Disclosure: Your support helps keep the site running! We earn a referral fee for some of the services we recommend on this page. Your support helps keep the site running! We earn a referral fee for some of the services we recommend on this page. Learn more

Last Updated: March 25, 2017

The Investigatory Powers Act (IPA) is a new law that makes mass surveillance legal in the United Kingdom. All citizens’ mobile phone and internet use will now be logged, and the law also allows the government to secretly bypass encryption, among other things.

The Act specifies a number of job roles that have access to your Internet Connection Records (ICRs). Many people are concerned about just how many people in the government have access to them. And they should be!

In Summary: Who Has Access?

WhoIsHostingThis filed almost 100 Freedom of Information Requests to find out exactly who gets access to your data. We can now reveal that there at least 16,318 employees in government and public sector who have legal access to your ICRs. And this number only accounts for two-thirds of the organizations mentioned in the Act.

Our current total represents a lower bound — the minimum number of people who have access to what you do on your computer. Over time, we will doubtless learn more and revise this total. Here is the current breakdown:

td {

padding-left: 1em;

padding-right: 1em;

}

Group Subtotal Total Police 10,578 England and Wales 8,716 Ministry of Defence 138 Northern Ireland and Scotland 1,724 Military ? Intelligence Services ? MI5 ? MI6 ? GCHQ ? HMRC 2,967 Emergency Services 644 Marine and Coastguard 11 Fire and Ambulance 538 Miscellaneous 2,129 Total 16,318

If you wish, you can embed this table into your own webpage by copying the text in the following box. It links back to this page in case anyone wants to see the details.

<div style=”text-align: center; padding: 1em; “><a href=”https://www.whoishostingthis.com/blog/2017/03/07/ipa-numbers/”><img src=”https://www.whoishostingthis.com/wp-content/uploads/2017/03/IPA-People.png” alt=”Investigatory Powers Act: All the Cops, Spooks and Suits Watching You” /></a><span style=”font-style: italic; font-weight: bold; font-size: 0.8em;”><br />Data provided by <a href=”https://www.whoishostingthis.com/blog/2017/03/07/ipa-numbers/”>WhoIsHostingThis.com</a>.</span></div>

How We Got These Numbers

Section 4 of the Investigatory Powers Act states the roles required for access to Internet Connection Records. There are two levels of access: Full, or Entities. Entities is a restricted view.

All roles in the Act are the minimum required to access Internet Connection Records. In our Freedom of Information Requests, we asked for the names of all roles senior to the minimum role required, as well as a headcount for each role. Not all organizations provided this, but many did.

Our Purpose

The aim of this article is not to “name and shame” the people with access to your data. After all, many of them never asked for access, may not want it, and may privately oppose the Investigatory Powers Act.

But it’s important to get to grips with the sheer scale of the issue. There are a dizzying number of people with access to your private data. They all have permission to see what you get up to on your laptop or phone. And, in some cases, it isn’t clear how their jobs have anything to do with the supposed reasons the IPA was passed in the first place.

For example, the Department for Work and Pensions and the Food Standards Agency don’t seem to have anything to do with terrorism or human trafficking.

The Numbers In Detail

The figures we present here come from our Freedom of Information Requests and information on the internet. Some organizations did not respond in the allotted time, some requested further information from us, and others are exempt from providing this information. For these reasons, and the complications around how job sharing is reported, these figures should be considered a minimum.

Number of Police With Access

The Investigatory Powers Act allows Police Inspectors to view a truncated version of your Internet Connection Records (including entities in your Internet Connection Records, and links between those entities). Because the data is opened up to senior roles, we know that Chief Inspectors will also get to see this entity data.

England and Wales

According to 2015 figures, there were 7,358 Inspectors and Chief Inspectors in the force in England and Wales.

Full Internet Connection records can be accessed by anyone with the rank of Superintendent or Chief Superintendent, and any member of staff senior to those roles. Based on the 2015 data, that’s 7,358 officers at those ranks and 1,358 officers above. That makes 8,716 officers in the police force in England and Wales with access to ICRs.

Ministry of Defence

The Ministry of Defence (MoD) Police says that it has a total of 119 in the ranks of Inspector or Chief Inspector. There are 19 officers above that rank, for a total of 138 with ICR access.

At this point, it’s worth noting that at least one MoD policeman has been investigated and relieved of duties for misuse of data in recent years. He was suspended after searching police logs for personal information about the ex-footballer Paul “Gazza” Gascoigne, proving that misuse can and does happen.

