Surveillance data breach draws criticism for MI5

The Home Secretary, Sajid Javid, has said that MI5 failed to uphold security standards through its handling and analysis of data, including that of British citizens being monitored by MI5.

In a statement made before parliament last week, Mr Javid conceded that officials at the secret service agency had made its data stores on UK residents too available, reports in The Register reveal.

Some of the data processing conducted by MI5 and other similar agencies “is kept to the minimum necessary for the statutory purpose, including the number of people to whom material is made available, the number of copies made and the length of time it is retained,” Mr Javid said.

Lord Justice Fulford, the Investigatory Powers Commissioner described the breach in standards as “serious”, and a situation that required “immediate mitigation.”

While not giving full details to parliament owing to a legal case in process brought by pressure group, Liberty, Mr Javid explained to MPs that “the compliance risks identified are limited to how material is treated after it has been obtained.

“They do not relate in any way to the manner in which MI5 acquires information in the first instance or the necessity and proportionality of doing so,” he added.

In the Investigatory Powers Commissioner’s Office (IPCO) annual report for 2017/18, the most recent published by the authority, MI5 came under fire for using “boilerplate text” in internal applications used to survey certain individuals and groups. The implication in this instance was that MI5 operatives were not doing enough to respect current data protection laws.

In a statement, Lord Justice Fulford said:

“I first became aware of the compliance risks identified by MI5 at an oral briefing meeting on 27 February 2019, and I immediately requested a comprehensive written description of all the matters that had then been outlined. This was provided on 11 March 2019.”

“I am reassured that MI5 has taken immediate steps to introduce a series of mitigating actions in the light of that thorough review, and these actions – along with a programme of further measures that will be progressively implemented – provide sufficient reassurance that MI5’s handling arrangements within the particular area of concern are now satisfactory as regards warranted material,” he continued.

Megan Goulding, a lawyer for Liberty, said:

“The breach in itself is deeply concerning but on top of that the way this has unfolded – with IPCO only finding out because MI5 reported it, and the wider public only knowing apparently because of our legal case – shows how fatally flawed the oversight system for security services is.”

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered.