The ISC’s Report of March 12, 2015 revealed that in addition to intercepting communications, the intelligence and security services acquire, share, and link together “Bulk Personal Datasets “containing personal information about a wide range of people,” and including hundreds to millions of records. Para. 151. The datasets are obtained through “overt and covert channels,” and the Director General of MI5 informed the ISC that Section 19 of the Counter-terrorism Act (2008) was deliberately added so that duties of confidentiality on the part of those who might share data would be overridden when the sharing was necessary for national security purposes. Although the ISC concluded that the Bulk Personal Datasets that the Agencies accessed were “related to national security investigations”(para. 151), independent assessment of that conclusion is prevented by the redaction from the ISC’s Report of the types of information contained in the datasets, the datasets currently held by the agencies, and the numbers of datasets held by MI6, GCHQ, and MI5 as of mid-2014.
The ISC noted that until its Report was published, the Agencies’ acquisition and use of Bulk Personal Datasets “was not publicly acknowledged, and there had been no public or Parliamentary consideration of the related privacy considerations and safeguards.” Para.158. While RIPA governs the interception of communications and acquisition of communications data, there are no legislative “restrictions on the acquisition, storage, retention sharing and destruction of Bulk Personal Datasets, and no legal penalties exist for misuse of this information.” Id.
The Committee recommended that “in the interest of transparency,” the intelligence and security services’ ability to use Bulk Personal Datasets “should be clearly acknowledged and put on a specific statutory footing.” Recommendation X. In addition, the ISC recommended that a statutory basis be established for the Intelligence Services Commissioner’s current practice of retrospectively reviewing the Agencies’ holding of Bulk Personal Datasets during his half-yearly inspection visits. The advisability of prospective, rather than retrospective, oversight of the Agencies’ decisions to acquire and use particular Bulk Personal Datasets Report was not considered.
The ISC also reported on the internal controls, including training, auditing, and disciplinary procedures, that the Agencies had established for the acquisition and use of Bulk Personal Datasets, but noted that “while these controls apply inside the Agencies, they do not apply to overseas partners with whom the Agencies may share datasets.” Para. 163.