Investigatory Powers Commissioner’s Annual Report 2019
Bulk communications data (BCD)
9.21
Consistent with their activity in 2018, SIS did not undertake bulk acquisition of
Communications Data (CD) in 2019. SIS continue to have access to certain BCD acquired by
GCHQ and MI5 where it is operationally necessary. We inspect how that data is used by SIS
at the other agencies and confirm that it is lawfully obtained and that disclosure between
the agencies is appropriate.
Bulk personal datasets (BPD)
9.22
As stated in last year’s report, we inspect all appropriate records held by SIS to assure
ourselves that it is necessary for SIS to retain and examine the range of BPDs they hold.
We also review their data handling policies and internal compliance structures. Since
transitioning to the IPA, SIS has introduced improvements to their handling control
and administration of BPD. The most significant is the development of a specific panel
which meets fortnightly to discuss BPD holdings. This panel, chaired and attended by SIS
managers, centrally manages the retention and deletion process for BPDs and considers
ways of improving compliance with the BPD provisions of the IPA within the organisation.
9.23
They have also introduced a monthly committee created to review systems, compliance and
safeguards in relation to new and existing datasets. The new committee’s remit is to:
• assess dataset compatibility;
• ensure an appropriate level of protective monitoring is in place;
• raise concerns or discuss development of systems; and
• manage compliance audit.
9.24
This is a welcome development, which reflects the importance of prioritising compliance
during systems development and testing. As is reflected in the findings of the compliance
review at MI5 and the Compliance Improvement Review recommendations made by
Sir Martin Donnelly (see paragraphs 8.56 to 8.58), compliance has not always been
prioritised at the earliest stages of development. This can make it necessary to retrofit
compliance requirements onto analytical systems or implement manual processes where
it would be preferable to have automatic review of holdings. SIS has created a third panel
centrally to manage the retention and deletion process, which we judge will improve
compliance further.
9.25
SIS has a complex IT structure with several legacy record systems. SIS has undertaken a
review to assess the risk that these systems might hold data which would now constitute
BPD under the terms of the IPA. This work is being completed as a second layer of
assurance, following a systems review which was conducted by each UKIC agency to ensure
that all datasets which should be authorised under the IPA are covered by a warrant. SIS
briefed the IPC on their initial findings from this review, and we expect to be briefed on the
full results and any actions which SIS will take at our next BPD inspection.
Operational purposes
9.26
Our oversight of use of SIS BPD confirmed that their use of operational purposes is
appropriate. SIS’s records kept in this regard are clear and demonstrate appropriate use of
this data.
55