UK security services have been collecting personal information from citizens who are "unlikely to be of intelligence or security interest" since the 1990s, documents have revealed.
More than 100 documents revealing the policies and procedures of the UK's intelligence agencies – dating back as far as 2005 – have been published by campaign group Privacy International.
The documents show that GCHQ and intelligence agencies have been using powers to collect bulk personal data sets, which contain details on mass groups of people, since 1998. Bulk collection of data in this way is granted under the provisions of section 94 of the Telecommunications Act 1984.
The privacy group published the documents it received in response to an upcoming legal challenge at the Investigatory Powers Tribunal. At the tribunal, which will take place in July, Privacy International will challenge the government's claim that bulk collection and retention of data is lawful, necessary and proportionate.
In their closed response, which was ordered to be made public by the Tribunal, the Home Office, Foreign and Commonwealth Office, GCHQ, security services and secret intelligence services said the "majority" of the data held was on individuals who were "unlikely to be of intelligence interest".
Bulk personal datasets can contain "hundreds to millions of records" on people who may not be suspected of wrongdoing, Privacy International claimed. According to Millie Graham Wood, the campaign group's legal officer, the datasets could be used to build profiles on everyone they collect information about.
"This can be anything from your private medical records, your correspondence with your doctor or lawyer, even what petitions you have signed, your financial data, and commercial activities," she said in a statement. "This highly sensitive information about us is vulnerable to attack from hackers, foreign governments, and criminals."
The release of the documents, which contain more than 1,000 pages of evidence, comes in the context of an ongoing attempt by the Home Office to pass new surveillance laws. The Investigatory Powers Bill has had its second reading in parliament and is currently being scrutinised by a public bill committee that will make recommendations for amendments to the planned law.
Since the IP Bill was presented to politicians in November 2015 it has been criticised by several groups of MPs and Lords for not having robust privacy provisions and failing to justify provisions for mass data collection.
The use of section 94 to collect bulk data sets was only admitted by Home Secretary Theresa May as she announced the IP Bill for the first time.
The documents state that "arrangements exist for the obtaining, use and disclosure of" bulk personal datasets and bulk communications data accessed under the section 94 rule. But regulations on how this data should be treated and handled only came into force in November 2015.
If these procedures aren't followed then staff from the intelligence services – GCHQ, MI5 and MI6 – could be disciplined.
The documents published by Privacy International show multiple occasions in recent years where GCHQ and the secret intelligence services have failed to properly handle the datasets they are collecting, with some staff members being disciplined.
One document states that GCHQ had a bulk data set for five years, without realising it was a bulk data set. The documents state a bulk personal dataset, first acquired by GCHQ in 2010, "was not initially recognised as BPD. It was subsequently identified as BPD in 2015 by GCHQ's Compliance Team."
Another dataset acquired by GCHQ in 2012 was not reauthorised for re-use once its initial approval had expired. The dataset was rediscovered in 2015 and deleted "as it was deemed to be no longer of use".
According to the documents, there were 47 instances between June 2014 and February 2016 where data was incorrectly processed by security services.
Four of these involved "issues" where the "necessity and proportionality" of the information was not correctly considered. The other 43 errors included those where the data did not relate to the subject of the investigation and where requests had been duplicated.