Whilst awaiting the arrival of another enthralling, multi-megabyte download about the General Data Protection Regulation, I started reading the judgment (Case Number IPT 14/85/CH) delivered by the Investigatory Powers Tribunal last February. This is one of the cases between Privacy International and Government Communications Headquarters (GCHQ) which identified some unlawful processing of personal data by the latter (see references).
Paragraph 109 of this Tribunal’s judgment refers to the National Security Certificates established by Section 28 of the DPA; it states:
“Those certificates certify that personal data that are processed in performance of the Intelligence Services’ functions are exempt from the first, second and eighth data protection principles (and are also exempt in part from the sixth data protection principle). Thus the certificates do not exempt the Intelligence Services (including GCHQ) from their obligation to comply with the fifth and seventh data protection principles, which provide:
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. …
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
The reference to “those certificates” is a reference to National Security Certificates dated 2001; they were signed by David Blunkett and Jack Straw when they were Home and Foreign Secretaries respectively.
This in turn implies that the current Home/Foreign Secretaries have not seen them, contrary to the practice established for Transport for London’s Congestion Charge National Security Certificates (Jacqui Smith signed in 2007, and her replacement in the following Coalition Government, Theresa May, signed in 2011). Why successive Home/Foreign Secretaries have not followed the Transport for London practice for the 2001 Certificates is one of those unanswered questions.
Of course, there is no obligation in Section 28 of the Data Protection Act to refresh Ministerial approval of Certificates (or indeed to have Certificates at all). But it is astonishing that the national security agencies have relied on them for well over a decade without any evidence of any review of their effectiveness by any later Cabinet Minister with political responsibility for these agencies. In relation to any concept of accountability, there is something not quite right here.
One plausible reason for the lack of review could be the fact that these Certificates, fashioned just after 9/11, are over-engineered: they exempt the First, Second and Eighth Data Protection Principles. So, for instance, the exemption:
- from Schedules 2 and 3 of the First Principle allows processing of personal data that is not necessary for the national security purpose.
- from the Second Principle is consistent with the notion that the national security agencies might want to use or disclose personal data for purposes that are incompatible with the national security purpose.
- from Schedule 4 (and the Eighth Principle) is consistent with the idea that the national security agencies want to transfer personal data without any regard for any “substantial public interest” or the adequacy of protection in the territory to which personal data are transferred.
In other words, if I wanted to fashion an exemption that would allow me to transfer personal data to North Korea for any purpose, without regard for the lawfulness of the processing, my exemption of choice would have to include all of the First, Second and Eighth Principles. That, in a nutshell, is why these Certificates are over-engineered.
However, taking paragraph 109 at face value, it appears that the Information Commissioner can undertake an assessment under the Fifth and Seventh Principles, namely to assess whether GCHQ has taken:
- appropriate organisational and technical measures against unlawful and unauthorised processing, and
- appropriate steps to ensure that personal data, such as communications data, are kept no longer than is necessary for the national security function.
In addition, as the Third Principle is not exempted by the Certificates, such an assessment can include the issue of whether personal data are processed in a way that is relevant to the processing purposes.
The use of “unlawful processing” and “necessary” links the Fifth and Seventh Principles to Article 8(2) of the Human Rights Act. In the context of the national security purpose, we can read A.8(2) as:
“There shall be no interference by a public authority” (e.g. data retention by a national security agency) “with the exercise of this right except such as is in accordance with the law” (i.e. not unlawful) and “is necessary in a democratic society in the interests of national security…”.
As each Principle stands by itself, the fact that the First Principle (i.e. the requirement to process personal data lawfully) is exempted does not mean that an assessment cannot be made of the management processes that prevent “unlawful processing” in terms of the Seventh Principle.
Given that GCHQ appears to have processed personal data unlawfully (see press references below), it is reasonable for the ICO to assess whether GCHQ management has done its best to ensure that any future processing is not unlawful (as alleged by the press) and that all proper “authorisations” for processing are in place. An assessment of data retention and relevance also seems possible (unless a new Certificate is produced), if the Commissioner wants to do one.
Of course, there might be issues concerning the security clearance of the Commissioner’s auditors, or overlap between the functions of different regulators. However, these are not insurmountable, as there are many contractors and staff of regulators with the correct level of security clearance who can be trained to deliver a data protection audit (by us, perhaps?).
In summary, the national security agencies should comply with several data protection principles and refashion the 2001 Certificates in order to define precisely when and why the exemption from each Principle is needed.
In the post-Snowden era, it would reassure the public if these agencies had, by law, to commit to the following obligations:
- Limit the processing to that which is necessary for their statutory functions.
- Ensure that personal data are processed in a way that is not incompatible with the national security purpose.
- Ensure that personal data are kept no longer than necessary for the national security purpose.
- Ensure that personal data are kept secure and only transferred if there is a substantial public interest in the transfer.
My conclusion is that far from exempting the above Principles, the national security agencies should publicly embrace them.
Of course, I am not expecting this to happen; however this does not stop the ICO from establishing the important principle that some processing of personal data for a national security purpose falls within his responsibilities as a data protection authority.
The Tribunal Case No. IPT 14/85/CH: http://www.ccc.de/system/uploads/174/original/Privacy_Greennet_Open_Response_6_Feb_2015.pdf
GCHQ press coverage of existing “unlawful processing”:
- 6th Feb 2015: GCHQ's Internet surveillance with US ruled unlawful: http://www.telegraph.co.uk/news/uknews/law-and-order/11394860/GCHQs-mass-Internet-surveillance-ruled-unlawful.html
- 29th April 2015: GCHQ conducted illegal surveillance, investigatory powers tribunal rules: http://www.theguardian.com/uk-news/2015/apr/29/gchq-destroy-legally-privileged-communications-rendition-victim-sami-al-saadi-ruling
The National Security Certificates (Straw; date 8/12/2001) and (Blunkett; date 10/12/2001) are published at the end of: http://amberhawk.typepad.com/amberhawk/2014/02/should-national-security-certificates-exclude-the-data-protection-principles.html
Data Protection and the national security function; written evidence to the Intelligence and Security Committee: http://amberhawk.typepad.com/files/blog_evidence-to-isc.pdf