19 May 2023 - we have broken the Guide to the UK GDPR down into smaller guides. All the content stays the same.
At a glance
- Section 26 of the DPA 2018 provides an exemption for the purpose of safeguarding national security or for defence purposes. It is capable of exempting personal data from most of the data protection principles and obligations, and from individuals' rights, where this is required to safeguard national security or for defence purposes.
- This guidance only considers the national security aspects of this exemption. In the future, the ICO will develop additional content on the defence aspects of this exemption, and will publish an amended version of this guidance in due course.
- You may be able to apply this exemption if you process data under the UK GDPR.
- This is not a blanket exemption. You must be able to show that the exemption from specified data protection standards is required for the purposes of safeguarding national security. When deciding whether to use this exemption, we suggest you consider whether complying with the UK GDPR would raise a real possibility of an adverse effect on national security.
- A Minister of the Crown (specifically a member of the Cabinet, the Attorney General or the Advocate General for Scotland) can issue a certificate which covers your processing in relation to national security. If you have decided that it is necessary to rely on the exemption, you can rely on this certificate as conclusive proof that the exemption applies. However, you should not assume that you must apply the exemption, simply because a certificate has been issued. We will publish details of relevant certificates.
- You must always have a lawful basis under Article 6, and show that your processing is more generally lawful. There is no exemption from the requirement to process lawfully.
- You must always comply with your general accountability and governance obligations.
- Modified rules apply to how you process special category data and to your security obligations.
Checklist for using the exemption
☐ We are not an intelligence service or a competent authority processing for law enforcement purposes.
☐ We are processing personal data for national security purposes, and compliance with UK GDPR rules would have implications for national security.
☐ We comply with the data protection principles, rights and obligations other than to the extent that an exemption is required to safeguard national security.
☐ We have a lawful basis for our processing, and have complied with our documentation and other accountability obligations.
☐ We can point to a clear link between compliance with a specific provision and a potential adverse effect on national security.
☐ We do not apply the exemption in a blanket manner, but only to the extent required to protect national security.
☐ We have considered whether a national security certificate is applicable in the circumstances.
☐ We have recorded the use of the exemption and can demonstrate its necessity and proportionality in light of the data subject’s rights and legitimate interests.
☐ We understand the special rules for special category data.
Does this guidance apply to us?
This guidance applies to you if you usually process data under the UK GDPR, and you are carrying out processing for national security purposes.
If you are a “competent authority” processing for law enforcement purposes related to national security, different provisions apply and you should read our Guide to law enforcement processing. However, if you are also processing data for a non-law enforcement purpose this guidance applies.
The intelligence services (or processors acting on their behalf) are covered by a separate regime. For more information, see our Guide to intelligence services processing.
What does “national security” cover?
“National security” is not specifically defined and can be interpreted in a flexible way to adapt to changing threats. Thirty years ago, it would have been difficult or even impossible to predict the threats that developments in computer and communications technology could give rise to, or how such developments could be exploited by terrorists or hostile states. It is generally understood to cover the security and well-being of the UK as a whole, its population, and its institutions and system of government. For example, it can cover:
- protection against specific threats, such as from terrorists or hostile states;
- protection of potential targets even in the absence of specific threats; and
- international co-operation with other countries.
What is the national security exemption?
Section 26 of the DPA 2018 sets out a broad exemption from specified provisions of the UK GDPR:
“…if exemption from the provision is required for—
(a) the purpose of safeguarding national security, or
(b) defence purposes.”
This guidance only focuses on the national security element of this exemption.
If the exemption applies, it can exempt you from:
- any of the data protection principles (except lawfulness requirements);
- any of the rights of individuals;
- personal data breach reporting;
- international transfers requirements; and
- some of the Commissioner’s duties and enforcement powers.
You must always ensure that your processing is lawful, and that you have a lawful basis under Article 6.
If you are processing special category data for national security purposes there is no exemption from Article 9, but special rules apply. Section 28 of the DPA permits the processing of special category data for safeguarding national security, provided you ensure there are appropriate safeguards for the rights and freedoms of data subjects. For more information on this see What are the special rules for special category data? below.
If you are processing criminal offence data, and can apply this exemption, you are also exempt from your obligations under Article 10 of the UK GDPR.
You must always comply with your accountability and governance obligations, including the requirement to be able to demonstrate compliance (Article 5(2) of the UK GDPR).
