National security, public security and defence condition
In detail
- What is the national security, public security and defence condition?
- Is it appropriate to use recognised legitimate interest for national security, public security or defence purposes in every situation?
- How do we apply the national security, public security and defence condition?
What is the national security, public security and defence condition?
Being able to use people’s information for national security, public security and defence is key to keeping people and society safe.
If you need to handle people’s information for these purposes, the UK GDPR provides you with a way to do this lawfully.
Annex 1 of the UK GDPR says:
2. This condition is met where the processing is necessary—
(a) for the purposes of safeguarding national security,
(b) for the purposes of protecting public security, or
(c) for defence purposes.
We call this the ‘national security, public security and defence condition’. These terms are not defined in the UK GDPR but they are likely to cover the following:
- National security – this covers the security and well-being of the UK as a whole, its population, its institutions and system of government. The activities it covers may change rapidly depending on the circumstances, including threats that currently are not foreseen.
- Public security – public security covers a broad scope of activities. It generally concerns the welfare and protection of the public. It can include the protection of life, institutions and organisations against public threats, including crime, disasters and other risks to life, safety and well-being.
- Defence – along with protecting the UK from external threats, this is likely to include ensuring the combat effectiveness of the UK’s military. It can also mean the continued protection, security and capability of the armed forces, and the civilian staff that support them.
Is it appropriate to use recognised legitimate interest for national security, public security or defence purposes in every situation?
No. Some organisations that handle personal information for security or defence purposes don’t need to rely on recognised legitimate interest. These organisations are likely to:
- be a public authority (public task is likely to be the appropriate lawful basis);
- have a legal obligation to use personal information for these purposes (legal obligation is likely to be the appropriate lawful basis);
- be a competent authority (which handles this information for law enforcement purposes under part 3 of the DPA, not the UK GDPR); or
- be part of the intelligence services (which handle this information under part 4 of the DPA, not the UK GDPR).
But this isn’t always the case. If these circumstances don’t apply, you may be able to rely on this recognised legitimate interest condition.
This condition is often suitable for handling personal information to prevent and protect against national security, public security and defence issues (although you may be able to use it for incidents that are already happening).
In some situations, the purpose of this condition might overlap with another recognised legitimate interest condition. For example:
- Criminal activity could pose a threat to public security and be covered by this condition as well as the crime condition. (For more information, see the Crime condition.)
- A threat of a terrorist attack might meet the threshold to be classed as an emergency and be covered by both this condition and the emergencies condition. (For more information, see the Emergencies condition.)
If this happens, you should choose the condition that provides the best overall fit in the circumstances for your use of personal information. (For more information, see Can more than one recognised legitimate interest condition apply at the same time?.)
How do we apply the national security, public security and defence condition?
If you want to use this recognised legitimate interest condition, you must:
- only intend to use the personal information to safeguard national security, to protect public security or for defence purposes; and
- be able to demonstrate that using the personal information is necessary for one of those purposes.
This condition is likely to apply in situations where:
- national security, public security or the UK’s defence are under threat; and
- the use of personal information is necessary to prevent that threat from materialising or to minimise the harm caused if it does occur.
But it may also apply in circumstances where you need to react quickly to events that are underway and decide whether to use personal information for the purposes covered by this condition. If so, you should consider the following:
- Does using the personal information help to support national security, public security or defence?
- Is using the personal information a reasonable way to do this?
- Is there a less intrusive way to achieve the same result, based on what you know currently?
If you answer ‘yes’ to the first two questions and ‘no’ to the last, it’s likely your use meets the necessity part of this condition.
Example
An events company wants to operate a CCTV system to protect public security during an event. As part of this, it wants to view the footage in real time so it can react quickly.
Before implementing the proposal, it conducts a DPIA. It considers that it is necessary to process the images of attendees in order to help prevent and manage potential overcrowding within the venue. The company decides that the recognised legitimate interest basis and the national security, public security and defence condition apply to this use of personal information.
You should record your decision to help you comply with your accountability obligations and you must still meet all your other obligations under data protection law. (For more information, see What else do we need to consider?.)
There is a national security exemption in the DPA. If this applies to what you want to do, it can exempt you from some of your data protection requirements. But it doesn’t exempt you from having a valid lawful basis.