The commissioners responsible for overseeing the UK's spy agencies have admitted that they have never carried out a formal inspection or audit of the sharing of bulk communications and personal data with industry.
The intelligence agencies' collection of mass communications data has come under repeated scrutiny, and the government was dealt a heavy blow last year when the Investigatory Powers Tribunal ruled that a chunk of its activities had been unlawful.
In a case brought by campaign group Privacy International in October 2016, the court ruled that bulk collection of data carried out by GCHQ and MI5between 1998 and 2015 – through directions given under section 94 of the Telecommunications Act 1984 – was illegal.
The Investigatory Powers Tribunal is holding a follow-up hearing this week, which is looking at three further issues, including whether and how the government shares the bulk communications or personal data it hoards with foreign governments and other organisations.
Although the agencies' official line is not to confirm or deny such data sharing has taken place, historic documents released by NSA whistleblower Edward Snowden have indicated that information had been shared with researchers at the University of Bristol.
And one of the documents put forward during this week's hearing from the two oversight bodies – the Intelligence Services Commissioner and the Interception of Communications Commissioner's Office (IOCCO) – reveals that there has never been a formal audit of information sharing.
The letter, sent to the tribunal and seen by The Register, is in response to a request from Privacy International for more information on the auditing of bulk communications and personal data sharing with industry partners.
Industry partners are understood to cover non-government bodies, many of which will use the information to develop software or hardware to improve storage or manipulation of the data.
The commissioners' letter states: "Neither commissioner with responsibility for the intelligence agencies, nor their inspectors, has ever conducted a formal inspection or audit of industry in this regard."
Elsewhere in the document, the commissioners say that if the agencies think there is merit in sharing personal datasets externally "then it must meet the necessity and proportionality tests under the Security Service Act or the Intelligence Services Act as well as considering any wider legal, political or operational risks".
We can neither confirm nor deny anything
However, Millie Graham Wood, legal officer at Privacy International, branded the answer "fairly vague" and expressed concern at a lack of clear information on the way sensitive personal information was being handled.
"As has happened a lot in this case, we're slowly eking out what's been going on for a long time," she told The Reg. "There's a real question about what's happening in relation to sharing data externally – yet again it seems what has been going on has taken place in secret and there is inadequate oversight to ensure against abuse and misuse of individuals' data."
She added that because the government will neither confirm nor deny that sharing occurs, "we are in a situation where there is a considerable lack of information".
"We don't expect from the government a wholly unredacted policy document. If they are going to be handing over this data then we should at the very least get something whether it be a highly redacted document, that sets out the agreements that have to be in place. We want a better idea of what's going on," Graham Wood said.
This week's Investigatory Powers Tribunal hearing will also consider whether the level of interference in communications and personal data is proportionate, as well as the impact of EU law on the mass collection of communications and personal data.
A landmark ruling from the European Court of Justice at the end of last year, which came about after Labour deputy leader Tom Watson issued a legal challenge against the Investigatory Powers Act, said that general and indiscriminate retention of electronic communications data was illegal – and that EU law overrules national legislation.
However, in its respondents' skeleton case – published at the start of the hearing – the government says that the case cannot be applied to bulk communications and personal dataset regimes.
An IOCCO spokesperson said: "While IOCCO has consistently argued for greater transparency in the use of investigatory powers, the question of what sensitive information should be considered in an open hearing of the Investigatory Powers Tribunal is for the tribunal."
The case is due to run all week.