Previously confidential documents published (1) today reveal the staggering extent of UK Government surveillance that has been kept secret from the public and Parliament for the last 15 years. Revealed in a case brought by Privacy International about the use of so-called 'Bulk Personal Datasets' and a law dating back to 1984, the extracts show that the UK Government's intelligence services, GCHQ, MI5, and MI6, routinely requisition personal data from potentially thousands of public and private organisations. This includes data held by financial institutions and may also include anything from confidential NHS records to databases of people who have signed electronic petitions.
The term 'Bulk Personal Datasets' was first used in March last year in an Intelligence & Security Committee (ISC) Report. Even the ISC, the Parliamentary Committee that oversees the work of the intelligence agencies and has full security clearance, was unaware of the use of BPDs until recently. The papers released today act as proof of, and show the sheer scale of, British intelligence agency surveillance of our personal data. It goes far beyond monitoring our text messages, email messages, and social media posts. The intelligence agencies have secretly given themselves access to potentially any and all recorded information about us.
The documents reveal the potential to requisition medical records and confidential information shared with a doctor (including blood group, physical characteristics (hair/eye colour), biometrics), travel records, financial records, population data, commercial data (details of corporations and individuals involved in commercial activities), regular feeds from internet and phone companies, billing data or subscriber details, content of communications (including with lawyers, MPs, or doctors), and records from government departments.
The Intelligence and Security Committee reported (attached below) (paras 156, 158) that there are hundreds of millions of records which may be linked together. The datasets are likely to contain significant quantities of information about British citizens. None of the intelligence agencies have been able to provide statistics about the volume of personal information about British citizens included in the datasets.
The extent of abuses of personal sensitive data has also been revealed for the first time. In recent years only three cases of non-compliance or misuse resulted in staff being disciplined. It is not apparent that any victims have been notified.
The documents also describe the intelligence agencies' use of Section 94 of The Telecommunications Act 1984 to access data in bulk. The Telecommunications Act is pre-internet legislation that was never intended to enable this level of intrusion in a digital age. Until November 2015 that use of Section 94 to require telecommunications companies to provide bulk access to communications data outside the protections of the RIPA (Regulation of Investigatory Powers Bill) regime was unknown.
Millie Graham Wood, Legal Officer at Privacy International said:
"The information revealed by this disclosure shows the staggering extent to which the intelligence agencies hoover up our data. This can be anything from your private medical records, your correspondence with your doctor or lawyer, even what petitions you have signed, your financial data, and commercial activities. This data is integrated into databases that could be used to build detailed profiles about all of us. The agencies themselves admit that the majority of data collected relates to individuals who are not a threat to national security or suspected of a crime. This highly sensitive information about us is vulnerable to attack from hackers, foreign governments, and criminals. The agencies have been doing this for 15 years in secret and are now quietly trying to put these powers on the statute book for the first time, in the Investigatory Powers Bill, which is currently being debated in Parliament. These documents reveal a lack of openness and transparency with the public about these staggering powers and a failure to subject them to effective Parliamentary scrutiny."
Since March 2016 Privacy International has received over 1000 pages of disclosure from the intelligence agencies.
On 12 March 2015, the Intelligence and Security Committee published its report “Privacy and Security: A modern and accountable legal framework” (“the ISC Report”). The ISC report disclosed, for the first time, the existence of Bulk Personal Datasets:
284. The publication of this Report is an important first step in bringing the agencies ‘out of the shadows’. It has set out in detail the full range of the agencies’ intrusive capabilities, as well as the internal policy arrangements that regulate their use. It has also, for the first time, avowed Bulk Personal Datasets as an agency capability” (underlining indicates emphasis added).
Reference to citation above:
156. These datasets vary in size from hundreds to millions of records. Where possible, Bulk Personal Datasets may be linked together so that analysts can quickly find all the information linked to a selector (e.g. a telephone number or ***) from one search query. ***.140
158. The Committee has a number of concerns in this respect:
Access to the datasets – which may include significant quantities of personal information about British citizens142 – is authorised internally within the agencies without Ministerial approval.
Footnote: 142 None of the agencies was able to provide statistics about the volume of personal information about British citizens that was included in these datasets.
Press release source at link below: