Guidance

Bulk personal dataset (BPD) overseas sharing handling arrangements

Updated 21 March 2024

1. Section 109 of the Data Protection Act 2018 applies to the disclosure of a Bulk Personal Dataset (BPD) as defined by Part 7 of the Investigatory Powers Act 2016 or part of a dataset which in itself would meet the statutory definition of a BPD by the intelligence services. SIS/MI5/GCHQ cannot disclose personal data to an international organisation or country or territory outside of the United Kingdom unless it is necessary and proportionate to do so for the purposes of the relevant agency’s statutory functions (section 2(2)(a) of the Security Service Act 1989 and sections 2(2)(a) and 4(2)(a) of the Intelligence Services Act 1994). The sharing of BPD with overseas partners must be carefully managed to ensure that disclosure only takes place when it is justified on the basis of the relevant statutory disclosure gateway. This would include a consideration of:

• the nature of the BPD that is due to be disclosed
• the nature and remit of the receiving party
• the approach taken by SIS/MI5/GCHQ who may have shared BPD with the receiving party under consideration and with regard to any protocols/understanding that have previously been used/followed
• whether the individual circumstances of the BPD disclosure under consideration would require the intelligence service to seek assurances from the receiving party as to its handling of the data contained in the BPD, including limitations on access to the data, restrictions on the onward disclosure, copying, distribution, retention of the data to the minimum necessary to achieve the statutory purpose of the disclosure and conditions for the deletion of the data
• whether the particular circumstances of the BPD disclosure under consideration would require any restriction, or assurances, on the use the data can be put to by the receiving party to ensure its use was in accordance with the UK’s international obligations

2. When considering disclosure of BPDs or information in BPDs, SIS/MI5/GCHQ staff would be required to consider whether the relevant BPD was acquired under a warrant or authorisation and whether any conditions imposed by the method of acquisition or relevant handling arrangements (such as for interception or equipment interference) apply to it. If such conditions or handling arrangements do apply, they must be followed.

3. If a BPD is subject to a Secretary of State’s direction under section 225 of the Investigatory Powers Act 2016, such a direction may require that any conditions applicable to intercepted material or equipment interference material must also apply to the BPD. These may have an impact on the extent of disclosure or on the requirements that must be met before disclosure can take place, and may mean that the BPD is also subject to the disclosure requirements of the intelligence service’s interception or equipment interference handling arrangements.

4. If disclosing BPD to an overseas authority, SIS/MI5/GCHQ must ensure that the receiving party has safeguards in place for storing data and restricting onwards disclosure, although this does not mean that the safeguards must be comparable to those applied by the intelligence services. SIS/MI5/GCHQ will consider whether it is appropriate to require the overseas authority to apply further safeguards limiting the dissemination, storage and copying of the data and requiring its destruction when there are no longer grounds for retaining it and will keep those conditions under review.

5. Where appropriate, the same restrictions on the retention, dissemination and destruction of material that apply to SIS/MI5/GCHQ should apply to the overseas authority. Where this is not appropriate, SIS/MI5/GCHQ staff considering authorising such a disclosure must balance the risk that the material will not be subject to the same level of safeguards against the risks to national security if material is not disclosed.

6. Any data shared with an overseas organisation will be on the basis that it must not be shared beyond the recipient organisation unless explicitly agreed in advance or approved through established processes between the intelligence service and the recipient party.

This document was first published on 11 August 2023.