Skip to main content

Exemptions

Contents

At a glance

  • There is an exemption that you may apply to many of the principles, rights and obligations, and some of the powers of the ICO, where you consider it is reasonably necessary to safeguard national security.
  • This is not a blanket exemption. You should be able to show on a case-by-case basis that compliance would raise a real possibility of an adverse effect on national security.
  • A Minister of the Crown (specifically a member of the Cabinet, the Attorney General or the Advocate General for Scotland) can issue a certificate which covers the processing. If they do so, his is conclusive proof that the exemption applies in the circumstances described in the certificate. We publish details of relevant certificates.
  • You must always still have a lawful basis for your processing. You must also still comply with your general accountability and security obligations.
  • There are also a number of other specific exemptions available.

Checklist for using the exemption

We have a lawful basis for our processing.

We have complied with our documentation and other accountability obligations.

We can point to a clear link between compliance with a specific provision and a potential adverse effect or difficulty for our operational work to protect national security.

We do not apply the exemption in a blanket manner, and have considered the circumstances of the case.

We have considered whether a national security certificate is applicable in the circumstances.

In brief

What is the national security exemption?

Section 110 sets out an exemption that may be applied to many of the data protection provisions:

“…if exemption from the provision is required for the purpose of safeguarding national security.”

If the exemption applies, it can exempt you from:

  • any of the principles (except the lawfulness requirement);
  • any of the rights of individuals;
  • personal data breach reporting; and
  • some of the powers of the Commissioner.

However, you must always ensure your processing is lawful, and that you have a lawful condition for your processing under Schedule 9.

If you are carrying out sensitive processing, you must also ensure you have a relevant condition for sensitive processing under Schedule 10.

You must also still comply with your general accountability and security obligations.

We may investigate your compliance, and will generally consider whether you have properly claimed an exemption. The MoU between the Commissioner and the Intelligence Services provides more detail of how we investigate complaints.

How does the national security exemption work?

Given the importance of national security, you can apply this exemption to a greater number of provisions than many other exemptions.

National security is not specifically defined, and can be interpreted in a flexible way to adapt to changing threats. Thirty years ago, it would have been difficult or even impossible to predict the threats that developments in computer and communications technology could give rise to, or how such developments could be exploited by terrorists or hostile states. It is generally understood to cover the security and well-being of the UK as a whole, its population, and its institutions and system of government. For example, it can cover:

  • protection against specific threats, such as from terrorists or hostile states;
  • protection of potential targets even in the absence of specific threats; and
  • international co-operation with other countries.

The exemption applies if it is “required” to safeguard national security. In this context, “required” means that the use of the exemption is “reasonably necessary”. This is linked to human rights standards and your obligations under the Human Rights Act 1998 and the European Convention on Human Rights (ECHR). This means that any interference with privacy rights should be necessary and proportionate in a democratic society to meet a pressing social need.

The exemption can be applied flexibly and to a large number of the data protection provisions. However, it is not a blanket exemption. You must consider the actual consequences to national security, or to your work in safeguarding national security, if you had to comply with the particular DPA rule. In other words, you should apply the exemption only when it is necessary and on a case-by-case basis. If you could reasonably comply with any of the usual rules without affecting your work, you must do so.

You don’t need to show that compliance would lead to a direct or immediate harm or threat. It is enough to show that there is a real possibility of an adverse effect on protecting national security in a broader sense. For example, in freedom of information cases, courts have recognised that terrorists can be highly motivated. There may therefore be grounds for withholding seemingly harmless information on the basis that it may assist terrorists when pieced together with other information.

If you use the exemption, you are still accountable to the ICO for your compliance with the DPA and you should be able to make a reasoned and convincing argument about the risks of compliance with the specific provision. You may base these on hypothetical scenarios, as long as they are realistic and credible.

For example, you may need to use the exemption to maintain a consistent line so that individuals cannot draw inferences which might harm national security in other cases. For example, to give a non-committal “neither confirm nor deny” (NCND) response to subject access requests.

Example

An intelligence service receives a SAR from a member of the public, who suspects that they may be under surveillance. The service doesn’t hold any relevant personal data about the individual, because they are not a person of interest. But they do not wish to let the person know that no relevant information is held because, if they actually are involved in matters which would be of concern, this may tip them off that their activities have not aroused suspicion. Moreover, if an individual did apply who was under surveillance, the service would want to neither confirm nor deny this. This means that they must adopt a consistent approach, to avoid the applicant knowing whether they were under surveillance or not.

