GCHQ told analysts to assume surveillance 'bulk data' is legal

Documents obtained by charity Privacy International reveal insights into GCHQ’s collection of sensitive bulk data, as lawyers question the impact of surveillance on legal privilege, fair trials and protection of whistleblowers

GCHQ staffers working with bulk personal datasets are told to assume that the data they analyse has been obtained legally, internal documents from the electronic intelligence gathering agency reveal.

The disclosures form part of a cache of 100 intelligence agency documents obtained by pressure group Privacy International, disclosed during a legal case Privacy International is bringing against the government and security services.

Privacy International is contesting the lack of oversight over UK intelligence agencies collection of bulk personal datasets (BPDs), which could include communications information, medical records, bank and credit card, club membership, and membership of political or religious organisations.

The disclosures come amid concerns from barristers, solicitors and journalists that government surveillance is undermining the confidentiality of their work with clients, and is potentially putting the judicial process and the safety of whistleblowers at risk.

BPDs are used to identify persons or subjects of interest, uncover links between such persons and groups, and gain an understanding of their behaviour and connections. The security services see them as “an increasingly important investigative tool”.

Analysts told to assume all data is legal

A compliance guide which has been in operation since 2014, released as part of the cache, shows that GCHQ analysts have been told to assume that the data collected by GCHQ is legal.

“You can assume the data you analyse has been legally obtained, as long as policies on collection and targeting have been properly followed,” it claims.

Analysts are told to abide by three key tenets when searching datasets held on individuals – that their searches be authorised; necessary for the purposes of national security, the economic well-being of the UK, or the prevention of serious crime; and proportionate.

The documents disclosed to Privacy International show that the UK government’s intelligence services – GCHQ, MI5, and MI6 – routinely requisition personal data from potentially thousands of public and private organisations.

This includes data held by financial institutions and may also include anything from confidential NHS records to databases of people who have signed electronic petitions, the organisation said.

GCHQ guidelines for data analysts

Analysts have been told to follow three tenets when searching datasets held on individuals – that their searches be authorised; necessary for the purposes of national security, the economic well-being of the UK, or the prevention of serious crime; and proportionate.

“The individuals whose communications you examine have a right to privacy, so your work must conform to the standards of HRA [the Human Rights Act],” said the documents.

Each query-based system that makes data available to GCHQ analysts requires an HRA justification and must be logged for future audit, and it is the analyst’s responsibility to do so.

“The information revealed by this disclosure shows the staggering extent to which the intelligence agencies hoover up our data. This can be anything from your private medical records, your correspondence with your doctor or lawyer, even what petitions you have signed, your financial data and commercial activities,” said Millie Graham Wood, legal officer at Privacy International.

“This data is integrated into databases that could be used to build detailed profiles about all of us. The agencies themselves admit that the majority of data collected relates to individuals who are not a threat to national security or suspected of a crime,” she said.

Intelligence agencies have been collecting the data sets secretly for the past 15 years and are now trying to quietly put the powers on the statute book, through the Investigatory Powers Bill, for the first time, the pressure group said.

Legal profession alarmed by lack of oversight

The revelations have raised concerns among the legal professionals who claim state surveillance is undermining the legal professional privilege between lawyers and their clients, potentially undermining the right to a fair trial.

Jonathan Smithers, president of the law society, told Computer Weekly: “Legal professional privilege is vital to the administration of justice. It protects a client’s fundamental right to be candid and confidential with their legal adviser without fear that someone is listening in.

“It is essential that the Investigatory Powers Bill, currently before Parliament, contains stronger safeguards for legal professional privilege,” he said.

Evidence given by the Bar Council claimed that safeguards to protect lawyer-client privilege only covered some of the extensive surveillance powers introduced by the draft legislation, and those that exist are inadequate.

Journalists and members of Parliament have raised concerns that the Investigatory Powers Bill will make it impossible for whistleblowers to reveal wrong-doing or corruption to the press without risk of reprisals.

“The investigatory powers bill contains extremely intrusive and unnecessary surveillance powers that trample over the very principles of journalism, the bill will be a death knell for whistle-blowers of the future,” said Michelle Stanistreet, general secretary of the National Union of Journalists.

Bulk data sets criticised by Intelligence and Security Committee

The existence of BPDs was first revealed in an Intelligence and Security Committee (ISC) report, published in March 2015.

The report acknowledged that their collection and search “may be highly intrusive” and “impacts on large number of people.”

There has been minimal oversight and no clear legal regime governing the use of BPDs, and that GCHQ, MI5 and SIS had abused BPDs in the course of their work, the ISC said.

Subsequently, it emerged that the security services had used section 94 of the 1984 Telecommunications Act to force communications services providers to give bulk access to communications data.

Revealed: GCHQ guidelines for sensitive professions

The GCHQ compliance guide sets out cases where GCHQ’s surveillance targets have a higher expectation of privacy, notably when GCHQ gathers information that could affect fair trials, freedom of the press and freedom of religion.

Analysts are required to obtain a Combined Policy Authorisation (Copa), ratified by a senior government official before being signed off in GCHQ, the document reveals. Material subject to legal privilege must not be shared or acted on without GCHQ itself taking legal advice.

Each query-based system that makes data available to GCHQ analysts requires a justification under the Human Rights Act and must be logged for future audit, the document claims.

Privacy International aims to obtain declarations that both the use of BPDs and the use of section 94 powers are illegal, and is seeking orders against the government to discontinue their use.

GCHQ guidelines – intelligence gathering that requires special handling

Legally privileged information includes confidential legal advice communicated between a legal professional and a client, and communications between a legal professional and a client relating to litigation.

Journalistic information includes material created as part of a journalist’s work and held in confidence, whether implicitly or explicitly, as well as discussions around editorial policy and management, dissemination of which may damage press freedom.

Confidential personal information includes information relating to physical or mental health, or spiritual counselling. This may include consultations with doctors, medical records, or conversations between individuals and ministers of religion.

Communications with UK legislators includes any and all communications with MPs, the Lords, members of the Scottish Parliament, Northern Ireland Legislative Assembly, Welsh Assembly and members of the European Parliament.

Read more on Privacy and data protection

Data Center
Data Management