Although there is no exemption from security obligations, modified provisions apply to data processed for national security purposes. For more information on this see How are our security obligations affected? below.
How does the exemption work?
Given the importance of national security, you can apply this exemption to a greater number of provisions than many other exemptions.
The exemption applies if it is “required” to safeguard national security. In this context, “required” means that the use of the exemption is “reasonably necessary”. This is linked to human rights standards. This means that any interference with privacy rights should be necessary and proportionate in a democratic society to meet a pressing social need.
The exemption is capable of being applied to a large number of the data protection provisions. However, it is not a blanket exemption and national security will not automatically override individual rights. You should consider your use of the exemption on a case-by-case basis.
In particular, it is not enough that the data is processed for national security purposes. You must consider the actual consequences to national security if you had to comply with the particular UK GDPR provision. If you can reasonably comply with the provision without affecting national security, you must. Of course, this is subject to any other exemptions that might apply in the specific circumstances.
You don’t need to show that compliance would lead to a direct or immediate harm or threat. It is enough to show that there is a real possibility of an adverse effect on national security in a broader sense. For example, in freedom of information cases, courts have recognised that terrorists can be highly motivated. There may therefore be grounds for withholding seemingly harmless information on the basis that it may assist terrorists when pieced together with other information.
If you use the exemption, you should be able to make a reasoned and convincing argument about the risks of compliance with the UK GDPR provisions. You may base these on hypothetical scenarios, as long as they are still realistic and credible.
For example, you may need to use the exemption to provide a consistent “neither confirm nor deny” (NCND) response about whether you process data for national security purposes. This may even be in a case where there is no direct impact on national security. This is so that nothing can be inferred in other cases which might have more of an impact on national security.
You can apply this type of NCND response as a general policy. However, you should be able to make a reasoned argument about its use and demonstrate it to the ICO, if required. You should still consider whether there are any special circumstances which mean you don’t need to rely on the general NCND policy in a particular case.
Instead of an NCND response, you could also give a different form of non-committal response. There may be circumstances when it is not appropriate to inform a person that you are relying on the national security exemption and you may wish to word your response appropriately.
An organisation is concerned that some of its service users are at risk of radicalisation from extremist groups. It passes details of individuals it considers may have been approached or are at risk to the relevant authorities.
A group of service users make subject access requests to the organisation. They ask specific questions about whether their details have ever been “passed to the authorities”. The service users have announced publicly on social media that they intend to share their responses with each other.
The organisation has informed the relevant authorities about some members of the group of service users, but not others. It is concerned that if radicalised individuals become aware that their details have been shared, it may damage national security, put lives in danger and they may take steps to thwart surveillance or other monitoring of their actions.
The organisation must respond to the subject access requests, but can use the exemption to avoid revealing any information about whether or not it has referred details to relevant authorities. It can omit the relevant details from the information it does provide. It can also provide a non-committal response to any direct question about disclosures to the authorities, regardless of whether or not the referral has in fact taken place.
Further reading – ICO guidance
The courts have considered a very similar exemption in the context of freedom of information requests. For more information, see our guidance on the FOI exemption for safeguarding national security.
When is the exemption likely to apply?
You can use the exemption if you can show that complying with the relevant rule would be incompatible with safeguarding national security.
You can also use the exemption to maintain a consistent line so that individuals cannot draw inferences which might harm national security in other cases. For example, giving a non-committal response to subject access requests about national security processing. You do not have to confirm that you are relying on the exemption or give any details which allow an individual to infer that additional information is in fact processed.
A company is concerned that some of its customers may be using its products to make bombs. It decides to provide MI5 with information about these customers and their purchases.
A customer makes a subject access request to the company for their personal data, along with details of the processing. The company should comply with the usual UK GDPR rules on the right of access in the normal way for the processing it does for its own business purposes. However, it is likely to be able to use the national security and defence exemption to avoid giving any information about the disclosures to MI5. In this case, alerting a suspected bomb-maker to the fact that MI5 is aware of their activities would clearly raise a real risk to MI5’s ability to effectively safeguard national security.
If the customer makes a request for erasure of their data, the company can delete its ordinary customer records as usual but rely on the exemption to avoid deleting the data shared with MI5. It could also rely on the exemption to avoid informing the customer that it had not deleted all of the data.
You cannot use the exemption if the impact of compliance would be trivial or is not linked to national security (eg to avoid embarrassment).
