MI5 transgressed Investigatory Powers Act while handling citizen data
14 June 2019
New documents have emerged that substantiate allegations that MI5, the UK’s domestic counter-intelligence and security agency, may have breached various provisions of the Investigatory Powers Act as far as the handling and retention of data belonging to citizens is concerned.
In May, in a Written Ministerial Statement in the House of Commons, Home Secretary Sajid Javid stated that even though the manner in which MI5 obtained information from the general public or the necessity and proportionality of doing so could not be questioned, there were relevant questions about how the agency treated such material such as how long it retained it, how many copies were made of the material, and to whom such information was made available.
However, Javid added that following the publication of a report from the Investigatory Powers Commissioner’s Office that highlighted serious issues in how MI5 handled material obtained by it, the agency had taken “immediate and substantial mitigating actions to address the concerns raised” and that “the Commissioner was satisfied that the mitigating actions put in place by MI5 were sufficient for him to continue lawfully to approve decisions to issue warrants to MI5”.
“The work MI5 do is absolutely critical, at a time when the threat from terrorism persists and continues to diversify. And the role of the Investigatory Powers Commissioner and his office is also fundamental to protecting our citizens, ensuring that our operational agencies are able to carry out their vital work in accordance with strict and proportionate privacy safeguards,” he added.
In response to the Home Secretary’s comments, Rt Hon Lord Justice Fulford, the Investigatory Powers Commissioner, said that he was reassured that “MI5 has taken immediate steps to introduce a series of mitigating actions in the light of that thorough review, and these actions – along with a programme of further measures that will be progressively implemented – provide sufficient reassurance that MI5’s handling arrangements within the particular area of concern are now satisfactory as regards warranted material”.
Investigatory Powers Commissioner termed MI5’s handling of citizen data “undoubtedly unlawful”
Despite such reassurances from the Home Secretary as well as from the Investigatory Powers Commissioner, human rights group Liberty recently stated that it was in possession of “10 documents and letters from MI5 and IPCO” that revealed how MI5 had transgressed the Investigatory Powers Act in how it handled information over the years and which forced the Investigatory Powers Commissioner to state that MI5’s actions had been “undoubtedly unlawful”.
“Without seeking to be emotive, I consider that MI5’s use of warranted data… is currently, in effect, in ‘special measures’ and the historical lack of compliance… is of such gravity that IPCO will need to be satisfied to a greater degree than usual that it is ‘fit for purpose’,” the Commissioner noted.
According to Liberty, even though MI5 staff were aware of such transgressions in January 2016 and the MI5 board came to know of it in January last year, the Investigatory Powers Commissioner was apprised of them as late as in February this year. The Commissioner than said that “it is impossible to sensibly reconcile the explanation of the handling of arrangements the Judicial Commissioners were given in briefings…with what MI5 knew over a protracted period of time was happening.”
“These shocking revelations expose how MI5 has been illegally mishandling our data for years, storing it when they have no legal basis to do so. This could include our most deeply sensitive information – our calls and messages, our location data, our web browsing history,” said Megan Goulding, a lawyer representing Liberty.
“It is unacceptable that the public is only learning now about these serious breaches after the Government has been forced into revealing them in the course of Liberty’s legal challenge. In addition to showing a flagrant disregard for our rights, MI5 has attempted to hide its mistakes by providing misinformation to the Investigatory Powers Commissioner,” she added.
GSHQ shared citizen data with HMRC & other third parties
This isn’t the first time that the manner in which investigative agencies in the UK collect information about citizens and handle such material has been called into question. In 2017, Privacy International appeared before the Investigatory Powers Tribunal (IPT) to state that intelligence agencies like the MI5 and MI6 have been processing bulk data belonging to citizens and sharing it with others without following legal safeguards.
Privacy International alleged that bulk personal datasets collected and monitored by MI5 and MI6 contain highly sensitive concent about citizens. These include their activities on social media sites, online dating sites and leave almost nothing to the agencies’ imagination.
“Such datasets are very intrusive. They contain information that goes right to the core of an individual’s private life,” the group contended.
The IPT was also told that a select group of researchers at the University of Bristol were also given access to bulk datasets that were stored by GCHQ. These data sets included every conceivable sensitive information like internet usage logs, call logs, online file transfers and lists of websites visited by citizens.
At the same time, GCHQ also shares bulk datasets with HM Revenue and Customs (HMRC). According to the petitioners, once such datasets were shared with external agencies, control over them was lost. At the same time, such datasets could also be used by intelligence agencies for purposes that may not have official or legal sanction.