Compliance inspections of MI5 complete
In the wake of IT compliance issues identified earlier in the year, the Investigatory Powers Commissioner (IPC) has now concluded a series of targeted inspections of MI5.
The IPC asked a team of inspectors and technical experts to examine the mitigations that MI5 had put in place. This series of inspections lasted six months and, on the basis of this work, the IPC has concluded that MI5’s use of the IT system in question is now fit for purpose.
The Investigatory Powers Commissioner, Sir Adrian Fulford, said:
“MI5 has devoted substantial resources both to the programme of work to fix the compliance problems identified and to service this intensive inspection regime.
“I am confident that MI5’s remediation work has secured compliance with the standards required.
“I have been impressed by MI5’s reaction to our criticisms, in particular the speed, focus and dedication with which they acted to rectify the situation.”
Inspectors spent a total of 48 days over the course of four inspections at MI5 between March and September. The Commissioner and his deputy were closely involved throughout, and a member of the Technology Advisory Panel has scrutinised technical aspects of the system inspected.
MI5 has introduced a range of automatic and manual processes to ensure its staff use the technology in a compliant way. Changes have also been made to the technology itself to enforce compliance requirements.
Inspectors from the Investigatory Powers Commissioner’s Office (IPCO) will continue to work with MI5 and other agencies to ensure that all systems have appropriate safeguards, processes and policies in place.
The IPC is now writing to all organisations who use investigatory powers requesting them to conduct an internal review and provide assurances on their use of data. This will enable IPCO to determine whether similar issues exist at other authorities. Where necessary, IPCO will support UK authorities to ensure that all covertly obtained data is handled in compliance with the law, and that this can be appropriately demonstrated.
The Commissioner was first made aware of the compliance risks identified by MI5 on 27 February 2019, and issued a statement shortly after. The Home Secretary laid a further Written Ministerial Statement on the issue on 9 May 2019.