“MI5 data-management system akin to the ‘wild west’”
Privacy Internationals and Liberty’s latest legal case against the UK’s Security Service (MI5) hinges on MI5’s failure to police their vast data holdings. PI and Liberty allege MI5 broke the law by not effectively implementing crucial safeguards designed to protect all of us.
The UK’s security services have the power to collect, analyse, and store huge amounts of personal data. They can target specific individuals, hack their computers, and intercept their data or communications, but they can also obtain personal datasets in bulk, intercept overseas communications in bulk, and collect huge swathes of communications data from telecomms providers.
The public rightly expects that the vast amounts of personal data which agencies like MI5 collect and store will be held lawfully, and in a way that protects our privacy and data rights. For example, the law requires that our data should not be held indefinitely, there should be clear limits on who can access the data, and there should be processes in place for deleting datasets or databases, which are not needed for intelligence purposes. Just as we would expect big tech companies like Google, Meta and Apple to comply with laws around how they handle our personal - and often very sensitive - data, we expect our intelligence agencies to do so too.
MI5 isn’t above the law
Back in July PI and Liberty, were before the Investigatory Powers Tribunal (a UK body that hears claims against the security services), taking on MI5 and the Home Secretary for their disregard of the laws and standards which protect our data. You can see our joint press release from the hearing here.
We argued that, based on MI5’s own disclosures, the agency had breached UK surveillance laws since at least 2010 and provided false information to unlawfully obtain bulk surveillance warrants against the public. Additionally, despite knowing of the breaches since at least 2016 at the highest levels, we argued that MI5 failed to report its breaches to the Home Office or other oversight bodies.
In the course of our case against MI5, we even saw internal MI5 documents which referred to some of their internal data systems as “akin to the wild west places”.
- Excerpt from document disclosed during the proceedings - Minute referring to TE as "wild west of places'
During the litigation, MI5 also admitted that they acted unlawfully by failing to implement appropriate review, retention and destruction procedures, and not disclosing to the Home Office and oversight bodies and that it “retained substantial amounts of intelligence material…where it was no longer needed for intelligence purposes.”
When it comes to intercepting people’s personal communications and data, and collecting it in bulk, British Security Agencies like GCHQ, MI5 and MI6 have wide, sweeping powers. 
These powers - which include the power to hack into your phone and email, monitor your location and movements, and scrape and retain datasets about you - are justified by the Government as necessary to protect national security.
The only real limits on British security agencies’ sweeping powers to intercept and hold personal data can be found in a handful of legislative provisions.
These ‘rules’ are mandatory, and not following them is unlawful.
For example, MI5 must obtain warrants authorising interception and, once personal data is collected - whether in bulk or through targeted surveillance - the data must be is ‘handled’ in a way that protects the privacy and sensitivity of that data. These safeguards include:
- “Access controls” = the number of people who have access to this personal data must be limited (to the minimum number of people possible),
- Deletion requirements = when there are ‘no longer any relevant grounds’ for retaining any data that was collected for a specific purpose, it should be destroyed and not kept indefinitely, and
- Highly confidential data, such as lawyer-client communications which are subject to legal privilege, have to be identified & handled with heightened protections.
But, in 2019, it came to light that MI5 wasn’t implementing some of these safeguards, which are required by law to prevent grave abuses of power by these agencies.
- Excerpt from document disclosed during the proceedings - Fulford LJ's Decision on Warrants 5 April 2019
- Excerpt from document disclosed during the proceedings - MI5 Management Board Performance Report 2015/2016
Internally, MI5 admitted that they had a ‘limited’ understanding of what data was held in specific systems, and that they couldn’t even search it. If the purpose of collecting this data is to protect national security, can it really be that useful if it can’t be understood or retrieved when its needed?
- Excerpt from document disclosed during the proceedings - MI5 Minute 2016
We also argued that MI5 failed to disclose issues with the way it provided data to regulators as well as other courts and tribunals to which MI5 was responsible for making disclosures, such as in inquests and inquiries related to terrorist attacks like the Litvinenko Inquest or the inquiry into the Manchester Arena bombing.
By 2019, the Investigatory Powers Commissioner had found that MI5 held and handled large amounts of personal data in a way that was “undoubtedly unlawful”.
Why does this matter?
The way our data was handled by MI5 amounts to a significant intrusion into potentially millions of people’s fundamental right to privacy. This case is a critical mechanism to hold MI5 accountable for failing to handle the data they hold in a lawful manner. Agencies tasked with protecting national security process huge amounts of sensitive information. Due to the nature of their work, their operations can’t be subjected to the same levels of scrutiny and transparency that we can demand of other government institutions, yet they are not above the law. That is why this case is so important: it is one of the only tools we have to ensure that our right to privacy is respected by the UK intelligence agencies.
Given that MI5 - apparently knowingly - breached existing laws and arrangements for safeguarding millions’ of people’s data for years, we have argued that these safeguards are not effective in practice.
The “compliance” problems at MI5 appear to be systematic & systemic. For instance, MI5’s internal documents, disclosed during the case, reference “cultural” issues towards compliance at MI5.
This contradicts what MI5 has previously said publicly. For example, the 2015 ISC Parliamentary Committee Report stated the following, and quoted the then-Director General of MI5:
The Agencies have said that they apply strict policy and process safeguards to control and regulate access to the datasets. The Director General of MI5 explained: “… we only access this stuff… where there is an intelligence reason to do it. So we start off with a threat, a problem, a lead, that then needs to be examined and pursued and either dismissed or lead to action to counter it. That is when we use the data. It is absolutely not the case that there is anybody in MI5 sat there, just trawling through this stuff, looking at something that looks interesting; absolutely not.”
Our case allow us to scruntise such statements, contributing to more effective oversight of these secretive agencies.
What we’re asking for
We asked the UK’s Investigatory Powers Tribunal to declare that MI5’s data-handling practices violated the law and are incompatible with the European Convention on Human Rights.
We don’t think MI5 should be able to collect people’s personal data in bulk in the first place, but we certainly don’t think they should be allowed to hold it in a way that ignores legal safeguards intended to prevent abuses of power.
For a more detailed look, visit our case page.
 see generally, the Investigatory Powers Act 2016.