSC), UKIC and the Ministry of Defence (MOD). GCHQ invited the
Investigatory Powers Commissioner’s Office (IPCO) to oversee this process in November
26 https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/761147/Letter_from_the_
Security_Minister_to_Dominic_Grieve_QC_MP_December_2018.pdf
27 https://www.gchq.gov.uk/information/equities-process
49