Last Updated: March 25, 2017
The Investigatory Powers Act (IPA) is a new law that makes mass surveillance legal in the United Kingdom. All citizens’ mobile phone and internet use will now be logged, and the law also allows the government to secretly bypass encryption, among other things.
The Act specifies a number of job roles that have access to your Internet Connection Records (ICRs). Many people are concerned about just how many people in the government have access to them. And they should be!
In Summary: Who Has Access?
WhoIsHostingThis filed almost 100 Freedom of Information Requests to find out exactly who gets access to your data. We can now reveal that there at least 16,318 employees in government and public sector who have legal access to your ICRs. And this number only accounts for two-thirds of the organizations mentioned in the Act.
Our current total represents a lower bound — the minimum number of people who have access to what you do on your computer. Over time, we will doubtless learn more and revise this total. Here is the current breakdown:
|England and Wales||8,716|
|Ministry of Defence||138|
|Northern Ireland and Scotland||1,724|
|Marine and Coastguard||11|
|Fire and Ambulance||538|
If you wish, you can embed this table into your own webpage by copying the text in the following box. It links back to this page in case anyone wants to see the details.
How We Got These Numbers
Section 4 of the Investigatory Powers Act states the roles required for access to Internet Connection Records. There are two levels of access: Full, or Entities. Entities is a restricted view.
All roles in the Act are the minimum required to access Internet Connection Records. In our Freedom of Information Requests, we asked for the names of all roles senior to the minimum role required, as well as a headcount for each role. Not all organizations provided this, but many did.
The aim of this article is not to “name and shame” the people with access to your data. After all, many of them never asked for access, may not want it, and may privately oppose the Investigatory Powers Act.
But it’s important to get to grips with the sheer scale of the issue. There are a dizzying number of people with access to your private data. They all have permission to see what you get up to on your laptop or phone. And, in some cases, it isn’t clear how their jobs have anything to do with the supposed reasons the IPA was passed in the first place.
For example, the Department for Work and Pensions and the Food Standards Agency don’t seem to have anything to do with terrorism or human trafficking.
The Numbers In Detail
The figures we present here come from our Freedom of Information Requests and information on the internet. Some organizations did not respond in the allotted time, some requested further information from us, and others are exempt from providing this information. For these reasons, and the complications around how job sharing is reported, these figures should be considered a minimum.
Number of Police With Access
The Investigatory Powers Act allows Police Inspectors to view a truncated version of your Internet Connection Records (including entities in your Internet Connection Records, and links between those entities). Because the data is opened up to senior roles, we know that Chief Inspectors will also get to see this entity data.
England and Wales
According to 2015 figures, there were 7,358 Inspectors and Chief Inspectors in the force in England and Wales.
Full Internet Connection records can be accessed by anyone with the rank of Superintendent or Chief Superintendent, and any member of staff senior to those roles. Based on the 2015 data, that’s 7,358 officers at those ranks and 1,358 officers above. That makes 8,716 officers in the police force in England and Wales with access to ICRs.
Ministry of Defence
The Ministry of Defence (MoD) Police says that it has a total of 119 in the ranks of Inspector or Chief Inspector. There are 19 officers above that rank, for a total of 138 with ICR access.
At this point, it’s worth noting that at least one MoD policeman has been investigated and relieved of duties for misuse of data in recent years. He was suspended after searching police logs for personal information about the ex-footballer Paul “Gazza” Gascoigne, proving that misuse can and does happen.
Northern Ireland and Scotland
In the Northern Ireland police force, there are at least 436 staff with the role of Inspector or higher, and 21 at Superintendent or higher.
Police Scotland confirmed the figures for its force after processing our Freedom of Information Request. There are 861 police inspectors, 240 inspectors, 117 superintendents, 38 Chief Superintendents, 7 Assistant Chief Constables, 3 Deputy Chief Constables, and 1 Chief Constable, adding 1,267 to the total.
That makes a total of 1,724 officers in Northern Ireland and Scotland with access to ICRs.
Army, Navy, Air Force
The Royal Air Force, Navy, and Army police did not reply to our Freedom of Information Request within the allowed time.
We found a 2013 report on (PDF) gov.uk that there are 5,294 personnel at the rank Commander (Royal Navy Police), Lieutenant Colonel (Royal Military Police), and Wing Commander (Royal Air Force Police). But this represents the entire military. At this time, we do not know how many military police officers have this rank. Just as important, we do not know if general military personnel above this rank will have access.
As a result, we cannot provide an estimate for this category at this time.
Given all the people with access to all of this data, it is of some import that the Chief Constable of Police Scotland was criticized in August 2016 for failing to secure his own personal Facebook page. If the head of the Scottish police has trouble managing his own internet privacy, 58 million UK citizens should surely be concerned that he’s in charge of their data too.
Police total so far: 10,578. Remember: this is based on incomplete data, so it is a low estimate.
We Don’t Know About Access at MI5, MI6, and GCHQ
The intelligence agencies presented a particular problem for our investigation.
MI5 stands for Military Intelligence, Section 5, and is responsible for domestic counter-intelligence and security. Currently, it employs approximately 4,000 people.
