6
Investigatory Powers Commissioner ’s Annual Report 2019
1. Introduction by the
Investigatory Powers
Commissioner,
Sir Brian Leveson
I am delighted to present what is, in reality, my first Annual Report as Investigatory Powers
Commissioner (IPC). As required by section 234 of the Investigatory Powers Act 2016 (IPA), the
Report sets out details of the how the functions of the Judicial Commissioners were carried
out during 2019. I have also chosen, although not obliged by legislation, to provide additional
information on the activities of the Office for Communications Data Authorisations (OCDA), which
also operates under the jurisdiction of the IPC. OCDA makes decisions on whether to grant or refuse
communications data requests and, in the process, ensures that all requests are lawful, necessary
and proportionate; it became fully functional during the course of 2019.
After my appointment in October 2019, I was responsible for despatching the annual report for
2018 which reported on the work of IPCO during the stewardship of the Rt. Hon. Sir Adrian Fulford.
To a very large extent, the activity outlined in this report also took place when he was the IPC.
I acknowledged his work last year but repeat that we owe him a real debt of gratitude: he left both
IPCO and OCDA in a very strong position.
The operation of the 2016 Act was an entirely new area of work for me and I have found my first
few months in the role tremendously interesting. I must also report that I have been very impressed
by the energy and commitment of the Judicial Commissioners, the members of the Technology
Advisory Panel and all of the staff at IPCO and OCDA. I am confident that, together, we can continue
to provide a very high standard of scrutiny and oversight to ensure that the use of covert powers by
the UK fully complies with its human rights obligations.
On the whole, I have also been impressed by the high level of compliance with the legislation and
relevant Codes of Practice. This can be seen both through the reports on the inspections of this
activity and from the low proportion of errors that are reported. Having said that, however, we
have seen two large scale errors during the year, one at MI5 and one at HMRC. Both of these led
to focused inspection work by IPCO and are addressed in greater detail in Chapters 8, 12 and 18 of
this report. Such errors highlight the importance of continued vigilance in the face of change and of
embedding strong compliance cultures across public authorities exercising intrusive powers. I am
very pleased that both organisations recognised the gravity of the issues that were uncovered and
both have addressed them in a comprehensive way.
In response to the issues which arose in MI5, IPCO has instigated a thorough review of data
assurance across all of the public authorities we oversee. The aim of the review is to ensure that
responsibilities for data handling, retention and destruction properly are understood across all
public authorities and that, where necessary, actions are in train to ensure those responsibilities
are being met. This is a major piece of work which was originally expected to take between 18
months and two years. You can find more information on the approach that is being taken later in
this report.