Security News > 2021 > June > MI5 still risks breaking the law on surveillance data through poor controls – years after it was first warned

MI5's storage of personal data on espionage subjects is still facing "Legal compliance risk" issues despite years of warnings from spy agency regulator IPCO, a Home Office report has revealed.

Answering the question of whether MI5's data holdings are "Now legally compliant," a Home Office report, published on June 7, said MI5's "Implementation of mitigations" for "Identified risks" was still under way.

You can see mention of a specific data storage issue in IPCO's annual report [PDF] for 2017, published two years later, which noted: "There was one complex error reported by MI5 in relation to the retention of data on an area within their IT systems. MI5 is undertaking work to remedy this problem and delete data which has been retained erroneously."

More detail emerged in 2019's IPCO report, which castigated MI5 for its "Inconsistent approach to controls around the extent to which users were able to copy data and place it into storage areas within the environment".

More information about MI5's wrongdoing in the agency's internal Compliance Improvement Report was published in July of that year, containing 14 recommendations to bring MI5 into line with the law.

"The MI5 Legal Director should provide a quarterly report agreed with the Home Office Chief Legal Advisor to the Home Office Permanent Secretary and the Director General MI5 on issues relating to MI5's compliance with its statutory obligations and key legal risks."

News URL

https://go.theregister.com/feed/www.theregister.com/2021/06/22/mi5_legal_compliance_ipco_reports/