Idly browsing through the National Security (Information Tribunal) web-site (as one does when one has spare time to kill), I noticed that a new appeal involving Privacy International (PI) has been posted. Evidently the privacy pressure group was raising questions about the National Security Certificate that allows for the real-time transmission of ANPR images of cars entering London’s Congestion Charge to the national security agencies. PI’s appeal fell at the first hurdle because it was an organisation and not a data subject.
The substantive data protection points raised by PI are very serious and interesting, as the relevant Certificate, signed by the Home Secretary under S.28 of the Data Protection Act, specifies an exemption from the Second and Eighth Principles (amongst other more obvious things). It is these wider aspects that PI wanted to challenge, and it is easy to understand why this is the case.
The Second Principle requires a data controller that is deciding whether or not a disclosure of personal data is incompatible with the purpose of its processing to have “regard ...to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed”.
Thus, if there is an exemption from this obligation, it means that the disclosure of personal data can occur without any regard for any processing purpose undertaken by the person to whom the data are disclosed. It follows that the exemption in the Certificate permits the agencies described by the Certificate to disclose ANPR images within Europe for purposes incompatible with the national security or serious crime purpose.
Similarly, the Eighth Principle can require a risk assessment to be taken prior to the transfer of personal data outside the European Economic Area. So any Certificate that exempts this Principle also extends the disclosure of ANPR images to any organisation outside the Euro-zone without any such risk assessment.
Hence PI argues, with some justification, that the exemption from these two principles described in the Certificate permits the disclosure of ANPR images to anybody on the planet (e.g. any national government agency including the unsavoury ones) for any purpose (e.g. for a purpose that has nothing to do with crime and national security).
The Home Office lawyers defeated PI’s appeal by demonstrating that PI had no standing before the Tribunal. This “technical success” did not diminish the real substantive issues; it just avoided the need to defend them as being necessary.
What is alarming is that a brief study of my collection of national security certificates (don’t tell me you haven’t got a collection?) shows this Second and Eighth Principle exemption occurs in other certificates – most notably in the certificate dealing with the use and disclosure of communications data. It follows that the issues PI raised about ANPR images also apply to the onwards disclosure of communications data (of which there is a great amount in the hands of the national security agencies).
The Security Service is justifiably proud of yesterday’s “glasnost” moment with publication of its history which details the fact that it carried out extensive surveillance of CND and other legitimate political activities in the 1980s.
All this is very welcome. However, an exemption from the Second and Eighth Principles in many Certificates carries the implication that national security agencies can disclose personal data to anyone for any purpose. It is this unbridled freedom to disclose to anybody for any purpose that can, in time, undermine the claim that questionable national security activities are all now in the past.