There is no obvious prejudice to national security if no personal data is held, because there is no evidence held that suggests the person is engaged in any activity which would present a risk to national security. But the exemption could still be available if the response to the SAR might expose weaknesses in the intelligence about the person, or in order to avoid indicating whether an individual was or was not under surveillance.

The intelligence service could issue a response to the SAR which didn’t alert the individual whether personal data was or was not held (a NCND response), and could apply the exemption at section 110 to the extent necessary to avoid any relevant, specific requirements of responding to subject access requests.

You can apply a NCND response as a general policy. However, you cannot apply it in a blanket manner, because there may be circumstances in which it is not required for the purposes of safeguarding national security. As a result, you should still consider whether there are any special circumstances which mean you don’t need to rely on the general NCND policy in a particular case.

In many cases we may investigate compliance and consider whether you have properly claimed an exemption, or otherwise complied with Part 4. The ICO retains all our powers and regulatory functions where the use of these would not adversely affect the protection of national security. However, sometimes it may not be possible for us to exercise these powers, if our investigation might adversely affect your work in safeguarding national security. We have agreed a Memorandum of Understanding with the Government, which sets out our understanding of how this may work in some anticipated circumstances, such as a data breach or a complaint.

What are national security certificates?

A Minister of the Crown (specifically a member of Cabinet, the Attorney General or the Advocate General for Scotland) can sign a certificate which is conclusive evidence that the exemption is required for the purpose for safeguarding national security. These certificates can be issued in advance or retrospectively, so it isn’t always necessary for a certificate to be in place before claiming the exemption. The personal data to which the certificate applies may be identified in general terms.

The national security exemption can still apply even if a national security certificate has not been issued. However, the existence of a certificate is conclusive evidence that the exemption applies to the data described in the certificate. If a relevant certificate is in place, you may rely on it to demonstrate that the exemption applies.

The ICO publishes the existence of the certificates, and basic details including the name of the Minister who signed it and the date of signing, together with the text of the certificate where possible. However, there may be some cases where elements are redacted or the text is withheld, if the Minister decides that publishing would be:

  • against the interests of national security;
  • not in the public interest; or
  • would jeopardise the safety of any person.

In all other circumstances, we will publish the full text of the certificate.

A person directly affected by the issuing of a certificate may appeal to the Upper Tribunal. The Tribunal can quash the certificate if it considers that the Minister did not have reasonable grounds for issuing it.

In some circumstances, an individual can also appeal to the Upper Tribunal to challenge whether a certificate applies to their personal data. This right of appeal only applies where they are already party to court proceedings under the DPA (eg to enforce their right of access or objection), and the intelligence service relies on a certificate in those proceedings which applies to a general category of data.

The fact an applicable national security certificate exists does not mean you should rely on it in all circumstances. Even though a certificate has been issued, there may be occasions where there wouldn’t be any adverse effect on your work in safeguarding national security if you complied with a provision in Part 4. In such cases, you cannot rely on the exemption, even if a certificate has been issued about the personal data in question.

Are there any other exemptions?

Schedule 11 contains further exemptions. These may be thought of as ‘specific’ exemptions, in that they relate to a specific set of circumstances and permit exemption from certain provisions of Part 4.

Where necessary, they provide exemptions from:

  • the data protection principles (as set out in Part 4), except that the processing must always be lawful and meet a relevant condition for processing as set out in Schedule 9 and 10;
  • the rights of individuals; and
  • duties relating to reporting breaches to the ICO.

They do not provide an exemption from the powers of the ICO to investigate complaints about the application of the Schedule 11 exemptions, or the general accountability and security obligations of controllers and processors.

You should remember that although exemptions are available for use where required, in most circumstances their use is not mandatory. You can choose not to apply an exemption which would otherwise be available to you. However, there may be some circumstances where you are compelled to apply an exemption. For example, where Parliamentary Privilege applies, or where information is required to be made public by law.

How do the Schedule 11 exemptions work?

The exemptions are mostly intended to:

  • avoid some form of harm or prejudice (harm exemptions); or
  • permit something to be done which would otherwise not be permissible (gateway exemptions).

There are also a number of class-based exemptions that you can apply if the information conforms to the description in the exemption. They are similar in purpose and effect to several of the exemptions in the UK GDPR found at Schedule 2 of the DPA. For more detailed consideration of how you may apply them, you may find it helpful to refer to our guidance on the UK GDPR exemptions as many of the principles and considerations will be similar.

