Investigatory Powers Commissioner’s Annual Report 2019
Data assurance
12.57
As detailed in chapter 7, we have initiated a programme of work to investigate the data
handling processes across all of the authorities we oversee. As the first stage in our data
assurance programme, we required all LEAs to complete a self-assessment of their current
processes and identify potential vulnerabilities in their data handling model. At the end of
2019 this programme was in its early stages, but we had identified some potentially serious
shortcomings which need to be addressed. It is worth noting that we have no sense that
any agency has deliberately mishandled data, but the following themes will help give a
focus to our work with LEAs in 2020.
12.58
In relation to the IPA, the self-assessments did not highlight any issues with targeted
interception material, which is handled on bespoke workflow systems which do not allow
the download of information to be stored elsewhere. The self-assessments suggested that
there may be some vulnerabilities in the handling of targeted equipment interference
material, in particular that data might be shared using emails and stored to personal or
shared desktops for analysis. This issue will be investigated thoroughly before we confirm
whether there are any errors in handling this data. Our concern here is that email systems
are not subject to automatic retention, review and disposal processes. This means people
may file emails in folders for future review and then not delete the material in line with
the schedule. In most organisations emails automatically back up and are capable of being
recovered after deletion, meaning that the material contained in the email is retained on
a server longer than is anticipated by the recipient. Similarly, our concern in relation to
personal and shared desktops is that, at the end of an operation, officers will not always
delete all the material they have stored. It is also possible that if officers can hot desk, then
certain systems will back up the data on individual computers. This could mean that if an
officer logs into computers A, B and C over a month and, at the end of the operation logs
into computer A and deletes the material from his personal desktop, a shadow copy of the
material might be retained, and still technically be accessible, on computers B and C despite
not showing on his desktop viewer. We will need to investigate the implications of these
concerns at each force individually.
12.59
Police forces use one of three commercially available workflow systems for handling CD.
The self-assessment responses have suggested that one of these systems does not have
a disposal capability and a second does not automatically apply review and disposal
processes. We are therefore concerned that a substantial proportion of communications
data material is not being deleted appropriately. We have also noted that emails are used
to obtain material from certain telecommunications operators (TOs). In most cases, we
believe that data can be exported from the workflow systems for analysis and saved to
personal and shared desktops. We will investigate the extent of this vulnerability with each
force we oversee and at a national level given the commonality of the issue.
12.60
Property interference and surveillance techniques rely on a range of systems and
equipment which are retained and handled within specialist units. It has therefore been
difficult to identify trends from the initial returns so we will investigate this issue with
operational teams throughout 2020.
12.61
LEAs implement exceptionally tight controls around CHIS material because of its sensitivity
and the crucial importance of safeguarding CHIS identities. We were therefore not
surprised to find that self-assessments detailed the use of workflow systems that are only
accessible to a small number of individuals and from which nothing can be downloaded.
The retention period of all material relating to a CHIS is typically longer than for other
forms of data because it may be necessary to access it for the CHIS’s protection, throughout
95