The Act allows General Duties 3 staff (or more senior) to access full Internet Connection Records, and General Duties 4 access to Entities only. We asked MI5 for the number of staff in these roles, but they declined to provide any figures.
MI6 stands for Military Intelligence, Section 6, and is responsible for gathering intelligence from outside the UK to support certain UK government activities. Full ICRs will also be available to MI6 staff at Grade 6 or above. We do know that MI6 had 2,479 staff in March 2015 and plans to recruit 1,000 more by 2020. We don’t know how many are at Grade 6 or above, and MI6 did not respond to inquiries.
In 2016, MI6 and MI5 were found to have breached human rights law by collecting bulk communications data without consent. This is the kind of activity that the Investigatory Powers Act was designed to legalize.
GCHQ personnel who have a role of GC8 or above also have access to ICRs. But GCHQ has not responded to our inquiries.
As we have no confirmed numbers for this section, we have not added anything. But it is certain that MI5, MI6, and GCHQ would increase our total by a significant amount.
Number of People at HMRC With Access
We already know that Her Majesty’s Revenue and Customs (HMRC) scrapes social media accounts to find data about UK taxpayers. This data is fed into its analytics platform, Connect, and merged with information about UK residents’ wages, pensions, bank accounts, investments, and online shopping habits. Now that dataset will be augmented with the online activity of ordinary UK residents.
Full Internet Connection Records are visible to Senior Officers at HMRC, while entities are available to Higher Officers. In a 2016 summary of junior posts, there were 2,123 Senior Officers, and 844 Higher Officers. All of the people above these roles also have access, but HMRC did not classify exactly which roles would fall into those groups.
So far, this represents 2,967 HMRC employees, by our count, making our running total 13,545 people — which is a very conservative estimate.
Number of People in Emergency Services With Access
At the Marine and Coastguard Agency, 4 staff can see entity data, and 7 other staff have full access to Internet Connection Records. The Maritime Operations Commander is among them, as is the Head of Enforcement. The Marine and Coastguard Agency did not recognize some of the job roles in the wording of the Act, so this figure may be higher.
Even this relatively small figure should concern you. According to a 2016 Freedom of Information request, the Marine and Coastguard Agency’s IT security audit revealed 16 “significant” security risks. It did not, however, provide any information about the nature of those risks.
At fire brigade and ambulance services, Internet Connection Records are available to Watch Managers and Duty Managers in control rooms. These people are in charge of directing the response to incidents. All of the roles senior to these people also have full access to ICRs, including Brigade Managers, Area Managers, Operations Managers, and others.
We made Freedom of Information Requests to each individual fire or ambulance authority, and we confirmed at least 644 people with access across all of the fire and ambulance services that responded.
That brings our total to 14,189 that are known.
Number of People With Access Elsewhere
Here are the responses to our FOI requests, along with the figures we were given:
- 279 people at the Competition and Markets Authority
- 326 at the Department of Health Medicines and Healthcare Products Regulatory Agency
- 10 at the Department of Health Anti-Fraud Unit
- 59 at the Department for Work and Pensions
- 3 at the Common Services Agency for the Scottish Health Service
- 13 at the Criminal Cases Review Commission
- 537 at the Department for Communities in Northern Ireland
- 5 at the Department for the Economy in Northern Ireland
- 11 at the Department of Justice in Northern Ireland
- 13 at the Financial Conduct Authority
- 45 at the Food Standards Agency
- 5 at Food Standards Scotland
- 56 at the Gambling Commission
- 45 at the Health and Safety Executive (HSE)
- 10 at the Independent Police Complaints Commission (IPCC)
- 75 at the Information Commissioner’s Office (ICO)
- 13 at the National Health Service Business Services Authority
- 3 at the Northern Ireland Health and Social Care Regional Business Services Organisation
- 548 people at the Office of Communications
- 16 at the Office of the Police Ombudsman for Northern Ireland
- 2 at the Police Investigations and Review Commissioner
- 49 at the Serious Fraud Office
- 6 at the Northern Ireland Fire and Rescue Board.
This makes for a total of 2,129 more people who have access to Internet Connection Records, bringing our total to 16,318.
There are doubtless many more — based just on the lack of information about MI5, MI6, and GCHQ. But there are potentially thousands more that remain uncounted.
Why This Matters
Again: this isn’t an attempt to shame people with access to your personal data. But it is an attempt to shock you into recognizing how wide-open the access is.
Small-scale data protection breaches happen all the time; large scale hacks aren’t that rare. And the UK government has a long track record of losing personal data accidentally, too.
UK councils also have a dubious record when it comes to misusing surveillance in the past. For example:
- RIPA, a similar, but less intrusive law from 2000, was allegedly misused for surveillance of citizens by 186 different councils in the UK according to a 2016 report. Some of its uses were allegedly as trivial as “spying on people walking dogs, feeding pigeons, and fly-tipping [illegal disposing of waste].”
- A previous report from 2010 cites RIPA being used in surveillance, including by local councils spying on their own employees.
