MI5 engaged in 'extraordinary and persistent illegality' whilst handling personal data, High Court hears

Thames House, the headquarters of the British Security Service (MI5) is seen in London
Thames House, the headquarters of the British Security Service (MI5) is seen in London Credit: Peter Nicholls / REUTERS

MI5 has been unlawfully holding people's data collected through surveillance or hacking programmes, the high court has been told.

In a case brought by civil rights group Liberty, it emerged that MI5 has been holding large volumes of people’s location data, calls, messages and web browsing history without proper protections.

The security agency are also accused of misleading senior judges by applying for warrants on the basis that data protection obligations were being met - when in fact they were not.

The spy agency has been aware of breaches of compliance for at least three years, yet failed to act and, it is claimed, kept the failings secret.

They have now been exposed by the official watchdog, the investigatory powers commissioner, Lord Justice Fulford, and admitted in outline by Sajid Javid, the Home Secretary.

Liberty said it involved the "mass collection of data of innocent citizens." Megan Goulding, a lawyer for the civil rights group, said: "MI5 have been holding on to people's data - ordinary people's data, your data, my data - illegally for many years.

"Not only that, they've been trying to keep their really serious errors secret - secret from the security services watchdog, who's supposed to know about them, secret from the Home Office, secret from the prime minister and secret from the public."

Among the large amounts of data which can be collected by MI5 under the Investigatory Powers Act are individuals' location data, calls, messages and web browsing history.

As well as "bulk data" collection, which can include information about ordinary members of the public, MI5 can use targeted interceptions of communications and computer hacking for investigations such as counter-terrorism.

However,  the Act places strict safeguards on the agency requiring it to ensure the information is stored and handled safely including destroying it when it is no longer needed.

Lord Justice Fulford said MI5 had a "historical lack of compliance" with the law in the way it retained and deleted data. He said it had been held and handled in an “undoubted unlawful manner.”

His ruling, made public for the first time, said the security service would be placed under greater scrutiny by judges when seeking warrants, which the commissioner compared to a failing school being placed in "special measures".

Documents presented in court showed that senior members of the security service were aware in 2016 there were serious issues with the management of data.

In April this year, MI5 informed the Home Office and Number 10 of the concerns, but were criticised by the commissioner for not reporting them earlier.

Information from people's discussions with lawyers was among the data retained without a lawful basis, the court heard.

Liberty said such material should be protected by legal privileges, but because the systems were failing it was being viewed by people at MI5.

Lawyers for MI5 said they could not explain the exact nature of the breaches in open court, not because they were "embarrassing" but because there were "serious national security concerns".

In a statement last month after he had been informed of the issues,  Mr Javid said MI5 had taken "immediate and substantial" steps to comply with the law.

Julian Milford, representing Mr Javid and Foreign Secretary Jeremy Hunt, acknowledged in court "the existence of serious compliance risks".

But he said these specific issues were a "complete irrelevance" to Liberty's court case, which was challenging the legality of the whole system of information gathering created by the Investigatory Powers Act.