Investigatory Powers Commissioner’s Annual Report 2019
TE2: Errors reported to IPCO
8.55
In the course of its internal investigation into the compliance problems with TE1, MI5
also identified a number of relevant errors associated with the handling of warranted
data within a second technology environment, TE2. These all arose because of a failure
consistently to apply the correct retention period to some of the data held in particular
parts of TE2, such that the data was being retained by MI5 longer than was necessary in
pursuit of its statutory functions. Having reviewed these errors with MI5, we are satisfied
that MI5 is taking all reasonable steps to delete the data concerned and ensure that similar
errors do not arise in future. Whilst these errors were reported to IPCO in the course of
MI5’s investigation into TE1, we are confident that TE2 does not present compliance risks of
a similar scale to those presented by TE1 in the early part of 2019.
Compliance Improvement Review
8.56
In response to the compliance problems identified in TE1, the then Home Secretary
commissioned Sir Martin Donnelly in May 2019 to lead an independent review to identify
lessons which could be learned for the future. Known as the Compliance Improvement
Review (CIR), Sir Martin’s report was published on 15 July 2019. A summary of the report’s
conclusions and recommendations is available on gov.uk.20
8.57
One of the CIR’s recommendations required IPCO’s involvement:
There should be an urgent programme to provide staff, including contractors, with
tailored best practice training on MI5’s statutory obligations in respect of handling
warranted data. This should draw on experience elsewhere in UKIC, with input from
IPCO’s inspectorate on the level of detail required.
8.58
In response, MI5 has shared the content of its new and improved training programme with
us in draft, and we are in dialogue with them about their future training plans. The material
we have seen to date is sufficiently detailed to give staff a comprehensive understanding of
the compliance and legal requirements which are relevant to their respective roles.
Consolidated Guidance
8.59
MI5 has a clear and comprehensive internal policy to ensure its officers comply with the
Consolidated Guidance. This includes a requirement that an internal form be completed
any time MI5 is involved in activity that engages the Consolidated Guidance, even if the
proposed course of action is low risk.
8.60
Where MI5 teams are passing intelligence to higher risk foreign liaison partners, they are
almost always doing so in reliance on SIS ministerial submissions which are separately
inspected by IPCO. As such, the decisions MI5 makes internally tend to be at the lower
end of the risk spectrum. We have recommended to MI5 that, where appropriate, they
might consider making greater use of so-called “thematic” internal forms. These set out
the evidence behind MI5’s judgement that all intelligence sharing with a particular partner
is low risk, and permit MI5 to share intelligence with that partner in cases that engage the
Consolidated Guidance for the next six months unless there are reasons to believe the risks
have changed.
20 Sir Martin Donnelly, “Compliance Improvement Review” (15 July 2019), www.gov.uk/government/
publications/compliance-improvement-review
49