Investigatory Powers Commissioner’s Annual Report 2019

Data Assurance
7.19

Data assurance is a new programme of work that was launched in 2019 by the then
Investigatory Powers Commissioner (IPC), Sir Adrian Fulford. This programme was initiated
in response to the compliance issues identified at MI5, described elsewhere in this report
(see chapter 8). This is an evolving area of work which will be resourced with two dedicated
specialist Inspectors in 2020 and which has implications for all the authorities we oversee.
We use the term “data assurance” to refer to the process of ascertaining that appropriate
safeguards are in place for all data derived from the use of investigatory powers. Our
objectives for this programme are:
• to inspect and investigate compliance with data safeguards to establish a high level of
confidence that all data obtained under the powers overseen by the Investigatory Powers
Commissioner’s Office (IPCO) is retained lawfully;
• to embed and encourage best practice for compliance at each authority we oversee; and
• to assist the authorities we oversee to understand and investigate the compliance
challenges arising from the use of bespoke, off-the-shelf and shared data handling
programmes and technical storage environments.

7.20

Our methodology for this needs to be flexible and, given the scale of the activity we
oversee, needs to take a risk-based approach. We therefore separated all the authorities
into three groups. Group one is where we have focused the initial phase of our work and
consists of LEAs and the intelligence agencies. The second group relates to wider public
authorities grouped by available powers, with a third group for local authorities and those
public authorities with similar powers. The first group are typically high-volume users of a
wide range of powers, including those authorised under the IPA, so we therefore judge that
it is appropriate that we investigate any potential non-compliance at these organisations
as a priority. Conversely, the last group are typically low-volume users and in many cases
are not currently obtaining any data under their powers. It is right therefore that we take a
proportionate approach to our investigations.

7.21

As described at chapter 8, we have worked closely with MI5 to investigate compliance
concerns in relation to a specific technical environment and have discussed the implications
for the wider IT estate and future IT development. We had similar discussions over the
summer with GCHQ and the Secret Intelligence Service (SIS) and have initiated safeguards
inspections which will be conducted from 2020.

7.22

For group one, in the autumn, we wrote to all LEAs asking them to complete a self-assessment of their data holdings.

7.23

By the end of 2019 we had conducted an initial analysis of these returns and had identified
key vulnerabilities which required further investigation (these are set out in chapter 12).
We had originally intended to visit all forces in the UK throughout 2020 and had hoped to
present findings in our 2020 report. However, this work has been delayed by the pandemic
and, although we will have visited all forces where key vulnerabilities will have been
identified by November 2020, there will be some forces where a visit will not have been
possible. Therefore, we now expect this work to continue into 2021 and we will provide an
update on this in next year’s report.

7.24

For group two of the programme we have requested that public authorities should
complete a self-assessment. Analysis of these returns is ongoing.
