A Democratic Licence to Operate

2007, for example, HMRC lost the data relating to all families in the UK receiving child-benefit payments (approximately 25 million recipients), causing a significant shift in the
public’s perception of personal data security.
1.60

European and UK data-protection regulation provides for exemptions for law-enforcement
and intelligence agencies to store certain types of data. The ISR Panel were told that only
relevant information from stored data is ever released (for example, only the relevant
sections of a transcript from a telephone interception should be distributed to those
with a valid requirement for seeing it).60 Stored data must be destroyed by the agencies
‘as soon as there are no longer any grounds for retaining it as necessary for any of the
authorised purposes’.61 In June 2015, the IPT ruled that, while the interception by GCHQ
of the e-mails of two human-rights organisations was legal, it subsequently retained
these e-mails for longer than it should have, violating its own internal procedures.62

1.61

The ICO has advised all organisations that, under the Data Protection Act (DPA) 1998,
they should ‘identify the minimum amount of personal data you need to properly
fulfil your purpose’ and should ‘hold that much information, but no more’.63 The
Interception of Communications Commissioner’s Office (IOCCO) has also undertaken a
significant review of the retention, storage and destruction of intercepted material at
all the interception agencies. This investigation found that ‘every agency has a different
view on what constitutes an appropriate retention period for material’. All of IOCCO’s
recommendations for the SIAs were accepted, leading to a ‘significant amount’ of
material being destroyed. In some circumstances the maximum retention periods for
interception and communications data have been halved.64

1.62

The SIAs will review the utility of any bulk data set they have acquired (through whatever
means) on a regular basis; if there is no reasonable or legitimate reason for keeping the
data set, then it will be disposed of. Within MI5, for example, different bulk personal data
sets have a review period of six months, twelve months or two years, depending on
the sensitivity of the data they contain.65
Access to Data

1.63

Businesses can interrogate their own data records at their choosing and use individuals’
data on the basis of their consent (for instance, via the terms and conditions, or T&Cs, accepted at sign-up)
or another legitimate basis, and pass or sell on this data to third parties – including
government, law-enforcement and intelligence agencies. In order for these agencies
to access information held by CSPs and ISPs, however, they must go through legally
60. ISR visit to GCHQ, December 2014.
61. See the Regulation of Investigatory Powers Act 2000, Section 15(3).
62. BBC News, ‘GCHQ “Broke Rules” When Spying on NGOs’, 22 June 2015.
63. ICO, ‘The Guide to Data Protection’, Version 2.2.20, p. 33.
64. May, Report of the Interception of Communications Commissioner: March 2015, p. 33.
65. ISC, Privacy and Security, p. 58.