The UK's three major spy agencies have been covertly collecting personal data about British citizens en masse since the 1990s and haven't always followed their own protocols about its use, according to documents published online Thursday.
Privacy International, a rights group that has scrutinized the agencies since 2013, when whistleblower Edward Snowden revealed governments' widespread spying on average citizens, published almost 80 previously secret files from GCHQ, MI5 and MI6.
The files, released to the group in response to a legal complaint filed last year, provide new insights into an activity known as "bulk personal dataset" collection. The information comprises detailed medical, travel and financial records, communications data and the contents of emails and phone calls, even for people the agencies acknowledged in the documents are "unlikely to be of intelligence or security interest."
The newly published files reveal for the first time the extent of the data collected on average UK citizens. While most people have known for a while that British intelligence agencies monitor communications, few realized that the agencies seek out, store and search data as personal as National Health Service records and signatures of online petitions. The documents also show that the data has been collected regardless of whether a citizen may pose a threat to national security.
"This data is integrated into databases that could be used to build detailed profiles about all of us," Millie Graham Wood, legal officer at Privacy International, said in a statement. "The agencies themselves admit that the majority of data collected relates to individuals who are not a threat to national security or suspected of a crime."
None of the agencies provided details to Privacy International about the number of British citizens in the database. But internal memos contained in the documents reveal they include the families and friends of spy agency employees, as well as the staff members themselves.
Details of detected misuse of the personal data were reported in a newsletter -- part of the newly released documents -- that circulated internally among the Secret Intelligence Service, aka MI6, staff in September 2011.
"We've seen a few instances recently of individual users crossing the line with their database use for instance, looking up addresses in order to send birthday cards, checking passport details to organise personal travel, checking details of family members for personal reasons," the newsletter reads. "Another area of concern is the use of the database as 'convenient' way to check the personal details of colleagues when filling out Service forms on their behalf."
Staff members were reminded at the time, as well as in later memos, that misuse of the database could be illegal and could result in disciplinary action or dismissal.
Information about the existence of the data collection became public in a March 2015 report from the Parliament's Intelligence and Security Committee, which oversees the spy agencies. Committee members indicated in the report their concern over the absence of legal penalties for misuse of bulk personal datasets. The committee also noted that the data's collection had not been publicly acknowledged and that Parliament had not weighed in on privacy and safeguards. There was also concern that access to datasets didn't require approval from senior government ministers but was instead controlled internally.
MI5, MI6 and GCHQ did not respond to a request for comment.