Northern Ireland and Scotland

In the Northern Ireland police force, there are at least 436 staff with the role of Inspector or higher, and 21 at Superintendent or higher.

Police Scotland confirmed the figures for its force after processing our Freedom of Information Request. There are 861 police inspectors, 240 inspectors, 117 superintendents, 38 Chief Superintendents, 7 Assistant Chief Constables, 3 Deputy Chief Constables, and 1 Chief Constable, adding 1,267 to the total.

That makes a total of 1,724 officers in Northern Ireland and Scotland with access to ICRs.

Army, Navy, Air Force

The Royal Air Force, Navy, and Army police did not reply to our Freedom of Information Request within the allowed time.

We found a 2013 report on (PDF) gov.uk that there are 5,294 personnel at the rank Commander (Royal Navy Police), Lieutenant Colonel (Royal Military Police), and Wing Commander (Royal Air Force Police). But this represents the entire military. At this time, we do not know how many military police officers have this rank. Just as important, we do not know if general military personnel above this rank will have access.

As a result, we cannot provide an estimate for this category at this time.

Policing Totals

Given all the people with access to all of this data, it is of some import that the Chief Constable of Police Scotland was criticized in August 2016 for failing to secure his own personal Facebook page. If the head of the Scottish police has trouble managing his own internet privacy, 58 million UK citizens should surely be concerned that he’s in charge of their data too.

Police total so far: 10,578. Remember: this is based on incomplete data, so it is a low estimate.

We Don’t Know About Access at MI5, MI6, and GCHQ

The intelligence agencies presented a particular problem for our investigation.

MI5

MI5 stands for Military Intelligence, Section 5, and is responsible for domestic counter-intelligence and security. Currently, it employs approximately 4,000 people.

The Act allows General Duties 3 staff (or more senior) to access full Internet Connection Records, and General Duties 4 access to Entities only. We asked MI5 for the number of staff in these roles, but they declined to provide any figures.

MI6

MI6 stands for Military Intelligence, Section 6, and is responsible for gathering intelligence from outside the UK to support certain UK government activities. Full ICRs will also be available to MI6 staff at Grade 6 or above. We do know that MI6 had 2,479 staff in March 2015 and plans to recruit 1,000 more by 2020. We don’t know how many are at Grade 6 or above, and MI6 did not respond to inquiries.

In 2016, MI6 and MI5 were found to have breached human rights law by collecting bulk communications data without consent. This is the kind of activity that the Investigatory Powers Act was designed to legalize.

GCHQ

GCHQ personnel who have a role of GC8 or above also have access to ICRs. But GCHQ has not responded to our inquiries.

As we have no confirmed numbers for this section, we have not added anything. But it is certain that MI5, MI6, and GCHQ would increase our total by a significant amount.

Number of People at HMRC With Access

We already know that Her Majesty’s Revenue and Customs (HMRC) scrapes social media accounts to find data about UK taxpayers. This data is fed into its analytics platform, Connect, and merged with information about UK residents’ wages, pensions, bank accounts, investments, and online shopping habits. Now that dataset will be augmented with the online activity of ordinary UK residents.

Full Internet Connection Records are visible to Senior Officers at HMRC, while entities are available to Higher Officers. In a 2016 summary of junior posts, there were 2,123 Senior Officers, and 844 Higher Officers. All of the people above these roles also have access, but HMRC did not classify exactly which roles would fall into those groups.

So far, this represents 2,967 HMRC employees, by our count, making our running total 13,545 people — which is a very conservative estimate.

Number of People in Emergency Services With Access

At the Marine and Coastguard Agency, 4 staff can see entity data, and 7 other staff have full access to Internet Connection Records. The Maritime Operations Commander is among them, as is the Head of Enforcement. The Marine and Coastguard Agency did not recognize some of the job roles in the wording of the Act, so this figure may be higher.

Even this relatively small figure should concern you. According to a 2016 Freedom of Information request, the Marine and Coastguard Agency’s IT security audit revealed 16 “significant” security risks. It did not, however, provide any information about the nature of those risks.

At fire brigade and ambulance services, Internet Connection Records are available to Watch Managers and Duty Managers in control rooms. These people are in charge of directing the response to incidents. All of the roles senior to these people also have full access to ICRs, including Brigade Managers, Area Managers, Operations Managers, and others.

We made Freedom of Information Requests to each individual fire or ambulance authority, and we confirmed at least 644 people with access across all of the fire and ambulance services that responded.

