The UK’s MI5 security agency may have broken the law by holding on to large volumes of data without the proper protection, according to documents from the British Supreme Court.
The registry of the Supreme Court shows no record of the case receiving a final court decision, but that doesn’t mean there were no proceedings.
The 10 internal documents, which include letters from the most senior officials inside MI5, including correspondence from director Sir Andrew Parker, show repeated breaches of compliance, relating in particular to the storage of citizens’ data.
Letters to MI5 from the Investigatory Powers Commissioner’s Office (IPCO) – the body responsible for ensuring privacy protections are upheld – refer to “the undoubtedly unlawful manner in which data has been held or handled.”
On March 11th 2019, a letter from MI5’s director of policy, compliance, security and information reveals that an MI5 compliance team identified in January 2016 that “data might be being held in ungoverned spaces in contravention of our policies.”
The documents state that the MI5 allegedly broke the law because the “the task [of complying with it] was too large,” after initially beginning mitigation work in January 2018.
Compliance gaps were coded as red, amber or green, in relation to their severity. Several practices were colored red, including “review, retention and deletion”, which refers to data held on private citizens.
In general, the civil liberties group Liberty brought the legal challenge to the Supreme Court on June 11th.
In general, the claims against the MI5 include the following, as per the release by the watchdog group:
- Illegal actions: The Commissioner concluded that the way MI5 was holding and handling people’s data was “undoubtedly unlawful”, setting out that: “Without seeking to be emotive, I consider that MI5’s use of warranted data… is currently, in effect, in ‘special measures’ and the historical lack of compliance… is of such gravity that IPCO will need to be satisfied to a greater degree than usual that it is ‘fit for purpose'”.
- MI5 knew for three years before informing IPCO: MI5 failed to maintain key safeguards, such as the timely destruction of material and the protection of legally privileged material. This, says Lord Justice Fulford created “serious compliance gaps” in its legal duties. Shockingly, these gaps first became clear to MI5 staff in January 2016, and the MI5 board in January 2018, but were only brought to IPCO’s attention in February 2019. Even then Fulford accuses MI5 officials of continuing to use “misleading euphemism” when describing their failure.
- False assurances: Warrants for bulk surveillance were issued by senior judges (known as Judicial Commissioners) on the understanding that MI5’s data handling obligations under the IPA were being met – when they were not. The Commissioner has pointed out that warrants would not have been issued if breaches were known. The Commissioner states that “it is impossible to sensibly reconcile the explanation of the handling of arrangements the Judicial Commissioners were given in briefings…with what MI5 knew over a protracted period of time was happening.”
The MI5 appeared to be fully aware of the situations, since a senior MI5 official allegedly admitted to the Commissioner that personal data collected by MI5 is being stored in “ungoverned spaces”, while the MI5 legal team claims there is “a high likelihood [of material] being discovered when it should have been deleted, in a disclosure exercise leading to substantial legal or oversight failure.”
There was also a statement by Home Secretary Sajid Javid admitting that MI5 did, in fact, breach the Investigatory Powers Act (IPA).
According to the statement, the Investigatory Powers Commissioner’s Office concluded those risks were “serious and required immediate mitigation”. Home Secretary Sajid Javid has said that he will now launch an independent review of this incident.
The statement as of June 12th appears to be unreachable.
The IPA provides the security services with extremely broad powers, under warrants issued by ‘Judicial Commissioners’, to hack computers and phones and intercept people’s communications. These powers allow the Government to carry out “bulk surveillance” on huge numbers of people who are of no intelligence interest. That information is then stored by the security services for potential investigations in the future.
In September 2018, Liberty, along with 13 other human rights and journalism groups and two individuals, won its challenge to the UK’s previous surveillance regime at the European Court of Human Rights. The European Court found that the UK’s previous regime for bulk interception of data was unlawful.
MORE ON THE TOPIC:
- UK Defense Secretary Fired Over Alleged National Security Council Leak To Huawei
- UK Foreign Secretary Defends Torturing Journalists, Then Says We Must Protect Journalists