The applicable purposes of the exemptions are summarised below. For the specific wording of any exemption refer to the relevant paragraph of Schedule 11.

What harm-based exemptions are available?

The harm exemptions are for the avoidance of prejudice or harm to:

  • prevention and detection of crime, or the apprehension and prosecution of offenders (paragraph 2);
  • judicial proceedings (paragraph 5);
  • the combat effectiveness of the armed forces of the Crown (paragraph 7);
  • the economic well-being of the UK (paragraph 8); and
  • negotiations with the data subject (paragraph 10).

In all cases, you can only apply the exemption to the extent that you need to in order to avoid the prejudice or harm listed in the exemption.

The test is in most cases whether the DPA provision, if applied, “would be likely to prejudice” the activity specified in the exemption. This requires a two-part test.

Firstly, the prejudice or harm envisaged has to be more than trivial, so that the risk outweighs the importance of adhering to the DPA provision in question.

Secondly, the likelihood of the harm occurring has to be a real possibility, and not just remote or fanciful. In short, you need to be able to show that there is a realistic likelihood of some form of harm occurring, and that avoidance of this harm is sufficiently important that it requires you to exempt the processing from the DPA provision you are applying the exemption to.

In addition, there is also an exemption for scientific or historical research, or statistical or archiving purposes (paragraphs 13 and 14). This exemption is only available if:

  • the personal data is processed subject to appropriate safeguards for the rights and freedoms of the data subject; and
  • none of the statistics made available identify a data subject.

This exemption is only available to the extent that the DPA provision would prevent or seriously impair these purposes. This is a different, and somewhat higher hurdle than ‘prejudice’ and requires you to show that the DPA provision in question would actually prevent you from carrying out the activity, or otherwise make it very difficult for you to carry it out.

Keep in mind also that you cannot use these exemptions in a blanket fashion, but must apply them selectively and in as limited a manner as possible, sufficient to avoid the prejudice.

Example

An intelligence service is negotiating a settlement with a former employee who is pursuing an employment claim. The individual has made a subject access request, requesting information about the service’s willingness to compromise. In such circumstances the intelligence service may refuse to provide the former employee with information about their negotiating position, where this would prejudice the negotiations themselves (Schedule 11, paragraph 10). If there is no appreciable risk of prejudice, then the exemption would not be available (for example, because the negotiations are concluded).

If you apply an exemption, it is important to clearly record the reasons for its application, so that if necessary you can explain these to the ICO.

What class-based and gateway exemptions are available?

There are several exemptions you can use for data which matches one of the descriptions in the exemption. If this is the case, you don’t need to show that there would be prejudice in order to apply the exemption:

  • Parliamentary privilege (paragraph 4).
  • Information about the conferring of Crown honours and dignities (paragraph 6).
  • Legal professional privilege (paragraph 9). This exemption recognises the importance of preserving the principles of legal privilege. Both advice and litigation privilege are covered by this exemption.
  • Confidential employment, training or education references (paragraph 11). This exemption permits the intelligence service to exempt a confidential reference it has given.
  • Exam scripts and marks (paragraph 12). This prevents obtaining details of a candidate’s examination answers, or the marks received, before the results of the examination are announced.

These exemptions recognise the inherent confidentiality in certain processes and allow you to protect and preserve that confidentiality where necessary. Again, you should apply the exemptions as restrictively as possible, consistent with the purpose of the exemption. In some cases, for example Parliamentary Privilege, you may have a legal obligation to uphold the privilege and the exemption allows you to meet these obligations.

There is one gateway exemption which applies if:

  • personal data is required to be made public by law; or
  • disclosure is necessary for the purpose of legal proceedings, obtaining legal advice, or establishing, exercising or defending legal rights (paragraph 3).

You can use this exemption to permit disclosure of information which would otherwise not be permitted under Part 4. For example, if the disclosure would otherwise breach an individual’s rights.

This exemption can also apply to prospective legal proceedings. Therefore, it is available even if the proceedings have not yet been commenced and are just at the fact finding or obtaining legal advice stage.

If you are not an intelligence service, then this guidance does not apply to you. If you are a competent authority processing for law enforcement purposes, Part 3 of the DPA contains provisions that allow you to restrict the rights of individuals or limit your obligations where this is required to protect national security. See our guidance on the Part 3 national security provisions for more details.

For all other controllers and purposes, you are processing under the UK GDPR, and may be able to use the national security exemption at Section 26 of the DPA. See our guidance on the application of the national security exemption.