MI5 wrongly claimed it had been granted a unique exemption, by former home secretary Theresa May, from applying privacy safeguards to access databases containing data on the public’s private phone, email and web browsing activities.

Secret documents released during a court hearing at the end of July 2016 show that the security service misleadingly claimed to its own staff that it was “uniquely exempt” from seeking independent approval for accessing private communications data (CD).

The documents came to light at a hearing at the Investigatory Powers Tribunal (IPT), brought by the charity Privacy International to challenge the legality and lack of safeguards over intelligence services’ use of bulk personal datasets.

Bulk personal datasets held by MI5, MI6 and GCHQ contain highly sensitive information about the population, including location and travel history, internet and mobile phone use, and financial information.

The intelligence agencies match the data with other databases to find targets of interest. The Home Office published an updated version of its Code of Practice for the Acquisition and Disclosure of Communications Data in March 2015, requiring the intelligence services to seek approval from independent members of staff, known as designated persons (DPs), before accessing private communications data during all investigations.

MI5 wrongly told staff Theresa May had exempted it from code of conduct But a secret briefing note issued by MI5, dated 27 October 2015, informed employees that the security service had been granted special exemption from seeking independent approval by the home secretary and two regulatory bodies. “MI5 uniquely and temporarily has an exemption granted by the home secretary from this requirement. This exemption is based on the national security exemption provided for in the code. This approach has also been agreed with the relevant oversight body, IOCCO, and the interception of communications commissioner,” it said. The document revealed that meant investigative and operational managers could “remain lead authorisers for requests made by officers in their own teams”, effectively over-riding government demands for independent scrutiny of applications to access sensitive communications data.

Government solicitors acknowledge claims were untrue But in an embarrassing U-turn, treasury solicitors acting for the government wrote to the tribunal, saying guidelines for staff claiming that MI5 had an exemption from Theresa May, and that its approach had been approved by the Interception of Communications Commissioner’s Office (IOCCO), were untrue. “We are instructed to say that it was not correct to say, as of October 2015, that: the home secretary granted an exemption (indeed neither the current code, or its predecessor, provides the home secretary with the power to “grant an exemption”); or the approach described above had been agreed with the IOCCO or the interception of communications commissioner.” According to the letter, the Security Service instead relied on a provision in the code that said having ongoing operations or investigations immediately affecting national security issues “could” constitute circumstances where it was not necessary to seek independent approval. “In practice this is the case for all Security Service investigations.”

How MI5 fought a rearguard action against greater oversight The disclosure is part of a tranche of documents released during the four-day hearing that show the intelligence services have been fighting a rearguard action against greater oversight over its access to communications data for years. On 28 July, Computer Weekly revealed how MI5 used a secret meeting to persuade judges at the UK’s top intelligence and security court not to disclose any information on sensitive databases holding highly intrusive records about the population. The Security Service was able to skirt requirements to seek independent approval for accessing communications data under a code of practice introduced in 2007, the letter from the Treasury Solicitors revealed. MI5 relied on a provision in the code that designated persons “should” not be responsible for granting authorisations in relation to investigations in which they are directly involved. In practice, that allowed MI5 to avoid the requirement entirely. “The interception commissioner and IOCCO were made aware that this was the case in all Security Service’s investigations at their inspections, and were satisfied that this practice was not in contravention of the code,” the letter stated.

