
Investigatory Powers Commissioner’s Annual Report 2019

10.33

Currently, our oversight of the Equities Process is being conducted on a non-statutory
basis. We expect the Government to keep this under review but will continue to conduct
oversight of this important process.

Inspections of the Equities Process
10.34

We conducted two initial visits to GCHQ in 2019. During these two visits, we were briefed
in detail on how the Equities Process works in practice and familiarised ourselves with the
processes and concepts involved. We made some initial recommendations to GCHQ, which
were focused on gathering further information and identifying areas which require more
detailed investigation in 2020. We also made a number of recommendations about how
the decision-making process itself could be improved. Whilst we saw evidence that GCHQ
is making careful, evidence-based decisions about individual vulnerabilities, we queried the
extent to which GCHQ is assessing the aggregate risk of these decisions over time.
Equities Process decisions should refer explicitly to NCSC assessments about cyber
risks where these are relevant to the risk of retaining the vulnerability in question.

10.35

Our other key recommendation in 2019 was for GCHQ to consider how ministerial oversight
of the Equities Process could be improved. We expect to see GCHQ’s first annual report
on the Equities Process, which will be addressed to the Foreign Secretary, in due course.
We have also underlined to GCHQ the importance of ensuring the Foreign Secretary can
exercise his duty, under section 2 of the IPA, to have regard to the public interest in the
integrity and security of telecommunication systems. This should include the extent to
which the Foreign Secretary needs to have sight of GCHQ’s judgements about the impact
decisions taken under the Equities Process may have on such systems.

Bulk communications data (BCD)
10.36

One GCHQ bulk acquisition warrant which relates to several telecommunication operators
commenced in February 2019 and has been renewed since. Similar to MI5 (see paragraph
8.35), GCHQ has a system used by their analysts to outline why the examination of specific
data is both necessary and proportionate. This allows subsequent examination or audit of
the activities of specific members of staff who are authorised to undertake the examination
of BCD. These records will also include details of any sensitive information, such as that
relating to sensitive professions, which might be examined. Through our inspections, we
concluded that GCHQ’s recorded justifications to undertake the examination of BCD were
of a good standard and satisfied the principles of necessity and proportionality. We were
satisfied that no unnecessary examination of sensitive material is being made.

10.37

As we explained in the 2018 report, we made recommendations as to how the training and
guidance provided to analysts could be delivered to highlight the requirement for clarity
within their justifications. This could be done, for example, by using simple text setting out
what operational benefit is sought when undertaking the queries. We are satisfied that
training, and awareness of the requirements set out in the CoP, is now maturing, and that
the justifications being recorded by the analysts are detailed and yet concise.

10.38

GCHQ’s Internal Compliance Team carries out robust retrospective audit checks of the
analysts’ justifications for the selection of BCD. When the internal audit team identify
that necessity or proportionality justifications recorded by particular analysts are below
the minimum requirements, the Policy and Compliance Lead is responsible for ensuring
that the analyst is made aware. The Policy and Compliance Network is a network of
staff distributed throughout GCHQ who are responsible for compliance in their areas.
