At a glance
- Under Part 3 of the DPA 2018 individuals have the right of access, the rights to rectification, erasure or restriction of processing, and the right not to be subject to automated decision-making.
- Some of these rights may be limited or restricted where this is a necessary and proportionate measure to protect national security. For ease of reference, these restrictions are referred to in this guidance as the national security provisions.
- The national security provisions may also limit your obligation to inform individuals about personal data breaches, where this is necessary and proportionate to protect national security.
- The national security provisions do not apply in a blanket manner. You must be able to show that deviating from specified data protection standards is necessary and proportionate to safeguard national security.
- A Minister of the Crown (specifically a member of the Cabinet, the Attorney General or the Advocate General for Scotland) can issue a certificate relating to the national security provision you wish to apply. You may rely on the certificate as conclusive evidence that the provision is a necessary and proportionate measure to protect national security. You should not assume that you must apply the provision, simply because a certificate has been issued. We publish details of relevant certificates.
- There is no exemption from, or restriction to, the data protection principles. You must always ensure your processing is generally fair and lawful, and complies with the other data protection principles.
- You must always comply with your general accountability and governance obligations.
Checklist for using the national security provisions
☐ We are a competent authority processing for law enforcement purposes.
☐ Our processing is fair and lawful, and we comply with the data protection principles.
☐ We comply with the data protection rights and obligations wherever possible, unless a restriction or limitation is necessary and proportionate to protect national security.
☐ We have considered the rights and legitimate interests of the individual, and have concluded that applying the national security provisions is a necessary and proportionate measure in the circumstances.
☐ We can point to a link between giving full effect to individuals’ rights, or fully complying with our personal data breach obligations, and a potential adverse effect on national security.
☐ We have considered whether a national security certificate is applicable in the circumstances.
☐ We do not apply the national security provisions in a blanket manner, but only to the extent required to protect national security.
☐ We have considered whether we can inform the individual of the use of the provision, or whether this would itself undermine national security.
☐ We have recorded the use of the provision and can demonstrate its necessity and proportionality in light of the individual’s rights and legitimate interests.
Does this guidance apply to us?
This guidance applies to you if you are a competent authority processing for law enforcement purposes related to national security.
The rules governing law enforcement processing are set out in Part 3 of the DPA 2018.
If you are a competent authority processing data for a non-law enforcement purpose (eg for national security purposes only), the UK GDPR will apply to this processing. You should refer to our Guide to the UK GDPR.
If you are not a competent authority, and are processing personal data under the UK GDPR, different provisions apply. You should read our Guide to the UK GDPR.
The intelligence services themselves (or processors acting on their behalf) are covered by a separate regime. For more information, see our Guide to Intelligence Services Processing.
What are the national security provisions?
The rights that individuals have when their data is being processed for law enforcement purposes are set out in sections 44 to 49 of the DPA 2018.
Some of these rights may be limited or restricted in certain circumstances. These circumstances are laid out in the provisions which set out the right. One of these circumstances is when restricting the right is necessary and proportionate to protect national security.
Section 68 sets out your obligations as a controller to inform individuals of a personal data breach which is likely to result in a high risk to their rights and freedoms. This obligation can be limited under certain circumstances. One of these circumstances is when limiting the information you provide is necessary and proportionate to protect national security.
For ease of reference, these restrictions and limitations are referred to in this guidance as the national security provisions.
You must still comply with the data protection principles, and with your accountability and governance obligations.
What does national security cover?
National security is not specifically defined, and can be interpreted flexibly so that it adapts to changing threats. Thirty years ago, for example, it would have been difficult or even impossible to predict the threats that developments in computer and communications technology could give rise to, or how terrorists or hostile states could exploit those developments. National security is generally understood to cover the security and well-being of the UK as a whole, its population, and its institutions and system of government. For example, it can cover:
- protection against specific threats, such as from terrorists or hostile states;
- protection of potential targets even in the absence of specific threats; and
- international co-operation with other countries.
What are the effects of the national security provisions?
The provisions may permit you to restrict some of the data protection rights of individuals. The effects vary depending on the different rights. But in each instance, you can only apply the provision where this is a necessary and proportionate measure to protect national security.