You cannot use the exemption in a blanket way just because you process data for national security purposes. You must be able to show some link between compliance with the specific provision and the need to safeguard national security, even if that link is indirect. If necessary, we would expect you to be able to provide us with evidence about why you used this exemption.
What is a ministerial certificate?
Section 27 of the DPA says that a Minister of the Crown (specifically a member of the Cabinet, the Attorney General or the Advocate General for Scotland) can sign a certificate which is conclusive evidence that the exemption is required for the purpose of safeguarding national security.
It is important to remember that you do not require a certificate in order to rely on the national security exemption. In fact, in most cases, controllers will determine for themselves whether they require an exemption to safeguard national security. It is also important to note that there are no certificates for relying on this exemption for defence purposes.
The exemption and the ministerial certificate do different things. The exemption, as detailed above, is always available. You may properly apply it to safeguard national security, with or without a ministerial certificate. Ministerial certificates are meant to give greater legal certainty that the national security exemption applies to specified data processing, because a certificate certifies that an exemption is required for specified personal data in order to safeguard national security.
In this context, a ministerial certificate is admissible as conclusive evidence that exemption from the specific provision listed in section 26 is required to safeguard national security.
These certificates can be issued in advance or retrospectively. The personal data to which the certificate applies may be identified in general terms.
The ICO will publish some details of all national security certificates which have been issued, including the text of the certificate where possible. However, there may be some cases where the text of the certificate is sensitive and cannot be published. In these cases, we will publish the fact that a certificate was issued, the date it was signed, and which minister signed it.
If a relevant certificate is in place, you can rely on it to demonstrate that the exemption applies. However, you should still consider whether you actually need to rely on the exemption, and the certificate, in a particular case. You may need to check with the relevant authorities whether or not you should rely on a certificate.
If you consider that a certificate is required, you can apply to a Minister of the Crown to issue a national security certificate under section 27. Details of the process for doing this are on the Home Office website, and linked to from the National security certificate page of the ICO website.
For more information on ministerial certificates, see the Guide to intelligence services processing.
What are the special rules for special category data?
Section 28 of the DPA 2018 modifies the rules on special category data for the purpose of safeguarding national security.
You may not always need to identify an Article 9 condition for that element of your processing as long as you have “appropriate safeguards” in place to protect individuals’ rights and freedoms. This reflects the substantial public interest in national security. However, you still need to ensure you have an Article 6 lawful basis for your processing.
The DPA does not specify how you can demonstrate that you have appropriate safeguards in place – so it is your responsibility to identify a reasonable way to do so.
However, one way in which you can demonstrate this is to have a document similar to the appropriate policy document.
This document should briefly outline:
- how you have met the lawfulness requirements of principle (a) – including which lawful basis you are relying upon;
- your retention and deletion policies; and
- an indication of the retention period for the specific data.
If you already have an appropriate policy document for the processing of special category data, you may wish to include the details about your national security processing in it.
It is good practice to retain this document until six months after the date you stop this processing. You must keep it under review. You do not have to publish it; although it is good practice to do so, it may not be appropriate to publish it for national security reasons.
How are our security obligations affected?
Section 28 also modifies the security obligations placed on a controller. So, slightly different security obligations apply if you are processing for the purpose of safeguarding national security.
You must implement security measures appropriate to the risks arising from your processing. There are also specific additional requirements for any electronic data. You must evaluate the risks, and implement specific measures to:
- prevent unauthorised processing or interference with your electronic systems;
- ensure that you can establish the details of any processing which takes place (ie there is an electronic audit trail);
- ensure proper functioning and restoration of the system; and
- ensure that data will not be corrupted if a system malfunctions.
What about law enforcement processing?
If you are a competent authority processing for law enforcement purposes, different rules apply under Part 3 of the DPA 2018.
There is no equivalent broad exemption to safeguard national security for law enforcement processing. The usual principles and obligations apply. However, there are some restrictions built into some of the rights of data subjects, and into some of the provisions about reporting data breaches. These can apply where necessary and proportionate to protect national security. A Minister can sign a certificate as conclusive evidence that these restrictions apply, in a similar way to the UK GDPR exemption.
For more information on the restrictions available to protect national security, see the Guide to law enforcement processing.
For more information on processing by the intelligence services themselves and the equivalent exemption in Part 4 of the DPA 2018, see the Guide to intelligence services processing.