That brings our total to 14,189 that are known.

Number of People With Access Elsewhere

Here are the responses to our FOI requests, along with the figures we were given:

279 people at the Competition and Markets Authority

people at the Competition and Markets Authority 326 at the Department of Health Medicines and Healthcare Products Regulatory Agency

at the Department of Health Medicines and Healthcare Products Regulatory Agency 10 at the Department of Health Anti-Fraud Unit

at the Department of Health Anti-Fraud Unit 59 at the Department for Work and Pensions

at the Department for Work and Pensions 3 at the Common Services Agency for the Scottish Health Service

at the Common Services Agency for the Scottish Health Service 13 at the Criminal Cases Review Commission

at the Criminal Cases Review Commission 537 at the Department for Communities in Northern Ireland

at the Department for Communities in Northern Ireland 5 at the Department for the Economy in Northern Ireland

at the Department for the Economy in Northern Ireland 11 at the Department of Justice in Northern Ireland

at the Department of Justice in Northern Ireland 13 at the Financial Conduct Authority

at the Financial Conduct Authority 45 at the Food Standards Agency

at the Food Standards Agency 5 at Food Standards Scotland

at Food Standards Scotland 56 at the Gambling Commission

at the Gambling Commission 45 at the Health and Safety Executive (HSE)

at the Health and Safety Executive (HSE) 10 at the Independent Police Complaints Commission (IPCC)

at the Independent Police Complaints Commission (IPCC) 75 at the Information Commissioner’s Office (ICO)

at the Information Commissioner’s Office (ICO) 13 at the National Health Service Business Services Authority

at the National Health Service Business Services Authority 3 at the Northern Ireland Health and Social Care Regional Business Services Organisation

at the Northern Ireland Health and Social Care Regional Business Services Organisation 548 people at the Office of Communications

people at the Office of Communications 16 at the Office of the Police Ombudsman for Northern Ireland

at the Office of the Police Ombudsman for Northern Ireland 2 at the Police Investigations and Review Commissioner

at the Police Investigations and Review Commissioner 49 at the Serious Fraud Office

at the Serious Fraud Office 6 at the Northern Ireland Fire and Rescue Board.

This makes for a total of 2,129 more people who have access to Internet Connection Records, bringing our total to 16,318.

There are doubtless many more — based just on the lack of information about MI5, MI6, and GCHQ. But there are potentially thousands more that remain uncounted.

Why This Matters

Again: this isn’t an attempt to shame people with access to your personal data. But it is an attempt to shock you into recognizing how wide-open the access is.

Small-scale data protection breaches happen all the time; large scale hacks aren’t that rare. And the UK government has a long track record of losing personal data accidentally, too.

UK councils also have a dubious record when it comes to misusing surveillance in the past. For example:

Some misuse may be intentional, while some may be the result of simple ignorance. At least one of the organizations that we approached did not provide an answer to our questions because the respondent did not know what Internet Connection Records are, even after we provided a link to the Act.

The more people that can access the data, the more potential there is for that data to be accessed illegally, or used unethically. And that can compromise your safety and your liberty.

Appendix

Upwards of one hundred FOI requests were filed for this article. Of these, 76 were completed and used in the final version of this article. As we gather more data, we will add to this article. Here are PDFs containing each FOI document we have used:

Organizations that Did Not Reply

A number of organizations failed to provide the information we asked for by the legal deadline. Note that there are any number of reasons why this may be — it is not necessarily the fault of the organization in question. We will continue to work on getting data from these organizations:

Cumbria Fire and Rescue Service Gangmasters and Labour Abuse Authority GCHQ Home Office Humberside Fire and Rescue Service MI6 Ministry of Justice National Crime Agency Police Service of Scotland Royal Air Force Police Royal Military Police Royal Navy Police Scottish Criminal Cases Review Commission West Midlands Fire Service

In addition to these, the Ministry of Defence did respond to our inquiry (PDF) via traditional mail. As a result, we received it only shortly before publication. More important, it did not provide information, but rather asked for additional details. We will continue to pursue this matter.

Update (March 25, 2017)

We eliminated our total for the military police because we cannot confirm the number from public records and have received no responses from the Royal Air Force, Navy, and Army. We have increased our numbers because of late arriving FOI responses. We increased the numbers for Police Scotland up to 1,267, Greater Manchester Fire and Rescue to 83, Hertfordshire Fire and Rescue to 12, and Northern Ireland Fire and Rescue to 6.