MI5 accused of withholding surveillance compliance failures from cabinet minister

MI5 withheld high-risk concerns about its ability to comply with legislation from the home secretary when it submitted applications for surveillance warrants, NGOs Privacy International and Liberty claimed last week

MI5 withheld critical information from the home secretary when it applied for warrants to gather telephone and internet data, Britain’s most secret court has heard.

The security service is accused of failing to report details of serious legal compliance concerns over the storage and deletion of surveillance data stored on its IT systems.

Lawyers representing the campaign groups Privacy International and Liberty argued that MI5 had “failed in its duty of full and frank disclosure” to the Home Office.

They claimed that the then home secretary, Amber Rudd, also failed in her duty to investigate MI5’s compliance failures when the agency belatedly alerted her in 2016.

That effectively made surveillance warrants issued by the Home Office unlawful, the Investigatory Powers Tribunal heard during a two-day case management hearing last week.

MI5 first disclosed compliance failures in “ungoverned spaces” during legal action brought by Privacy International in 2015 to challenge the legality of bulk surveillance by the security and intelligence agencies.

Documents later disclosed by MI5 during a case brought by Liberty showed that MI5 had sought and obtained bulk interception warrants on the basis of misleading statements.

Systematic failure

Speaking after the hearing, Ilia Siatitsa, programme director and legal officer at Privacy International, said: “There appears to be systematic failure by MI5 to comply with human rights standards.

“For more than a decade, MI5 has been collecting vast troves of our personal information while documents today reveal that they knew that there were serious risks of compliance.”

Because of Covid restrictions, lawyers, journalists and observers joined the case through a telephone conference line, but had difficulties hearing the full proceedings.

MI5 had compliance problem from at least 2014

Documents disclosed in court showed that MI5’s management board was aware of compliance risks in what it called the “technical environment (TE)” from at least 2014.

Summarised minutes of a management board meeting from that year showed that MI5’s record, retain and delete (RRD) policy had not been applied to much of MI5’s data and that the agency kept a “vast amount of data” that was not needed.

A year later, an internal report warned that MI5 was holding data unlawfully and that it had “undoubtedly” retained material that “should have removed from the [IT] estate”.

MI5 had put in place a plan to remedy information management risks “inherent in the system”, following a major compliance failure in the agency’s technical environment by October 2016, according to a previously secret report.

The plan led to partial mitigations of some key areas of risk on its completion, but the report warned that not enough had been done to ensure this “legacy risk doesn’t increase” in the future.

“In the context of information management, our limited understanding of what is on the system means we are unable to apply effective review, deletion and discovery techniques,” it said.

Thomas de la Mare QC told the court that although MI5 was required to make “full and frank disclosure” to the secretary of state when requesting surveillance warrants, it had failed to do so until February 2019 at the earliest.

“MI5 made two mistakes by saying that everything was tickety-boo and that there were no facts the secretary of state should be made aware of,” he said.

The security service also failed to fully report its compliance problems to its regulator, the Investigatory Powers Commissioner (IPC), de la Mare told the court.

“Notwithstanding knowledge at the highest level at MI5, MI5 did not report the issue, and when it reported the issue to the IPC, it was not full and frank,” he said.

“There does appear to be a conscious or reckless decision within MI5 not to disclose the totality of the compliance problems they had.”

Under the Regulation of Investigatory Powers Act, that failure meant all warrants were invalid, said de la Mare.

“MI5 had a compliance problem, they knew they had a compliance problem, they told no one at all – or no one adequately – about the compliance problem and they obtained warrants without disclosing a compliance problem,” he said.

MI5 did not warn home secretary of risks

The NGOs argued that then home secretary Rudd failed in her duty to make proper enquiries after the spy agency informed her that there were serious risks that it may not be compliant with legislation in 2016.

MI5 wrote to Rudd in December that year, warning that there was a “relatively longstanding” risk that MI5 was not compliant with the “relevant legislation” on information handling. It rated the risk as “red” – the highest risk category.

The then director general of MI5, Andrew Parker, apologised to Rudd for the errors following a meeting with her on 23 January 2017, according to previously classified documents.

Parker told Rudd that the agency had started a programme to strengthen MI5’s processes and to prepare for the introduction of the Investigatory Powers Act 2016.

