46
Investigatory Powers Commissioner’s Annual Report 2019
monthly. Minutes, decisions and communications regarding the panel are available for
scrutiny during inspections.
8.39
We have observed the positive development of the BOP and note its impact in managing
internal compliance. We continue to seek greater clarity regarding the process MI5 uses to
carry out initial examinations of new data sets to better understand decisions to classify a
dataset as BPD or, for example, as targeted data. We were concerned by one unresolved
action on the BOP minutes around resolving discrepancies between allocations of BPD
between MI5 and SIS. It is possible, because of the different uses of the data and the
different cuts of data being held, that both agencies could hold the same dataset, or
versions of it, and that it could lawfully be categorised as bulk by one and targeted data
by the other. There is a risk that, if one of the agencies has incorrectly categorised the
data holding as targeted then that data would be held without appropriate warrant and
might not be subject to appropriate safeguards. We suggested that this question should be
resolved as a priority.
8.40
MI5 also enhanced their internal reviews of the justification used by staff to examine or
query BPD. In compliance with the CoP, each agency requires staff to justify why they need
to run a search on BPD in advance. For MI5 officers, this enables task-based searching,
which allows more than one search to be conducted on a theme. For example, if an
investigator is working to identify a specific individual or event they may conduct more
than one search of the BPDs available to them. The system will track those searches, and
the central audit team will review whether searches are appropriately justified. We have
advised that as the audit team grows in sophistication then they should focus on assurance
around this task-based process.
8.41
We have been pleased to note that the continuous review process required by the
IPA is now in place in relation to justification records and we have made a number of
recommendations to enhance and improve this process. This will be an area of greater
focus during next year’s inspection, when we intend to conduct more granular audit of
search activities conducted under specific justification records. In preparation for that, we
will also be looking more deeply into the safeguards in place for the systems holding BPD.
We have requested further details of staff access and the levels of systems’ audit.
Operational purposes
8.42
We continue to be satisfied that the use of operational purposes in relation to the
examination of BPD by MI5 is appropriate. The records kept in this regard are clear and
demonstrate appropriate use of this data.
8.43
As noted in 2018, we have seen evidence that the majority of datasets held by MI5 need
to be made available to investigators and analysts working across a range of business
areas. Specific, trained staff within certain areas of MI5 require this access to complete a
variety of operational tasks and we are satisfied that MI5’s approach is compliant with the
CoP and legislation. We did not expect to see, and did not see, any requests to modify the
operational purposes on a BPD warrant in 2019.
Non-compliance investigation and safeguards
8.44
As noted in our 2018 report, we were informed by MI5 in February 2019 of serious
compliance risks associated with certain technology environments in use by MI5 (here
after referred to as “TE1” and “TE2”). The detailed investigation launched by the then