56
IPCO Annual Report 2018
Challenge to the lawfulness of GCHQ’s use of bulk data
8.44
As noted in chapter 2, in Privacy International v GCHQ & Others IPT/15/110/CH, the IPT
considered the lawfulness of GCHQ’s use of bulk data. The IPT judgment called for “a
review of existing procedures at GCHQ in relation to sharing of intelligence and of bulk
datasets… under the supervision of IPCO”. In response, GCHQ is conducting a detailed
review of the processes and procedures governing decisions to share data in bulk with
foreign partners. This review is ongoing and we are receiving regular updates. We will
report in full on the outcome of the review in our 2019 Annual Report.
Intelligence Services Act Section 7
8.45
In previous reports we have explained that GCHQ conducts a range of activities overseas
relying on authorisations obtained under section 7 of the Intelligence Services Act (ISA).
GCHQ sometimes relies on class authorisations to authorise a set of activities, which are
managed internally using approval documentation. We have scrutinised this paperwork and
interviewed analysts and approving officers. As with other areas of internal documentation,
we have recommended that GCHQ should ensure that these records demonstrate adequate
consideration of proportionality and intrusion in each case.
8.46
GCHQ’s work on equipment interference, formerly conducted under section 7, is now
conducted under Parts 5 and 6 of the IPA. In some instances, GCHQ will conduct operations
which do not acquire communications, equipment data or other relevant information
protected under the IPA, but which would still be an offence under the Computer Misuse
Act 1990. These operations continue to be authorised under section 7 of the ISA. Our
priority in this area is to work with GCHQ to ensure that our Inspectors and JCs understand
the types of data involved during all phases of a relevant operation and scrutinise whether
the correct authorisation(s) are in place.
8.47
We have reviewed a sample of the relevant casework and are satisfied that these
operations are appropriately authorised under the ISA and IPA. Many of GCHQ’s internal
processes and safeguards do not take into account the method of authorisation and will
ensure that data obtained is handled to meet stringent safeguards, irrespective of how
the operation is authorised. Given the sensitivity of that work, we are not able to disclose
details of the specific operations.
8.48
In 2017, we stated that we were not satisfied that GCHQ were properly capturing the
likelihood of obtaining legal professional privilege (LPP) material. The IPA implements
specific safeguards in relation to the handling and retention of LPP material, which must be
approved by the IPC. We are confident that GCHQ have put processes in place to meet the
requirements of the Act and to ensure that warrantry accurately represents the likelihood
that LPP material will be obtained. We are satisfied that GCHQ are identifying LPP material
and handling it in accordance with those safeguards.