In March, MI5’s deputy head wrote to the home secretary, again reporting that there was a “very high” risk that MI5 was not complaint with its statutory obligations, particularly on information handling, and that there was a risk of “substantial legal/reputational damage”.

By October, the Home Office was aware that MI5’s timetable for reducing the risk from red (very high) to orange (high) has slipped from late 2017 to mid-2018.

In December, MI5 again alerted the home secretary to the “red” risk that MI5 did not comply with statutory obligations. It said the rating reflected the long-term challenge of ensuring compliance with legal and other obligations.

De la Mare told the court that MI5 had also failed in its “duty of candour” by failing to disclose relevant information on its compliance to the Investigatory Powers Tribunal (IPT) during earlier litigation brought by Privacy International and Liberty.

Tribunal not a ‘state trial’

Privacy International and Liberty argued that they should be allowed to amend their legal pleas following MI5’s disclosure of a significant number of documents at short notice before last week’s hearing.

The move was opposed by the government, which argued that the tribunal was not meant to police the system – that job belonged to the IPC – and that the court should not engage in a “state trial”.

Sir James Eadie QC for the government argued that allowing the NGOs to change their pleas to introduce “full and frank disclosure” as a full-blown argument would delay the proceedings.

“It is a pretty serious allegation and one that would need to be responded to accordingly,” he said.

Eadie said that the secretary of state and those responsible for issuing warrants had already acknowledged that they had issued warrants without knowledge of the facts. “That is an admission of unlawfulness,” he said.

“This is not a state trial. This is not an exercise in the tribunal being invited in an open way to investigate all technology failures.”

Eadie said the IPT was not the “policeman of the system” – that job belonged to the IPC.

Speaking after the case, Siatitsa said MI5 had told the IPT in 2015 that it had robust procedures in place to protect data collected about the population.

“MI5 guaranteed that robust safeguards were in place so that such data would be safe and protected,” she said. “Yet it turns out that those safeguards were in some cases illusory and MI5 has known that for a very long time.”

The trial is now expected to be held in May or June 2021.

The case continues.

Internal documents reveal MI5 was aware of legal compliance risks from 2010

2010: MI5’s management board is made aware of compliance failure risks. It identified its “technical environment” as high risk.

2011: A compliance review recommends mandatory training for users and the implementation of a retention and deletion policy.

2012: A review of MI5’s “technical environment” examined “user security practices”. MI5 said that it was unclear what steps were taken to implement its recommendations.

May 2013: MI5 management board discusses a paper setting out serious information management risks. It notes that the work was under-resourced given the scale of the problem, and lacked urgency.

2014: MI5 notes a number of risk in its “technical environment (TE)”.

Nov 2014: MI5 identifies that it is at risk of substantial “legal or oversight” failure when gathering information for legal discovery.

2015: An MI5 2014/15 management board performance report warns of the security service’s lack of a formal, comprehensive and effective record, retain and delete policy.

2015: MI5 records in its risk register that it is unable to create, store or retrieve information in a secure, accessible way due to the inadequacy of one of its information handling applications.

January 2016: An MI5 lawyer warns there is legal risk that the security service held data in “ungoverned places”. The paper said there was a considerable risk that MI5 would fail to meet its duty under the Security Service Act to hold data only for as long as necessary.

15 January 2016: MI5 reports six instances of non-compliance with the bulk personal dataset (BPD) handling arrangements and 47 instances of non-compliance with bulk communications data (BCD) handling arrangements between 1 June 2014 and 9 February 2016.

2016: A 2015/16 management board performance report warns of the risk that information is not disposed of appropriately. It said that it undoubtedly had material that it  “should have removed from the [IT] estate”.

2016: A risk acceptance statement review of MI5’s “technical environment ” finds that “significant risks” found in the TE in a review in 2012/13 continued to persist. 

14 October 2016: MI5 concludes that there is a high likelihood that material that should be disclosed under legal discovery process would not be discovered, or that it would be discovered when it should have been deleted, “leading to substantial legal or oversight failure”. MI5 had been aware of the problem since 2014.

July 2016: An MI5 officer says in a witness statement to the Investigatory Powers Tribunal that there was adequate oversight and handling arrangements for BCD and BPDs, which collect sensitive data on the population.

