In 2019, my predecessor notified Parliament of compliance risks that MI5 had identified and reported to the Home Office and the Investigatory Powers Commissioner. These risks were identified within certain technology environments used to store and analyse data, including material obtained under the Investigatory Powers Act. The compliance risks related to the particular safeguards set out in the Investigatory Powers Act that relate to the processing of material that has been obtained under a warrant—section 53 of the Act and the corresponding provisions.
As part of the response to this, Sir Martin Donnelly, a former Permanent Secretary, conducted an independent review to consider how these risks arose and what could be done to reduce the likelihood of a similar situation arising again in the future. In June 2019, the Compliance Improvement Review’s summary and recommendations were published on gov.uk and work began immediately to address these recommendations. One of these recommendations was
“the satisfactory delivery of this change programme should be independently verified by the end of June 2020.”
On 6 July 2020, I made a written ministerial statement to notify Parliament that due to the adverse impacts of covid-19 the independent verification of the implementation of the recommendations would be delayed until the start of 2021. Despite the ongoing impact of covid-19, the independent verification has now taken place.
The independent verification process was led by Mary Calam, a former director-general in the Home Office. She considered whether the work undertaken since the summer of 2019 had addressed the concerns raised in Sir Martin Donnelly’s report and delivered the outcomes he had intended. Mary had access to all relevant documentation and personnel, and conducted interviews with senior members of the relevant organisations as well as with focus groups of staff. I would like to place on record my thanks to Mary and the review team, who have produced a comprehensive report in a difficult working environment due to covid-19.
I was provided with a copy of the verification report earlier this year and have since had the opportunity to discuss it with Mary. The Investigatory Powers Commissioner and the Intelligence and Security Committee of Parliament have both received copies of the full report.
The verification report concludes that significant and measurable progress has been made and that the new operating model is an excellent start to ensure any future compliance risks are identified and addressed early. The report finds that
“MI5 have used the Compliance Improvement Review to make fundamental changes across the whole organisation”
“there is new governance to oversee compliance and security risks and resourcing for compliance work has been significantly increased.”
The report further notes that
“the broader changes that MI5 has made to strengthen its legal compliance risk management processes, instil a culture of individual accountability for legal compliance risk and ensure that compliance is built in to new products should give Ministers greater confidence that new risks will be identified early and addressed promptly.”
The report does acknowledge that, in places, work remains to be done and that maintaining high levels of compliance is—by definition—an ongoing effort. MI5 have already put in place a successor programme to take forward further work and the director-general of MI5 and I are fully committed to ensuring this work remains a priority. I will continue to monitor progress through the quarterly MI5 Ministerial Assurance Group which I chair.
I am very grateful to the director-general of MI5 and his staff, as well as my own officials, for the immense progress that has been made since Sir Martin Donnelly completed his compliance improvement review in June 2019.
A copy of the verification summary document will be made available on www.gov.uk and will be placed in the Libraries of both Houses.