Under the right to be informed, individuals have the right to be given privacy information about the collection and use of their personal data. You may be able to withhold some of this information, where this is necessary and proportionate to protect national security. Specifically, you may be able to withhold information about:
- the legal basis for processing;
- the length of time data will be retained for;
- the categories of any recipients of data; and
- any other further information you would normally provide to enable individuals to exercise their rights under Part 3.
You should provide as much of this information as you can, and only restrict the information where necessary and proportionate to protect national security.
Under the right of access, you may be able to withhold confirmation that you are processing personal data about a particular individual, and refuse to provide access to the data. Again, you should provide access to as much of the data as you can, and only withhold data where necessary and proportionate to protect national security.
Under the rights to rectification, erasure and the restriction of processing, you would normally have to tell an individual exercising these rights whether you have refused their request. However, you may be able to withhold this information, to the extent that doing so is a necessary and proportionate measure to protect national security.
When dealing with a personal data breach, you would normally have to notify individuals who may be affected, if the breach is likely to result in a high risk to their rights and freedoms. However, you may be able to withhold this notification, where necessary and proportionate to protect national security.
When are the national security provisions likely to apply?
You can rely on the national security provisions to restrict individuals’ rights or limit your personal data breach obligations, if you can show that doing so is a necessary and proportionate measure to protect national security. This is linked to human rights standards, which mean that any interference with privacy rights must be necessary and proportionate in a democratic society to meet a pressing social need.
Although you are permitted to apply the national security provisions where necessary and proportionate, you cannot do this in a blanket manner. Instead, you need to consider applying the national security provisions on a case-by-case basis. In particular, it is not enough that the processing is simply related to national security. You must consider the actual consequences for national security if you had to provide the relevant information to the individual. If you can reasonably provide that information without affecting national security, you must do so (subject, of course, to any other restrictions that might apply in the specific circumstances).
When you consider whether to rely on a provision to withhold information, you must also consider whether you should withhold it “wholly or partly”. In practice, this means that you must try and provide as much information to individuals as possible, and only withhold what is necessary to protect national security. So, if you can provide some information without posing any significant risk to national security, you must do so.
You don’t need to show that providing the information would lead to a direct or immediate harm or threat. It is enough to show that there is a real possibility of an adverse effect on national security in a broader sense. For example, in freedom of information cases, courts have recognised that terrorists can be highly motivated. There may therefore be grounds for withholding seemingly harmless information on the basis that it may assist terrorists when pieced together with other information.
So, before withholding information you must first consider the fundamental rights and legitimate interests of the individual, and how these may be affected.
You must then consider whether withholding the information is a necessary and proportionate measure to protect national security. Keep in mind that there may be circumstances where the adverse effect on an individual could outweigh any trivial, or hypothetical risk to national security.
You must disclose it if, having considered this, you conclude that withholding the information is not necessary or proportionate.
If you decide to apply a national security provision, you should be able to make a reasoned and convincing argument about why this was necessary and proportionate. We may ask you for these arguments if we have received a complaint. You may base these on hypothetical scenarios, as long as they are realistic and credible.
For example, you may need to limit your response to a request under the right of access. You may apply a national security provision in order to provide a consistent “neither confirm nor deny” (NCND) response about whether you process data for national security purposes. This may be necessary even in a case where there is no direct impact on national security, so that nothing can be inferred in other cases which might have more of an impact on national security.
You can apply this type of NCND response as a general policy. However, you should be able to make a reasoned argument about its use and demonstrate it to the ICO if required. You should still consider whether there are any special circumstances which mean you don’t need to rely on the general NCND policy in a particular case.
The following example illustrates the process that a competent authority might go through to consider the application of the national security provisions. Although in practice you might consider the application of other restrictions first, this example shows how the process might work and how you may take NCND considerations into account.
A police force receives a subject access request from an individual who is the subject of a covert counter-terrorism investigation. The police can apply a national security provision to restrict the individual’s access to their personal data if providing it would risk harm to the investigation, for example by tipping off the individual about the investigation, or giving them an opportunity to evade or frustrate it.
