MI5 works within a strict framework of legislation and oversight to ensure our investigative powers are only used where it is necessary and proportionate to do so. Our work is subject to rigorous scrutiny: by the Home Secretary, who personally signs warrants for our most intrusive activity; by Parliament, in the Intelligence and Security Committee; and by the Investigatory Commissioners Office (IPCO) and Judicial Commissioners who are involved in the authorisations of our warrants and the overseeing of our use of such authorisations.
The statutory basis under which MI5 operates is set out in the Security Service Act 1989. The Act sets out our functions and gives some examples of the nature and range of threats that we are responsible for countering.
In summary our functions are:
In a democracy, a domestic security service must be apolitical and accountable. The Act places us under the authority of a Secretary of State, in practice the Home Secretary, who is accountable to Parliament for the work of MI5.
The Act also sets out the Director General's responsibilities in law for ensuring that we do not act to further the interests of any political party. Our role is to protect democracy, not to influence its course. The government of the day cannot instruct MI5 to perform any action for party political reasons.
Article 8 of the European Convention on Human Rights (ECHR) asserts the right to respect for private and family life, home and correspondence. It states that public authorities should not interfere with this right, except in specific circumstances, and this obligation is embodied in the UK through the Human Rights Act 1998.
MI5’s functions are recognised in Article 8 as providing a legitimate basis, in appropriate cases, for interference with an individual’s right to respect for their privacy. Leander v Sweden (1987) established that a state can pursue these functions through a security service that has a clear legal basis.
The state should also ensure that there are adequate and effective guarantees against abuse. The Regulation of Investigatory Powers Act 2000 (RIPA) established mechanisms for the oversight and control of MI5’s activities.
RIPA provides a legal framework for the use of covert surveillance, covert human intelligence sources, the interception of communications, and the acquisition, disclosure and retention of communications data.
All intelligence gathering activities that fall into these categories must, under RIPA, be authorised by designated persons within MI5. These individuals must agree that the action is necessary and proportionate to the aims of the investigation, and that the information cannot be obtained using less intrusive methods. Authorisations must be recorded, and made available to independent commissioners appointed under the terms of RIPA to ensure intelligence gathering is proportionate and not used excessively or inappropriately.
Interception of communications and intrusive surveillance also require the authority of a warrant signed by a Secretary of State, usually the Home Secretary. In most cases, intrusive surveillance will also require a property warrant under the Intelligence Services Act 1994 (authorised by a Secretary of State), to authorise any interference with an individual’s property that is necessary to install a surveillance device.
Under the Investigatory Powers Act of 2016 (IPA), three precursor organisations (Office of Surveillance Commissioners, Interception of Communications Commisioner's Office and the Intelligence Services Commissioner's Office) were merged to form the Investigatory Power's Commissioners Office (IPCO) in September 2017, as an independent oversight body for MI5's use of investigatory powers.
IPCO are responsible for ensuring that MI5's use of these powers are lawful, necessary and proportionate. This oversight responsibility is met through a comprehensive inspective process, whereby IPCO thoroughly examines MI5's use of these powers throughout the year.
IPCO oversight functions extend to also having sight of MI5 warrants throughout the 'double lock' process. This consists of a Judicial Commissioner reviewing MI5 warrants once they have been approved by the Home Secretary, and only authorising the warrant if they feel that the warrant is necessary and proportionate in the interest of MI5's statutory functions.
The Data Retention and Investigatory Powers Act 2014 confirms that companies can be required to retain certain types of communications data for up to 12 months. It also clarifies that companies providing communications services to UK customers should comply with requests for data made under RIPA regardless of where they provide the service from.
Three pieces of legislation define the individual's right to access information held about them within the public sector: the Data Protection Act 2018 (DPA), the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations (EIR). In addition to this, most public sector bodies which process personal data are subject to Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (known as the General Data Protection Regulation, or GDPR). However, MI5 is not subject to the GDPR and processes personal data pursuant to Part 4 of the Data Protection Act 2018.
For more information about this, see Access to information.
The Terrorism Act 2000, Anti-Terrorism, Crime and Security Act 2001, Terrorism Act 2006 and Counter-Terrorism Act 2008 have defined and expanded the range of criminal activities related to terrorism, and police powers to deal with them.
The Terrorism Prevention and Investigation Measures (TPIMs) Act 2011 introduced TPIMs to reduce the risk from people believed to be engaged in terrorism-related activity who cannot be prosecuted or deported. The restrictive measures are more tightly proscribed than those previously available under control orders, which TPIMs replace.