MI5 may have broken the law by holding large volumes of citizens’ private data without proper protections, according to documents released today in the High Court.

The 10 internal documents, which include letters from the most senior officials inside MI5, including correspondence from Director Sir Andrew Parker, show that the spy agency was aware of persistent breaches of compliance over several years.

The documents refer to “historical lack of compliance” and “the undoubted unlawful manner in which data has been held or handled”.

On 11 March 2019, for instance, a letter from MI5’s Director of Policy, Compliance, Security and Information reveals that an MI5 compliance team identified in January 2016 that “data might be being held in ungoverned spaces in contravention of our policies”.

Mitigation work began in January 2018 to resolve the problem, but, the letter says, “the task… was too large”.

Under MI5’s system, compliance gaps were coded red, amber or green according to their severity.

Several practices were coded red, including “review, retention and deletion,” which refers to data held on private citizens.

The documents were released as part of a court case undertaken by the National Council for Civil Liberties against the Home Office.

“The documents show extraordinary and persistent illegality in MI5’s operations, apparently for many years,” said civil liberties organisation Liberty, which is bringing the case.

“The existence of what MI5 itself calls ‘ungoverned spaces’ in which it holds and uses large volumes of private data is a serious failure of governance and oversight, especially when mass collection of data of innocent citizens is concerned.”

Under the Investigatory Powers Act of 2016, the UK’s security services were given extensive powers to collect what is known as “bulk data” on citizens, whether or not they were suspected of a crime.

More follows…