56
Investigatory Powers Commissioner’s Annual Report 2019
9.27
As noted in 2018, we have seen evidence that most datasets held by SIS need to be
made available to all mission areas. This is necessary to allow that data to be used most
effectively and is compliant with the CoP. We therefore did not expect to see, and did not
see, any requests to modify operational purposes in 2019.
Safeguards
9.28
Following the data compliance issues identified at MI5 (see paragraph 8.44 to 8.58) we had
detailed discussions with SIS about the safeguards in place to protect their warranted data.
Overall, SIS systems and processes appeared to be compliant with IPA safeguards, but we
will conduct a further in-depth inspection focussing on safeguards during 2020. We expect
SIS to continue to review their estate for potential risks and vulnerabilities in relation to
data handling.
9.29
We found that the current handling arrangements introduce the risk that analysed data,
which it is not necessary and proportionate to retain, is left by mission teams on the
corporate records storage system. Unless manually removed, this data would persist in this
system in line with SIS’s corporate records policy. SIS should review their policy on how
warranted data is handled and stored in their central records system. This review should
ensure that no warranted data persists in the central records system when there are no
longer any authorised grounds for retaining it.
9.30
In order to establish a higher level of assurance we have recommended that SIS should
also develop a centralised record of all the processes used by mission teams for handling
warranted data. This process should include consideration of how standalone systems are
used: systems with no central connectivity, and which may be only used by a small number
of individuals, are highly secure but are likely to require manual deletion processes. This is
a potential weakness in data management if the process and policies behind this are not
centrally coordinated.
9.31
SIS identified potential risks regarding processing of TEI warranted data in two of their
tasking and processing systems at one of their facilities. We visited the facility twice during
the year, first for an initial briefing and then to follow up with a more detailed briefing of
the remedial work that had taken place. These risks have now been addressed. We will visit
this site on an annual basis going forward.
9.32
We also identified, in consultation with SIS, a number of other areas for potential
improvement in line with best practice. We expect to work with SIS throughout 2020 to
gain assurance that all systems and environments to handle and store data obtained under
investigatory powers are compliant.
Section 7 of the Intelligence Services Act 1994 (ISA)
9.33
Our inspections of SIS’s reliance on section 7 include examination of submissions to the
Foreign Secretary, which set out the proposed operation and the legal basis for conducting
planned acts under the ISA. We interview officers involved in cases that we have selected
for review and invariably speak to individuals working overseas on each case, as well as
the central policy teams and legal advisors responsible for advising those officers. We have
found in general that officers have received comprehensive training before being deployed
and demonstrate a good level of awareness of the legal framework. Year on year, we have
seen an improvement in the documentation of decision making by operational staff. Our
2019 inspections found that each submission is underpinned by a series of records of