"This highly sensitive information about us is vulnerable to attack from hackers, foreign governments and criminals. The agencies have been doing this for 15 years in secret and are now quietly trying to put these powers on the statute book for the first time in the investigatory powers bill, which is currently being debated in parliament."
A large cache of over 100 memorandums, forms and policy papers, obtained by the privacy campaign group throws light on how the data is collected, stored and used by the intelligence agencies.
"Although bulk personal datasets constitute only a tiny proportion of the data GCHQ obtains, its retention and use of such datasets represent a significant interference with many people’s right to privacy under the European Convention on Human Rights (ECHR)," said a document.
GCHQ started collecting bulk personal data from 1998 under section 94 of the 1984 Telecommunications Act, the document revealed.
The agencies collected details of individuals from passports, travel records, financial data, telephone calls, emails and other hidden or open sources.
The documents showed that the intelligence agencies often received warnings over the consequences of misusing private data of individuals.
"We’ve seen a few instances recently of individuals crossing the line with their database use … looking up addresses in order to send birthday cards, checking passport details to organise personal travel, checking details of family members for personal convenience," said a newsletter circulated in September 2011 by the Secret Intelligence Agency (SIS).
"Another area of concern is the use of the database as a ‘convenient way’ to check the personal details of colleagues when filling out service forms on their behalf.
"Please remember that every search has the potential to invade the privacy of individuals, including individuals who are not the main subject of your search, so please make sure you always have a business need to conduct that search and that the search is proportionate to the level of intrusion involved."
Two MI5 and three MI6 officers were "disciplined" between 2014 and 2016 for misusing the data. Last year, a member of GCHQ’s staff was also reported to have been sacked for conducting unauthorised searches, the Guardian reported.
The documents also disclose that mistakes committed while handling the data continues to be an issue. The UK government lawyers said "47 instances of non-compliance either with the MI5 closed section 94 handling arrangements or internal guidance or the communications data code of practice were detected."
The documents show that each intelligence agency possesses a separate database, with MI5 storing the bulk data at its headquarters in London.
Jacob Ginsberg, Senior Director at Echoworx, said: "The UK governmentand its intelligence agencies are watching UK citizens as if they were criminals. This kind of cyber surveillance is no different to old school wire-tapping. However, a wiretap may only be approved by a court if evidence of reasonable suspicion can be found.
"The government should not be allowed to circumvent existing laws that have been put in place to protect law abiding citizens from potentially harmful intrusion. Having the power to sweep someone’s phone records, financial data, medical records and internet communications without a warrant during bulk data collection is morally wrong."
This article is from the CBROnline archive: some formatting and images may not be present.
Join Our Newsletter
Want more on technology leadership?
Sign up for Tech Monitor's weekly newsletter, Changelog, for the latest insight and analysis delivered straight to your inbox.