- Some local councils in Scotland have been criticized for having a “dangerously lax attitude” towards civil liberties.
Some misuse may be intentional, while some may be the result of simple ignorance. At least one of the organizations that we approached did not provide an answer to our questions because the respondent did not know what Internet Connection Records are, even after we provided a link to the Act.
The more people that can access the data, the more potential there is for that data to be accessed illegally, or used unethically. And that can compromise your safety and your liberty.
Upwards of one hundred FOI requests were filed for this article. Of these, 76 were completed and used in the final version of this article. As we gather more data, we will add to this article. Here are PDFs containing each FOI document we have used:
- Avon Fire and Rescue Service
- Bedfordshire and Luton Fire and Rescue Service
- Buckinghamshire Fire and Rescue Service
- Cambridgeshire Fire and Rescue Service
- Cheshire Fire and Rescue
- Cleveland Fire Brigade
- Common Services Agency for the Scottish Health Service
- Competition and Markets Authority
- Cornwall Fire and Rescue Service
- County Durham and Darlington Fire and Rescue Service
- Criminal Cases Review Commission
- Department for Communities Northern Ireland
- Department for the Economy in NI
- Department for Work and Pensions
- Department of Health Anti-Fraud Unit
- Derbyshire Fire and Rescue Service
- Dorset and Wiltshire Fire and Rescue Service
- East Midlands Ambulance Service NHS Trust
- East of England Ambulance Service NHS Trust
- East Sussex Fire and Rescue Service
- Essex County Fire and Rescue Service
- Financial Conduct Authority
- Food Standards Scotland
- Gambling Commission
- Gloucestershire Fire and Rescue Service
- Hampshire Fire and Rescue Service
- Health and Safety Executive
- Independent Police Complaints Commission
- Information Commissioner
- Isle of Wight Fire and Rescue Service
- Isles of Scilly Fire and Rescue Service
- Kent Fire and Rescue Service
- Lancashire Fire and Rescue Service
- Leicestershire Fire and Rescue Service
- Lincolnshire Fire and Rescue Service
- London Ambulance Service NHS Trust
- London Fire Brigade
- Maritime and Coastguard Agency
- Medicines and Healthcare Products Regulatory Agency
- Merseyside Fire and Rescue Service
- Ministry of Defence Police
- National Health Service Business Services Authority
- Norfolk Fire and Rescue Service
- Northamptonshire County Council Fire and Rescue Service
- North East Ambulance Service NHS Foundation Trust
- Northern Ireland Ambulance Service
- Northern Ireland Health and Social Care Regional Business Services Organisation
- Northern Ireland Prison Service
- Northumberland Fire and Rescue Service
- North West Ambulance Service NHS Trust
- North Yorkshire Fire and Rescue Authority
- Nottinghamshire Fire and Rescue Service
- Office of Communications OFCOM
- Oxfordshire Fire and Rescue
- Police Investigations and Review Commissioner
- Police Ombudsman of Northern Ireland
- Royal Berkshire Fire and Rescue Service
- Scottish Ambulance Service
- Scottish Criminal Cases Review Commission
- Serious Fraud Office
- Shropshire Fire and Rescue Service
- South Central Ambulance Service
- South East Coast Ambulance Service NHS Foundation Trust
- South Western Ambulance Service NHS Foundation Trust
- Staffordshire Fire and Rescue Service
- Suffolk Fire and Rescue Services
- Surrey Fire and Rescue
- Tyne and Wear Fire and Rescue Service
- Warwickshire Fire and Rescue Service
- Welsh Ambulance Services NHS Trust
- West Midlands Ambulance Service NHS Foundation Trust
- West Sussex Fire and Rescue
- West Yorkshire Fire and Rescue Service
- Yorkshire Ambulance Service
- Norther Ireland Fire and Rescue
- Greater Manchester Fire and Rescue
- Hertfordshire Fire and Rescue
- Police Scotland
Organizations that Did Not Reply
A number of organizations failed to provide the information we asked for by the legal deadline. Note that there are any number of reasons why this may be — it is not necessarily the fault of the organization in question. We will continue to work on getting data from these organizations:
- Cumbria Fire and Rescue Service
- Gangmasters and Labour Abuse Authority
- Home Office
- Humberside Fire and Rescue Service
- Ministry of Justice
- National Crime Agency
- Police Service of Scotland
- Royal Air Force Police
- Royal Military Police
- Royal Navy Police
- Scottish Criminal Cases Review Commission
- West Midlands Fire Service
In addition to these, the Ministry of Defence did respond to our inquiry (PDF) via traditional mail. As a result, we received it only shortly before publication. More important, it did not provide information, but rather asked for additional details. We will continue to pursue this matter.
Update (March 25, 2017)
We eliminated our total for the military police because we cannot confirm the number from public records and have received no responses from the Royal Air Force, Navy, and Army. We have increased our numbers because of late arriving FOI responses. We increased the numbers for Police Scotland up to 1,267, Greater Manchester Fire and Rescue to 83, Hertfordshire Fire and Rescue to 12, and Northern Ireland Fire and Rescue to 6.