MI5 resisted pressure from Theresa May for independent oversight Even as late as last year, Andrew Parker, the director general of MI5, had been resisting pressure from the then home secretary, Theresa May, to move away from the practice of allowing investigators to authorise their own access to communications data (see How MI5 resisted pressure for greater scrutiny from Teresa May, below). In March 2015, he warned May that the appointment of independent designated persons to approve more than 100,000 data requests issued by MI5 each year would cause “significant disruption, reduce our effectiveness and introduce inconsistencies that will have the opposite effect to what is intended”. “Furthermore, there does not appear to be a pressing litigation or reputational requirement to commit to make these changes now, and we can therefore see no obvious gain in doing so,” he said. In April, he wrote again to May, warning that MI5 would not meet her deadline to put independent approval in place for investigations into sensitive professions, which included medical doctors, journalists and religious ministers. Two months later, he warned May that her proposals would require MI5 to extend independent approval more generally, would require more staff, and would pose significant problems. “Implementing operationally independent authorisation for all of our CD requests would be a substantially greater ask.” And in December 2015, he wrote to dissuade May from including these safeguarding measures in the forthcoming Investigatory Powers Bill, which will give new rights to law enforcement agencies for suspicionless surveillance. “I continue to have strong reservations about agreeing now to more widespread changes for targeted CD requests,” he told her. The move would divert effort from the front-line investigations, without any clear benefit. “Widening access to these would, in my opinion, introduce significant operational risk by extending the knowledge of our most sensitive operations beyond those with a legitimate requirement to know the details, ” he said.

Anthony May raised concerns with MI5 in 2014 The Interception of Communications Commissioner’s Office, which oversees surveillance by the security services, did not raise the question of independent oversight with MI5 until 2014, according to previously secret documents. In December that year, the IOCCO, run by Anthony May, carried out an inspection of the security service’s compliance with the Human Rights Act, the Regulation of Investigatory Powers Act (Ripa) and its Code of Practice. The heavily redacted inspection report found that, contrary to expected good practice, the designated persons responsible for approving communications requests were aware of the investigations they were being asked to sign off. It reported that many were not recording the reasons for their decisions. “It is recommended that MI5 reviews this area of the process and implementation measures,” said the report. A year later, IOCCO warned in its 2015 inspection report that the situation had become even more critical. “The Security Service must devise a strategy and implement procedures to ensure that DPs are independent from operations,” it insisted.

MI5 claimed it was acting in line with code of conduct MI5 argued that its processes were in line with the code of conduct – “which has been agreed by your office and the Home Office for several years” – according to a letter from the deputy director, interception and digital intelligence, in March 2015. The code, it said, “allows for public authorities which have ongoing operations or investigations immediately impacting on national security issues to not need to call upon a designated person who is independent from their operations and investigations”, he said. According to evidence at the July tribunal, MI5 was reminded of the need for checks and balances on its use of communications data in 2010, when Robert Hannigan, now the director of GCHQ, published a report advocating greater safeguards.

Criticism over MI5’s use of the Telecommunications Act 1984 to gather personal data Privacy International’s legal action has shed light on the use made by MI5 and GCHQ of the Telecommunications Act 1984 to obtain bulk data on the population, rather than the Regulation of Investigatory Powers Act 2000, which requires stronger privacy safeguards. The practice was acknowledged publicly for the first time by May as home secretary in November 2015. According to evidence presented at the tribunal, “bulk communications data…involves large amounts of data, most of which relates to individuals who are unlikely to be of any intelligence interest”. The interception of communications commissioner, Swinton Thomas, expressed reservations about the practice as early as 2004 in a long chain of letters with GCHQ. Swinton finally acquiesced, telling GCHQ in November that year: “I have … reached the conclusion, not without some difficulty, that the present system for retrieval of data pursuant to a Section 94 direction is lawful. “The requirement of a Ripa…authorisation would cause real difficulties which could not have been envisaged by Parliament when Ripa was enacted. I am, therefore, content that you should proceed as proposed,” he said.

MI5 admits staff looked up records of 20 celebrities But does the lack of independent approval for searches of bulk personal data matter? Evidence presented at the tribunal suggests it does. According to the government, intelligence agents in MI5 have used bulk databases to carry out searches of 20 celebrities, which were not operationally justifiable. Between 2009 and 2012, three different users carried out searches of high-profile individuals, without authorisation. And there were 17 searches of high-profile individuals between 2009 and 2011, which may not have been operationally justifiable. However, the Secret Intelligence Service has no formal records of conversations with their line managers to be able to confirm one way or another.