National security, public security and defence condition

At a glance

• This condition may be appropriate if you need to handle personal information to safeguard national security, protect public security or for defence purposes. 
• You must be able to demonstrate that using the personal information is necessary for one of these purposes.

In detail

• What is the national security, public security and defence condition?
• How do we apply the national security, public security and defence condition?

What is the national security, public security and defence condition?

Being able to use people’s information for national security, public security and defence is key to keeping people and society safe.  

Many organisations that undertake security or defence activities are likely to be:

• public authorities (who can rely on the public task lawful basis); or 
• competent authorities (who handle this information under part 3 of the DPA). 

But this isn’t always the case. You may find you need to use people’s information for these purposes and the UK GDPR provides you with a way to do this lawfully. 

Annex 1 of the UK GDPR says:

“2. This condition is met where the processing is necessary— 

(a) for the purposes of safeguarding national security, 

(b) for the purposes of protecting public security, or  

(c) for defence purposes.”

We call this the ‘national security, public security and defence condition’. These terms are not defined in the UK GDPR but they are likely to cover the following:  

• National security – this is likely to cover the security and well-being of the UK as whole, its population, its institutions and system of government. The activities it covers may change rapidly depending on the circumstances, including threats that currently are not foreseen. 
• Public security – this generally concerns the welfare and protection of the public at large. It’s likely to include the protection of life, institutions and organisations against public threats including crime, disasters and other risks to life, safety and wellbeing.
• Defence – this is likely to include the combat effectiveness of the UK’s armed forces. It is also likely to cover the continued protection, security and capability of the armed forces, and the civilian staff that support them.

How do we apply the national security, public security and defence condition?

If you want to use this recognised legitimate interest condition, you must:

• only intend to use the personal information to safeguard national security, to protect public security or for defence purposes; and
• be able to demonstrate that using the personal information is necessary for one of those purposes.

In some circumstances you may need to decide quickly whether to use personal information for the purposes covered by this condition. If so, you should consider the following:

• Does using the personal information help to support national security, public security or defence?
• Is using the personal information a reasonable way to do this?
• Is there a less intrusive way to achieve the same result, based on what you know currently?

If your answer is ‘yes’ to the first two questions and ‘no’ to the last, it’s likely your use meets the necessity part of this condition.

In some situations, the purpose of this condition might overlap with another recognised legitimate interest condition. For example, criminal activity could pose a threat to public security and be covered by this condition as well as the crime condition. (For more information, see the Crime condition.) 

If this happens, you should choose the condition that provides the best overall fit in the circumstances for your use of personal information. (For more information, see Can more than one recognised legitimate interest condition apply at the same time?.)   

Whichever condition you use, you must still meet all your other obligations under data protection law. (For more information, see What else do we need to consider?.)