IPCO Annual Report 2018
BPD warrants, which authorise the retention and examination of the majority of its BPD
holdings, and a number of specific BPD warrants to authorise the minority of datasets.
Many of GCHQ’s holdings are technically complex and so GCHQ have worked closely with
the JCs and the TAP so that the judges considering the warrant applications have a clear
understanding of the technical issues involved.
8.38
GCHQ briefed us on how sensitive personal data would be managed in accordance with the
requirements of the IPA. We are content that relevant data would be identified during the
examination and ingestion phase and that only data necessary for the stated operational
purposes would be retained.
8.39
GCHQ holds a large number of datasets outside of the BPD regime, usually because these
datasets do not contain personal data. In some cases, it is not immediately apparent
whether a given dataset constitutes a BPD and GCHQ errs on the side of caution. For
example, a dataset containing Internet Protocol (IP) addresses which may or may not
relate to individuals could be classed as personal data. In some cases, GCHQ identified that
any personal data which a dataset may contain is de minimis. In this scenario, we agreed
with GCHQ that it would be reasonable not to seek a BPD warrant to authorise retention
of the dataset. However, we noted that GCHQ did not have a process in place to record
centrally any decisions it took on whether or not datasets were BPDs. In response to a
recommendation from us, GCHQ is now implementing a process which we will inspect
in 2019.
8.40
Internally, GCHQ reviews the necessity and proportionality case for retaining BPDs under
class warrants or acquiring new ones through its BPD Review Panel. Overall, we were
satisfied that the panel is effectively overseeing the acquisition, retention and deletion
of GCHQ’s BPDs, although we made a small number of recommendations to improve the
clarity of the paperwork put before the panel and the extent to which the panel’s decisions
are subject to challenge.
8.41
During our inspections, as at SIS, we received demonstrations on how GCHQ’s BPDs are
accessed and used. This included a spot-check review of internal justification records used
by analysts to document what they are looking for and why. We were not satisfied by the
standard of these records, although interviews with staff demonstrated a high level of
consideration and understanding of the relevant principles. We recommended that GCHQ
should refresh staff training to address this shortfall and, in particular, should focus on the
issue of intrusion and the proportionality of interrogating BPD in relation to a particular
intelligence requirement. We will follow this up at inspections in 2019.
Operational purposes
8.42
Like MI5 and SIS, in most cases GCHQ seeks approval to use warranted BPD for all
operational purposes in accordance with the CoP. There are some specific datasets which
GCHQ assesses to be necessary to retain and examine only in relation to a subset of
operational purposes. In those instances, GCHQ will apply for a warrant which names a
subset of operational purposes. We have not seen any modifications from GCHQ although
they have applied to the FCO in one instance to remove operational purposes that were not
necessary.
8.43
As noted for the other agencies, we did not scrutinise the records relating to selection for
examination of BPD material during 2018. We will review these records in 2019 and will
examine whether data is being appropriately accessed, including by an individual with a
clear operational need in line with an authorised operational purpose.
55