Personal Records/Files
39. Soon after our appointment, the Committee's continuing interest in the Agencies' security policies and procedures led us to begin a detailed examination of the Agencies' policies on the creation and use of personal files, in particular those involving British citizens. Security Service files, in particular, are at the heart of much of the Service's work. They are also the subject of a significant proportion of the complaints to the Security Service Tribunal; of continuing debate in Parliament and, last year, of allegations in the national press by an ex-member of the Service. During the year, we took oral evidence from all three Agencies30 and also, on two occasions, from the Home Secretary31; we also received a body of written evidence, and members of the Committee visited the Security Service to be briefed on the records management systems in use there, and to meet some of the staff directly involved in the handling and safe-keeping of files.
40. In our inquiries, we have been concerned in particular to see:
- whether the Agencies have efficient access to the information they require to fulfil their statutory functions;
- whether such personal and often highly sensitive information is afforded a sufficient degree of protection;
- what protection there is for individuals against having information inappropriately or inaccurately gathered, stored and used against their interests;
- that the Agencies are properly accountable for the decisions they make in respect of individual cases; and
- that there are safeguards against any possibility that the Security Service could use its control of the retention or destruction of files to rewrite the historical record.
Security Service files
41. Security Service policy on the creation, use and retention or destruction of files is set out in a Service Manual of Recording Policy (MRP), whose fundamental purpose is to ensure that the Service complies with its statutory duty to collect and disclose only such information as is necessary for the discharge of its functions under the Security Service Acts 1989 and 1996. Service papers are collected into permanent and temporary files; there are also computerised indices for recording basic details about individuals or organisations which have come to notice in the course of investigations but where there is as yet insufficient information to make a judgement about their significance. Permanent files include personal records, containing security information on individuals, as well as other records covering, for example, organisations of interest, particular subjects of study, major Service projects, and policy and administrative issues. At present, the Service holds around 250,000 hard copy personal records on individuals who may, at some time during the Service's history, have been the subject of inquiry or investigation; a further 40,000 are archived on microfiche32.
42. The function of opening a file is performed by the Central Registry, acting on a request by a desk officer with management approval where necessary. The Registry, which members of the Committee have visited, is responsible for ensuring that the request complies with Service policy that no file is opened unless the subject falls within a current 'recording category'. We were provided with details of these categories, covering the full range of the Service's current operational work. For the most part, they reflect the nature of the threats which the Service is engaged in countering, and specify types of behaviour which indicate that an individual may pose or contribute to a threat. They are defined by the branches within the Service, in consultation with the Registry and the Service's legal advisers, and are regularly reviewed33.
43. Once a file is opened it is initially coded green, the first stage in a 'traffic-lighting' process first described in the Security Service Commissioner's 1991 Annual Report34:
GREEN: 17,500 hard copy files (7% of total) Open for inquiries; papers may be added to file. Individual/organisation falls within current recording category, and is or may be subject of current investigation. We were told, however, that at any one time only a very small proportion of GREEN files are the subject of active investigation, and that most such records will never be the subject of intrusive investigation.
Of all GREEN files (permanent and temporary - see below), roughly two-thirds - around 13,000 files - relate to British citizens.
File remains GREEN for up to five years, depending on recording category, and is then reviewed for transfer to ...
AMBER: 97,000 hard copy files (39%) Closed for active inquiries, but may have relevant new papers added.
AMBER period depends on recording category, but in most cases until subject is 75 years old or until five years after investigation ceases, whichever is later.
RED: 135,500 hard copy files (54%) File closed, and retained for research purposes only, or destroyed.
There are, in addition, some 3,000 temporary (GREEN) files opened to house papers for active investigation pending a decision on whether or not to open a permanent file. These must be converted into a permanent file or destroyed after a maximum of three years, subject to the requirements of the Security Service Tribunal (see below)35.
44. This amounts to a substantial body of information containing a great deal of sensitive and personal information, and we have questioned the Director-General and others within the Service on the issue of access to files and application of the 'need to know' principle in this area. We were told that some files require and are given special protection because of the particularly sensitive nature of the material they contain, for example, on agents of the Service or on espionage or other especially sensitive investigations. In the majority of cases though, there is potentially much broader access to current files, whether it be by line managers and colleagues working in the same general area or by officers in other branches when, for example, a subject might fall within two separate recording categories36 .
45. Beyond this, whenever an individual comes to the attention of a desk officer, a check must be made with the Service file indices to see whether any record already exists on that individual; the desk officer may need to examine all the files on a resultant list to ascertain whether any of them refer to the particular individual of interest. We were told that this is a process which is repeated "hundreds of times every day across the Service"37. We accept that these are necessary processes to enable the Service to conduct its investigative work in an efficient and effective way, and that all Service staff are security cleared to handle very sensitive material. All reasonable steps should be taken, however, to ensure that access to personal files is restricted to those with a clear need to see them, and that there are detailed audit trails to identify which officers or sections have had access to what information, and the reasons for that access.
