On 9 May 2019 I made a Written Ministerial Statement to notify Parliament of compliance risks that MI5 had identified and reported within certain technology environments used to store and analyse data. In the statement I confirmed that I had established an independent review to consider and report back to me on what lessons could be learned for the future. My statement today notifies Parliament that this review, the Compliance Improvement Review (CIR), is now complete and that the Government is publishing the summary section of the report and its recommendations, gisted where necessary for national security reasons.
The CIR was led by Sir Martin Donnelly, a former Permanent Secretary, and examined how the issue arose and considered MI5’s governance and risk management procedures in light of this. The review team had access to all relevant documentation and met key individuals from Government, MI5 and the Investigatory Powers Commissioner’s Office to discuss the background to the risks being identified. I would like to place on record my thanks to Sir Martin and the review team, who have worked diligently to complete a thorough and well-evidenced review.
I was provided with a copy of the review report in late June and have since had the opportunity to discuss it with Sir Martin. The Investigatory Powers Commissioner and the Intelligence and Security Committee of Parliament have both received copies of the full report.
The CIR identified three areas where improvements can be made. These are: improvements to support an effective compliance culture across MI5; improvements to ensure more effective sharing of information between MI5 and the Home Office to identify emerging issues; and improvements to ensure increased legal input to the MI5 Management Board and ensuring closer joint working between MI5 and Home Office legal advisors. The review makes a total of 14 recommendations to address these issues, which are set out in the document that has been published today.
I can confirm that DG MI5 and I agree with the CIR’s conclusions and my department will now work closely with MI5 to deliver the recommendations.
It should be noted that the CIR found that there was no attempt by MI5 to hide the compliance risk they were managing. The CIR describes MI5 as “a consistently high-performing organisation, with a growing number of committed and professional staff working under sustained pressure to keep this country safe”, a view I share from my experience as Home Secretary. Copies of the CIR summary document will be made available on Gov.UK and will be placed in the Libraries of both Houses.