Before applying the provision, the police need to consider whether the individual’s rights or legitimate interests would be adversely affected. The individual’s right of access would clearly be adversely affected. The police need to consider whether restricting the individual’s right to access their personal data is a necessary and proportionate measure in light of the purpose for which they are restricting the rights, and the importance of the investigation in protecting national security.
The police do not have to inform the individual that their rights have been restricted, or the reasons for the restriction, if doing so would harm the investigation and pose a risk to national security. The police still need to inform the individual in general terms of their right to complain to the ICO or to apply to a court.
Once the investigation is complete, the police do not have to revisit the original subject access request. But if they receive a new request, they have to consider whether the restriction is still necessary, for example to protect confidential sources or other associated investigations. They also need to consider whether the restriction could be fully or partially removed.
What should we do if we restrict individuals’ rights?
If you have restricted an individual’s rights, you should normally inform them about:
- the restriction and the reasons for the restriction;
- their right to ask the ICO to check the restriction is lawful; and
- their right to bring a complaint to the ICO or apply to a court.
However, you may not have to inform individuals about the restriction and the reasons for it, if providing this information would itself undermine the purpose of the restriction.
Instead, you may consider issuing a more non-committal response. However, you should still provide anything which does not undermine the restriction. Wherever possible, also provide them with some information about their rights, in general terms. So, if you have refused to comply with an individual’s request, you must still tell them about their right to complain to the ICO, or to apply to a court.
Individuals have the right to ask the ICO to check that any such refusal or restriction was lawful. This does not mean that the individual is able to circumvent the restriction and exercise their rights through the ICO instead. In many cases, we may be unable to be very specific about our findings, because doing so might in itself reveal information which would prejudice the purposes the restrictions are designed to protect.
You need to record the restriction, and your reasons for applying it, so that you can show the ICO your reasons, if requested. You need to be able to show that you have applied the restriction only as far as necessary. Remember that you can apply the restriction wholly or partly to the right, and you should avoid applying it wholly unless that is necessary for protecting national security.
What is a ministerial certificate?
Section 79 of the DPA says that certain Ministers of the Crown (specifically, a member of the Cabinet, the Attorney General or the Advocate General for Scotland) can sign a certificate which is conclusive evidence that the restriction is a necessary and proportionate measure to protect national security.
It is important to remember that a certificate is not required in order for you to rely on the national security provisions. In fact in most cases, you will determine for yourself whether a restriction or limitation is required to safeguard national security (ie the application of a national security provision).
The provisions and the ministerial certificate do different things. The provisions, as detailed above, are always available and you may properly apply them to safeguard national security, with or without a ministerial certificate. Ministerial certificates are meant to give greater legal certainty that national security is applicable for specified data processing. This is because certificates certify that a restriction is a necessary and proportionate measure to protect national security.
In this context, a ministerial certificate is admissible as conclusive evidence that a restriction of an individual’s rights, or a limitation on a controller’s obligations, is a necessary and proportionate measure to protect national security.
These certificates can apply in advance, or they can be issued retrospectively for a restriction applied by a competent authority. The ICO publishes some details of all national security certificates which have been issued, including the text of the certificate where possible. However, there may be some cases where the text of the certificate is sensitive and cannot be published. In these cases, we publish the fact that a certificate was issued, the date it was signed, and which minister signed it.
If a relevant certificate is in place, you can rely on it to demonstrate that the restriction is necessary and proportionate. However, you should always consider whether you need to apply a restriction, or rely on any associated certificate, in a particular case. Individuals may challenge inappropriate reliance on a ministerial certificate in the Tribunal.
If you consider that a certificate is required, you can apply to a Minister of the Crown to issue a national security certificate under section 79. Details of the process for doing this are on the Home Office website, and linked to from the National Security Certificate page of the ICO website.
Individuals directly affected by a certificate can appeal against it to the Upper Tribunal. The certificate may be quashed if the Tribunal considers that the Minister did not have reasonable grounds for issuing it.
Individuals may also appeal to the Tribunal on the basis that the restriction the competent authority is relying on does not fall within the general description in the certificate.
For more information on ministerial certificates, see the Guide to Intelligence Services Processing.