October 2016: A paper produced for the directors of MI5 and others concludes: “There is a significant risk around the absence of compliance with relevant legislation, codes of practice and handling arrangements.”

15 December 2016: A Home Office note records that MI5 is at risk of not being compliant with the relevant legislation for information handling. This is a “relatively long-standing risk” classified as “red” on the risk register. MI5 has set up a department to introduce training, file reviews and new IT processes to improve compliance with legislation.

March 2017: An MI5 report on the “technical environment” identifies significant risks that it did not comply with relevant legislation and codes of practice and handling arrangements.

6 October 2017: MI5 reports that, contrary to its disclosure in February 2017, it held intercepted data from Privacy International in the “workings” area used by intelligence analysts, which had been collected unlawfully.

October 2017: A paper warning that there remains a legal risk in MI5 failing to find relevant information required for discovery in the “technical environment” is presented to four directors of MI5. It notes that MI5 continues to build some systems that do not have the capability to review, retain and destroy data properly.

January 2018: By now, the MI5 management board knew about serious problems with the way MI5 held data obtained through surveillance warrants in the “technical environment”, including failures to safeguard legal professionally privileged communications. The investigatory powers commissioner, Adrian Fulford, writes that MI5 should have reported the matter to him, and should have considered the legality of continuing to store operational data.

October 2018: An MI5 executive board paper again identifies compliance risks in the “technical environment”. This could lead to successful legal challenges, the loss of confidence of ministers, restrictions on warrants and reputational damage. It says MI5 is unable to provide “robust assurances” to oversight bodies.

4 February 2019: A deputy director of MI5 responsible for managing the legal and compliance teams says in a witness statement to the Investigatory Powers Tribunal that he is satisfied that MI5’s data-handling requirements are in compliance with RIPA.

27 February 2019: MI5 partially discloses compliance breaches first discovered in January 2016, in an oral briefing to the investigatory powers commissioner Adrian Fulford. IPCO inspectors had not identified the problems during earlier audits.

29 February 2019: A submission to the home secretary reports that MI5 planned to disclose two “key challenges faced by the TE” to the regulator, the Investigatory Powers Commissioner.

11 March 2019: MI5 provides a written briefing on its compliance breaches to IPCO. IPCO subsequently orders an audit of MI5 systems.

18-22 March 2019: IPCO carries out its first inspections of MI5’s “technical environment”.

29 March 2019: IPCO’s first inspection report finds that MI5 had a manual system in place for deleting material covered by legal professional privilege (LLP). However, MI5 can give little assurance that it has complied with any conditions imposed on the use and retention of the material. Some systems within the “technical environment” did not allow LLP material to be highlighted at all, and it was possible that flags marking material as LLP would not be carried over in “file shares”.

1 April 2019: MI5 updates its Handbook for judicial commissioners to highlight “mitigations” that would allow warrants to continue to be issued lawfully.

15-16 April 2019: IPCO carries out further inspections of the “technical environment”.

26 April 2019: IPCO’s second inspection report gives two red warnings – which, if left unfixed, would impact compliance – and three amber warnings on MI5’s “technical environment”.

3 May 2019: MI5 identifies compliance problems in “other areas”, including areas it called “technical environment 2, area 1 and area 2”, associated with bulk data collection. It reports that the area is challenging to investigate and that it has only been able to scan some of the files. MI5 was aware of some of the risks in 2016.

8 May 2019: Investigatory powers commissioner Adrian Fulford says MI5 appears to have been aware of a compliance risks in “technology areas 1 and 2” since 2016. Fulford, who had not been told of the breaches, asks MI5 for an immediate briefing, including whether MI5 had been in breach of the Investigatory Powers Act.

9 May 2019: Home secretary issues a written statement on compliance issues at MI5.

15 May 2019: MI5 discloses to Fulford that it did not know what information was held in “technical environment 2”, nor the associated “working practices” under which data is processed.

June 2019: A compliance improvement review concludes that “MI5 must ensure that all its data can be shown to be held in accordance with legal compliance requirements by June 2020”.

28 November 2019: Minutes record that MI5 has identified “significant” risks with legacy IT. MI5’s deputy director general said the risks were being managed appropriately and there was no requirement to brief the home secretary.

Read more on MI5 and surveillance

Read more on Privacy and data protection

Data Center
Data Management