Understanding the Data Protection Act's national security and defence exemption
This post covers the Data Protection Act 2018's national security and defence exemption.
Most controllers will never need to rely on this but, if you do, it's a useful provision, and one which you need to apply carefully.
The national security and defence exemption
s26 Data Protection Act 2018 provides an exemption from some of the provisions of the UK GDPR, and some parts of the DPA 2018 itself, where exemption is required for the purpose of safeguarding national security, or for defence purposes.
The exemption isn't limited to law enforcement agencies or security and intelligence agencies
The national security and defence exemption applies to "normal" processing — for example, in the context of businesses — rather than law enforcement processing or processing by intelligence services.
It can apply to any controller which needs to engage in processing for which exemption from relevant parts of the UK GDPR and DPA 2018 is required for safeguarding national security, or for defence purposes.
If you are, for example, a telecommunications operator subject to the Investigatory Powers Act 2016, you may need to rely on this.
The exemption is both narrow and broad
The national security and defence exemption is both narrow and broad.
It is narrow in the sense that it applies only to the extent that an exemption is required (which the ICO says means "is reasonably necessary") for the purpose of safeguarding national security, or for defence purposes.
You need to assess each of the provisions from which exemption is available, and determine if an exemption is reasonably required on the facts of the case. You cannot safely apply it in a blanket manner, and you'll want to document your rationale and your conclusion.
It is broad in the sense of the exemptions available if necessary: you can be exempted from quite a lot (but not all) of the provisions of the UK GDPR.
You still need a lawful basis
While the national security and defence exemption can excuse compliance with quite a lot of the UK GDPR if required, it does not remove the requirement to have a lawful basis for your processing.
The lawful basis, or bases, available to you will depend on the circumstances, but the ones most likely to be available are:
- necessity to comply with a legal obligation, for example if you are served with an obligation under the Investigatory Powers Act 2016 grounded in national security
- necessity to protect someone's vital interests, if there is an imminent threat to life or serious injury
- necessity for the purposes of legitimate interests (and you'd want to do a good legitimate interests assessment to validate this)
The special category data rules are modified
The national security and defence exemption does not remove the additional rules relating to special category data, but it does change them.
The prohibition on processing special category data does not apply to processing which is carried out for the purpose of safeguarding national security or for defence purposes, provided that you have "appropriate safeguards" in place.
In other words, you've a fair amount of leeway here, but you still need to think things through, and put appropriate protections in place, and document them (from an accountability perspective).
You might, for example, rely on this aspect of the exemption in the context of disclosure of special category data, or for biometric security systems controlling access to buildings as part of safeguarding national security or for defence purposes.
National security and data subject rights
s26 can provide a total exemption from compliance with the rules relating to the rights of data subjects but, as above, only if exemption is necessary for the purpose of safeguarding national security, or for defence purposes.
For example, if you have provided someone's personal data to an appropriate authority because you reasonably consider them to be a threat to national security, and they make a subject access request — a request for a copy of the personal data you are processing about them, and for information about people to whom you have provided their data — you could rely on the exemption to not tell them about your disclosure, if withholding that information is required to safeguard national security.
But, unless you can make out the exemption more broadly, you'd still need to comply with the other aspects of their request.
Telecommunications operators subject to a warrant or notice under the Investigatory Powers Act 2016 have specific, additional, obligations, in particular in respect of the secrecy of conduct.
The interplay of the Investigatory Powers Act 2016's secrecy obligations and the data protection framework — for example, in the context of subject access, or notifications to the ICO or data subject in the event of a personal data breach — is not always clear, and may need particular attention.
Fortunately, you can still get appropriate legal advice on how to apply the law around secrecy provisions, without breaching those provisions in doing so.
There's no definition of "national security"
Parliament, and courts, have consistently chosen not to define "national security", to permit flexibility.
A definition of “national security” was proposed by Baroness Jones of Moulsecoomb in the course of the passage of the Investigatory Powers Bill through the House of Lords. The Baroness moved for an amendment (236A), comprising:
“national security” means the protection of the existence of the nation and its territorial integrity, or political independence against force or the threat of force
She withdrew her amendment, following vigorous rejection from other peers.
Earl Howe dealt the final blow to the amendment:
it has been the policy of successive Governments not to define national security in statute. National security is one of the statutory purposes of the security and intelligence agencies. Threats to national security are, as we have heard, constantly evolving and difficult to predict, and it is vital that legislation does not constrain the security and intelligence agencies in their ability to protect the public from new and emerging threats.
I think the key point is that to define national security in statute could have the unintended effect of constraining the ability of the security and intelligence agencies to respond to new and emerging threats to our national security.
While this gives a controller scope for discretion, it also gives plenty of room for argument.
There is no definition of "defence" either
The DPA 2018 does not define "defence", but the House of Lords has indicated that it is broader than "national security":
National security and defence of the realm may cover the same ground though I tend to think that the latter is capable of a wider meaning. But if they are the same then I would accept that defence of the realm may justify action to prevent indirect and subsequent threats to the safety of the realm.
You don't need a "national security certificate" (and probably won't get one)
If you can get one, it's helpful, in that it is "conclusive evidence" of the fact that exemption is required for the purpose of safeguarding national security. But you do not need one to rely on the exemption and, realistically, you probably can't get one.
Although they are "conclusive", anyone directly affected by a certificate can appeal against it, so they're not quite as conclusive as they might seem.
Only a Minister of the Crown who is a member of the Cabinet, the Attorney General, or the Advocate General for Scotland can issue one of these certificates. If they issue one, they need to send a copy to the ICO, which has to publish a record of it (but not necessarily the full certificate).
If you want to see what they look like, the ICO has published the certificates issued to MI5, SIS, and GCHQ.
The process for seeking one is here.
Applying the national security and defence exemption
The vast majority of controllers are never going to need this exemption, but it is useful if and when that need arises.
If you think you need to rely on this exemption, and want a hand working out the appropriate lawful basis, determining which, if any, of the provisions of the UK GDPR and DPA 2018 you can validly claim to be exempted from, or any of the other aspects of applying it, do get in touch.