Section 220 of the Intelligence and Security Act 2017 explicitly bans use of vetting information for any purpose other than security clearance assessment and counter-intelligence. The purpose of the ban is to ensure people can give honest answers to vetting questions without e.g worrying that if they disclose minor past criminal behaviour, the SIS will rat them out to police. But despite this clear legal prohibition, the SIS has been using it for counter-terrorism investigations, and sharing it with law-enforcement. On one occasion, this was apparently done without any legal assessment whatsoever. On another, they relied on a tendentious legal interpretation from their pet lawyers that "disclosure" was not "use", so s220 did not apply (this was stomped on by Crown Law, but only after the information had illegally been disclosed). But most worryingly, they have used intelligence warrants - which allow spies to carry out "an otherwise unlawful activity" - to over-ride the protection of s220. Which effectively renders all the "protections" of the Act a simple nullity. The IGIS recommends this practice stop immediately. Whether it has or not is something we won't know until their next report.
(As an aside, the IGIS also notes that disclosure of vetting information to police may be a crime. But of course no-one will ever be prosecuted for it, because both the spies and police are above the law).
Another report showing that the SIS remains a pervasively criminal agency which is constantly trying to evade the legal limits imposed on it by Parliament is bad enough. But the most worrying aspect of this is the use of intelligence warrants to bypass legal prohibitions on disclosure. The IGIS says that this is unlawful for vetting information because a warrant cannot over-ride the Intelligence and Security Act itself:
Section 49(3) ISA provides that an authorised activity may lawfully be carried out “despite anything to the contrary in any other enactment” [my emphasis]. In my view, if the intent of Parliament was to enable an authorisation to override anything in the ISA itself, the section would state ‘in this or any other enactment’, or words to that effect.But the upshot of that is that it can be used to over-ride promises of secrecy or confidentiality in other enactments. For example, in the Data and Statistics Act 2022 (allowing them to access your personal dossier in the Integrated Data Infrastructure), or in the COVID-19 Public Health Response Act 2020 (allowing them to access your contact-tracing information). Parliament makes these promises for the same reasons as for s220 ISA: to encourage honesty where information is crucial. But it turns out that none of them are binding. Whether the spies are in fact pissing all over Parliament's solemn promises in this way is something we will likely never know (again, unless there is an IGIS report). But the fact that it is a possibility will inevitably affect the quality of the answers the government gets, and is a standing threat to both good government and trust in government in this country.