MI5 'broke law' with serious breaches of safeguards for intercepted data

Get the free Morning Headlines email for news from our reporters across the world

Sign up to our free Morning Headlines email

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy notice

MI5 broke the law by breaching surveillance safeguards that are meant to limit how spies use, share and retain intercepted material, it has emerged.

Home secretary Sajid Javid has launched an independent review to consider “what lessons can be learned” after a watchdog identified serious risks that the intelligence agency did not report quickly enough.

He said MI5 breached parts of the Investigatory Powers Act that regulates the processing of material obtained under a warrant, including intercepted data.

In a written ministerial statement, Mr Javid said the law requires spies to “ensure certain processing is kept to the minimum necessary for the statutory purpose, including the number of people to whom material is made available, the number of copies made and the length of time it is retained”.

He added: “A report of the Investigatory Powers Commissioner’s Office (Ipco) suggests that MI5 may not have had sufficient assurance of compliance with these safeguards within one of its technology environments. The report of the Ipco into these risks concluded that they were serious and required immediate mitigation.

“The Commissioner also expressed concern that MI5 should have reported the compliance risks to him sooner.”

Data accessed under the Investigatory Powers Act can include private messages, browsing history and location information.

The human rights group Liberty condemned authorities for refusing to disclose details of the breach, what information had been put at risk and how long for.

One of their lawyers, Megan Goulding, said the case was deeply concerning and showed how “fatally flawed the oversight system for security services is”.

She added: “This is a clear cut example of how the supposed safeguarding and oversight system is failing to protect us from the excessive and unwarranted surveillance and data retention powers created under the snooper’s charter. It is possible, from what is known, that millions of innocent people’s data is being shared widely with foreign governments. If the government has its way, we will never know if this is the case.

“If the UK’s surveillance regime is to have a semblance of legitimacy, the public needs to know what happened, and how badly our privacy and the security of our information were put at risk.”

Mr Javid said he could not give further information for national security reasons but further details would be included in Ipco’s annual report.

“The work MI5 do is absolutely critical, at a time when the threat from terrorism persists and continues to diversify,” he added. “It is of course paramount that UK intelligence agencies demonstrate full compliance with the law. In that context, the interchange between the commissioner and MI5 on this issue demonstrates that the world leading system of oversight established by the Act is working as it should.”

The Investigatory Powers Commissioner, Lord Justice Fulford, said he was first notified at a meeting in February and immediately requested written information that was received in March.

“I then asked a team of inspectors from my office to spend a week in MI5 investigating the extent of the compliance risks that had been identified,” he added.

“I am reassured that MI5 has taken immediate steps to introduce a series of mitigating actions in the light of that thorough review, and these actions – along with a programme of further measures that will be progressively implemented – provide sufficient reassurance that MI5’s handling arrangements within the particular area of concern are now satisfactory as regards warranted material.”

Ipco has carried out a follow-up inspection and will conduct regular reviews.

The home secretary said MI5 had taken “immediate and substantial mitigating actions” in response to the Ipco report and that implementation was being monitored.

“The compliance risks identified are limited to how material is treated after it has been obtained,” he said.

“They do not relate in any way to the manner in which MI5 acquires information in the first instance or the necessity and proportionality of doing so,” he added.

“All UK intelligence agencies treat protection of personal information seriously.”

It came as Liberty mounts a wider legal challenge to the Investigatory Powers Act, which will be heard at the High Court next month.

Campaigners are to argue that bulk surveillance that captures messages, browsing history and other large datasets without suspicion “dangerously undermines privacy and free expression”.

Last year, the High Court found the power to order private companies to store communications data, including internet history, so that state agencies can access it breached the right to privacy.

In September, the European Court of Human Rights found that the UK’s previous regime for bulk interception of communications data was unlawful before it was replaced by the 2016 Investigatory Powers Act