46. On the uses to which such files are put, we have also given some consideration to the system whereby the Service makes available to an incoming Prime Minister, in relation to the formation of a Government, any relevant national security information (concerning, for example, contacts with a foreign intelligence service, or a relationship with a terrorist organisation) held on candidates for election. A similar service has been provided to the Leader of the Opposition, in forming a shadow cabinet, since 1992. The Director-General told us that individuals' files are sifted by the Service's central secretariat, before summaries are prepared for him for a decision on whether to pass on the information to the Prime Minister: the number of records made available in the last two General Elections was in single figures38. There is a heavy responsibility on the Director-General, in putting forward any such file, to ensure that the information on it has been properly checked and relates solely to national security.
Retention and destruction of files
47. Until 1970, the Security Service weeded and destroyed a proportion of its personal files. When this policy was found to have seriously hampered the investigation of a number of espionage cases, the decision was taken to microfiche closed files, rather than destroy them outright. This remained the position until 1992, when the Service reconsidered its files policy again in the light of the changing nature of the threat with the end of the Cold War and the decline in the threat from subversion i.e. actions intended to overthrow or undermine Parliamentary democracy by political, industrial or violent means. Since that time, the Service has been reviewing and destroying files on a case-by-case basis39. We were told by the Director-General that files would normally be reviewed for destruction at the end of their RED period, but that the Service was currently reviewing files systematically by category, and that routine reviewing had been suspended40. 110,000 files have been destroyed or "marked for destruction" so far. The vast majority of these relate to subversion, on which the Service is no longer conducting any investigations. We note, however, that reviewing in this respect is currently restricted to files on individuals who are over 55 years old. This means that there may be files on individuals under the age of 55 because they joined an organisation which was categorised as subversive possibly 20 years ago, and that these files may still be used for vetting and other purposes. However, no such files would be opened on somebody who joined the same organisation today. We shall be considering this further.
48. When reviewing files, a number of considerations are taken into account, including whether the information is of continuing relevance to the Security Service's functions today, and the Service's responsibilities under the Public Records Act 1958. The former is left entirely to the judgement of the Service alone; the criteria for the retention of files on historical grounds are the subject of discussion with the Public Record Office and a number of historians. The latter were announced by the Home Secretary in the House of Commons on 25 February 1998, and include files relating to: major investigations; important subversive figures, terrorists or spies; individuals involved in historical events; causes celèbres in a security context; major changes in Service's policy, organisation or procedures, and milestones in the Service's history; and cases in which the Service has had a public profile.
49. A further factor is that the Service is required to retain copies of all files where inquiries have been made since 1989 or where vetting disclosures have been made, to meet the requirements of the Security Service Tribunal under the Security Service Act 1989 in relation to the investigation of complaints41. There may also be occasions, for example when an investigation of an individual turns out to have been mistaken or where a particular recording category is deleted or assessed in retrospect to have been invalid since its inception, where a file could be destroyed by the Service well prior to its normal review date.
50. Ultimately, the judgement in respect of the review and destruction of individual files is made solely by the Security Service. We believe, however, that some form of independent check should be built into the process, particularly in respect of files relating to subversion.
51. As we were finalising our Report, the Home Secretary made an important statement on the Security Service's file holdings, and file destruction programme. At the same time, the Service published a further booklet, which includes information about its files. We shall be reviewing these issues in the light of this material. We shall be considering, amongst other aspects: whether individuals should have rights in connection with the destruction or otherwise of any file held on them; protections against having inaccurate information gathered, stored and used against individuals' interests; the position under current data protection legislation; and implications of the European Convention on Human Rights.
Other Agencies' files
52. There are significant differences in the type and use of files in the other two intelligence Agencies. SIS, for example, does not hold files on individuals in the same way as the Security Service. Those that do exist generally relate to staff of the Agency, agents, former agents and others with whom the Service has contact, and may contain information, for example, relating to the subject's potential access to intelligence needed to meet JIC requirements. SIS currently holds 86,000 such records, perhaps half of which relate to UK citizens. Files date back to the earliest days of the Service in 1909; some 75% are closed ie. no papers have been placed on the file for three years, and there has been no 'movement' in the file in the preceding 12 months. The vast majority of SIS files are retained both for historical reasons, and also because of the operational value of reference back to files, sometimes after many years42.
53. Similarly GCHQ does not create or maintain personal records in the same way as the Security Service. Its policy on data classed as personal information ie. records kept for intelligence purposes that contain information about individuals or organisations, falls directly from the Interception of Communications Act 1985 (IOCA) and the Intelligence Services Act 199443. Under the latter Act, where a communication is passing or will pass over a British public telecommunications network, GCHQ require a warrant to carry out interception of that communication. Evidence we took from the Director of GCHQ, however, indicated that there are communications obtained incidentally during the course of an authorised, targeted collection, but relating to an individual who was not the subject of the warrant. We were told that such data which may arise from collection under warrant or otherwise is a necessary and sometimes key analytical tool44. It is particularly important that the use of such material is kept under close review, and that it is destroyed as soon as practicable unless there are clear and continuing operational requirements, which will require its own authority.
54. We have also received some limited written evidence in respect of policy on the use, retention and destruction of personal files by Special Branches, which acquire intelligence to assist the Security Service in carrying out its statutory duties but also to meet local policing needs45. One issue, for example, is the extent to which Special Branches might retain 'subversive files' for their own needs, on individuals whose Security Service file may have been destroyed. We intend to take further evidence on this subject in the autumn, and to report to you in due course.
|
