UK Investigatory Powers Bill and bulk personal datasets
The UK Government has published a number of documents that provide guidance about the Investigatory Powers Bill. These will be of particular interest to those with an interest in counter terrorism matters, writes Roger Gomm.
Bulk personal datasets are held on electonic systems for analysis by the security and intelligence agencies (123rf / Faithie)
Bulk Personal Datasets are sets of personal information about a large number of individuals, the majority of which will not be of any interest to the security and intelligence agencies. The datasets are held on electronic systems for the purpose of analysis by the security and intelligence agencies. Examples of these datasets include the electoral roll, telephone directories and travel-related data.
The Bill argues that bulk personal datasets are essential in helping the security and intelligence agencies identify subjects of interest or individuals who surface during the course of an investigation, to establish links between individuals and groups, to understand better a subject of interest’s behaviour and connections and quickly to exclude the innocent. In short, they enable the agencies to join the dots in an investigation and to focus their attention on individuals or organisations that threaten our national security.
Currently the security and intelligence agencies have powers under the Security Service Act 1989 and the Intelligence Services Act 1994 to acquire and use information to help them fulfill their statutory functions, including protecting national security. The use of bulk personal datasets is subject to stringent internal handling arrangements and the regime is overseen by the Intelligence Services Commissioner. Datasets may be acquired, using investigatory powers, from other public sector bodies or commercially from the private sector.
In the future if the Bill becomes law (statute) it will provide robust new safeguards that apply to the retention and examination of bulk personal datasets.
The Bill suggests safeguards in the form of two types of warrant – class BPD warrants and specific BPD warrants. Class BPD warrants will authorise the retention of a class of BPDs, such as certain kinds of travel data. Specific BPD warrants will authorise the retention of a specific dataset – this could be because the dataset is of a novel or unusual type of information, so does not fall within an existing class BPD warrant, or because a dataset raises particular privacy concerns that should be considered separately. Both types of warrant last for six months. They will be issued by the Secretary of State, who must consider that the warrant is necessary and proportionate and adequate measures are in place to store the datasets securely.
As will be the case for interception and equipment interference authorisations, a Judicial Commissioner must also approve the Secretary of State’s decision to issue the warrant. The Bill provides for urgent specific BPD warrants that must be approved by a Judicial Commissioner three working days after they have been authorised by a Secretary of State.
A statutory Code of Practice will set out additional safeguards, which apply to how the agencies access, store, destroy and disclose information contained in the bulk personal datasets.
The Investigatory Powers Commissioner will oversee how the agencies use these datasets. Supported by a team of Judicial Commissioners and technical and legal experts, the Commissioner will audit how the agencies use them and they will report publicly on what they find.
In summary, the key provisions are:
The Bill provides for new safeguards in respect of the security and intelligence agencies’ retention and use of bulk personal datasets
Class and specific BPD warrants are subject to the ‘double lock’ authorisation safeguard
The data can only be examined for the Operational Purposes specified on the warrant and agreed by the Secretary of State and Judicial Commissioner
The Code of Practice will provide clear guidance on whether it is appropriate to seek a specific warrant for a particular dataset
In considering whether a class warrant should be renewed, the Secretary of State will consider the datasets held under the warrant
The Bill places time limits on the initial examination of bulk personal datasets
Roger Gomm is Security & Counter Terrorism Correspondent and Member of CRJ’s Editorial Advisory Panel