MI5 may have broken the law by holding large volumes of private data without proper protections, according to documents released in the High Court.

The security agency also misled senior judges by applying for warrants on the basis that data protection obligations were being met - when in fact they were not.

The 10 internal documents, which include letters from the most senior officials inside MI5, among them correspondence from director Sir Andrew Parker, show repeated breaches of compliance, relating in particular to the storage of citizens' data.

They also show that the spy agency was aware of breaches of compliance over several years, yet failed to act.

Letters to MI5 from the Investigatory Powers Commissioner's Office (IPCO) - the body responsible for ensuring privacy protections are upheld - refer to "the undoubtedly unlawful manner in which data has been held or handled".


A letter of 11 March 2019 from MI5's director of policy, compliance, security and information reveals that an MI5 compliance team identified in January 2016 that "data might be being held in ungoverned spaces in contravention of our policies".

Mitigation work began in January 2018 to resolve the problem, but, the letter says, "the task... was too large".

Under MI5's system, compliance gaps were coded red, amber or green according to their severity. Several practices were coded red, including "review, retention and deletion", which refers to data held on private citizens.

The documents were released as part of a court case undertaken by Liberty against the Home Office.

"The documents show extraordinary and persistent illegality in MI5's operations, apparently for many years," said civil liberties organisation Liberty, which is bringing the case.

"The existence of what MI5 itself calls 'ungoverned spaces' in which it holds and uses large volumes of private data is a serious failure of governance and oversight, especially when mass collection of data of innocent citizens is concerned."

MI5's lawyer told the court: "We accept this poses serious compliance risks to MI5, which is why we've brought it to the court's attention under our duty of candour."

Under the Investigatory Powers Act of 2016 - known colloquially as the "Snoopers' Charter" - the UK's security services were given extensive powers to collect what is known as "bulk data" on citizens, whether or not they were suspected of a crime.

This data was collected under warrants issued by judicial commissioners, on the basis that the safeguards were being maintained. These letters show the serious internal concerns about the effectiveness of these safeguards.

Investigatory powers commissioner Lord Justice Fulford told MI5 in April: "Without seeking to be emotive, I consider that MI5's use of warranted data... is currently, in effect, in 'special measures' and the historical lack of compliance... is of such gravity that IPCO will need to be satisfied to a greater degree than usual that it is 'fit for purpose'."

The hearing continues.