IPCO Annual Report 2018

intelligence requirements and were satisfied that the documentation demonstrated that
their approach was necessary and proportionate.
8.32

We inspected GCHQ’s review records, which was a requirement of the section 94 direction.
The reviews summarised how the data to be retained was being handled and analysed. Our
conversations with analysts and officers responsible for protective monitoring gave us a
high level of confidence that these were being adhered to. We have inspected the front-end
analytical tools used to access BCD and were satisfied by the access control mechanisms in
place. GCHQ’s reviews documented the operational advantages of accessing BCD and how
this would progress the relevant operations and investigations. The reviews additionally
included the operational justification and legal basis for continued retention and use.

8.33

During inspections into the selection of BCD for examination by analysts at GCHQ, we
reviewed the breadth and depth of the internal procedures and audited a number of
individual requests made by analysts. We concluded that the analysts had properly
justified in each case why it was necessary and proportionate to access the communications
data (CD).

8.34

GCHQ carries out robust retrospective audit checks. The senior managers we interviewed
explained and demonstrated in some detail how the audit processes work and the
function of GCHQ’s Internal Compliance Team, who carry out random retrospective audit
checks of the analysts’ justifications for the selection of BCD. Some system changes were
undertaken in early 2018 and these enable the IPCO Inspectors, working with GCHQ’s
Internal Compliance Team, to select and review the analysts’ necessity and proportionality
justifications for the selection of BCD. The changes have much improved the capabilities
of the retrospective audit checks. Importantly, GCHQ were able to demonstrate how
deficiencies are remedied when submissions fall short of the required standard. When
the internal audit team identify that necessity or proportionality justifications recorded
by particular analysts are below the minimum requirements, the Policy and Compliance
Lead is responsible for ensuring that the analyst is made aware. The Policy and Compliance
Network is a network of staff distributed throughout GCHQ who are responsible for
compliance in their areas. This includes working with analysts to ensure their justifications
are up to standard and providing additional training when audit has found justifications
which fall below the required standard.

8.35

We made recommendations as to how the training and guidance provided to analysts could
be delivered to highlight the requirement for clarity within their justifications (for example,
simple text setting out what operational benefit is sought when undertaking the queries).

8.36

In addition, GCHQ’s IT Security Team conducts technical audits to identify and further
investigate any areas of concern (for example, activity that may be a breach of the
operational requirements). The senior managers we interviewed as part of the inspection
process explained and demonstrated in some detail how the audit processes work and the
function of the team. We were satisfied with the thorough overall approach.

Bulk Personal Data (BPD)
8.37

As detailed above, we worked with UKIC in anticipation of the implementation of the
IPA to ensure that records in relation to their bulk data holdings complied with the
requirements of the IPA. In preparation for commencement of Part 7 of the IPA, GCHQ
conducted a detailed review of all of its BPDs to ensure they were all transitioned into
appropriate warrants under the Act. This review involved determining which holdings
should be authorised under specific or class warrants. GCHQ applied for a number of class
