An analysis of Section 28 Certificates issued by the previous Labour Government shows that the exemptions for the national security function are excessive. The recent publication of a “memorandum of understanding” and analysis of the TfL Certificate (last week’s blog) shows that the current Government has continued this policy.
It is my view that if the national security agencies were required to apply the data protection principles, subject to appropriate exemptions and an effective system of regulation (not necessarily by the Information Commissioner), then the extensive mass surveillance undertaken by these agencies would have been considered (and regulated) in the context of necessity, relevance and retention. Such obligations could have avoided the current controversies.
I have decided to re-publish these old Section 28 Certificates covering the national security agencies because, in the light of the Snowden allegations, they are pertinent to the current public debate over supervision of these agencies. I have also made them available to the Parliamentary Security Committee, which has issued a call for evidence on the supervision of national security.
The blog was also stimulated by legal advice to Tom Watson MP (see references), which includes the issue of whether or not it is lawful for the Government Communications Headquarters (‘GCHQ’) to intercept bulk electronic data. In that advice, Jemima Stratford QC states:
“We have no information as to whether or not the Secretary of State has issued relevant section 28 notices. Nonetheless, what follows is based on the assumption that the Secretary of State may (and possibly has) taken some aspects of the intercept ‘programme’ outside of the scope of the DPA”.
This blog confirms that assumption.
Background to the Certificates
These Certificates were published by the Home Office in 2005 in response to a FOI request and one should assume that they are out of date. Despite this, these Certificates give quite a lot of detail of what these agencies do with personal data and this detail may be pertinent to the current furore over the extent of mass surveillance undertaken by these agencies (see the 2000 Certificates, in particular).
In addition, the TfL Certificates signed by the previous and current Home Secretaries have not changed much, so one can assume that the content of the “old” Certificates might be similar to the content of the current Certificates. You will note that these Certificates are of a very generic nature and, like the TfL Certificate, could be published without any prejudice to the national security function. This has not happened.
The "New Labour" Certificates
Looking at these Certificates, there are four common themes: a complete exemption from the First, Second and Eighth Principles, from the Section 55 offence, from the Commissioner’s powers of enforcement and from the rights of access and objection. These latter exemptions from rights are understandable in the context of the national security function, and I will make no further comment on them.
In relation to the exemption from the First Principle, it can be seen that only part of the exemption can be justified. For instance, the exemption from the need to provide a fair processing notice (giving a notice would be an act of “tipping off”) and from “lawful” processing (e.g. obtaining personal data in breach of an obligation of confidence) can be justified.
However, the exemption from the Schedule 2 and 3 requirements is difficult to see as being justified. For instance, any public body can process personal data which is “necessary” for its statutory functions which, in this case, is “necessary for the national security functions”. It follows that an exemption from this obligation sends the message that the national security agencies might want the flexibility to process personal data that are “not necessary” for these functions.
Whether or not these agencies have processed personal data “unnecessarily” is at the heart of the Snowden allegations.
There is a similar “message to the public” with the exemption from the Second Principle. This Principle requires these agencies to obtain the personal data “lawfully” and not further process (i.e. use or disclose) these data for a purpose incompatible with the national security function. It follows that an exemption from this Principle implants the notion that the national security agencies might want to process personal data for purposes that are incompatible with their national security function. Again, this is an issue at the centre of the Snowden allegations.
Likewise with the message derived from the exemption to the Eighth Principle. This Principle requires a data controller to perform a risk assessment on the adequacy of protection, prior to the transfer of personal data outside the European Economic Area (EEA), or apply an exemption from the need to assess adequacy (see Schedule 4).
I would argue that if these national security agencies were to make any transfer of personal data outside the EEA for a national security purpose, then such a transfer would be in the “substantial public interest” (and would qualify for an exemption from the need to assess adequacy). It follows that the message sent to the public is that the national security agencies require an ability to transfer personal data outside the EEA for purposes that possess little in the way of “substantial public interest”.
In this context, the Snowden allegations concerning the personal data exchange between the NSA and GCHQ spring to mind; the USA is not seen as offering “an adequate level of protection” (certainly by many European Data Protection Commissioners).
Although the Certificates do not exempt the Third Principle (relevance) and Fifth Principle (retention), the exemption from the Commissioner’s powers means that any breach of these Principles by the national security agencies cannot be enforced.
Quite simply, the Data Protection Act has been deliberately airbrushed out so that it does not exist for the national security agencies. The exemptions described by these Certificates leave data subjects (e.g. any member of the public in the case of mass surveillance) with no easy mechanism for raising a problem.
Alternative mechanisms of redress
There are limited means of redress in relation to the national security function, and an aggrieved individual could:
• Raise an issue with the Surveillance Commissioner or the Interception of Communications Commissioner. However, these Commissioners look at whether the Secretary of State and the national security agencies are using their powers appropriately and whether they have completed the relevant paperwork correctly; these Commissioners do not take complaints from individuals who are worried that they have been unjustly targeted as a subject of surveillance.
• Take action under the Human Rights Act; however, this exposes the individual to considerable costs if they lose the case. In the case of the national security agencies, the complainant takes on the State (e.g. the Home Office) backed by the tax-payer. This is a very uneven battle and a lengthy one – for instance, the mass retention of DNA (in UK v Marper) took six years to resolve.
• Complain to the Interception of Communications Tribunal: This is the forum where those who are seeking a hearing can get a Tribunal to look at the substantive issues. Because the Tribunal is not a public authority for FOI requests, there are no published statistics as to the number of complaints it receives. However, we do know the Tribunal publishes, on average, a single determination in a case per year. This suggests the evidential hurdles are high in bringing a case that is likely to succeed.
• Raise an issue with the Intelligence and Security Committee (ISC) of Parliament. This Committee was established in 1994 to examine the policy, administration and expenditure of the national security agencies; last year it was given an increased remit to include oversight of operational activity and the wider intelligence and security activities of Government. In other words, the ISC’s remit is strategic, and its website says it does not take individual complaints (however, multiple complaints on the same issue could eventually trigger something that falls within the ISC’s remit).
In other words, there is a degree of oversight (which I think has been ineffectual – see references) but I can see no simple way that an individual can use to resolve issues within a reasonable timescale.
Apply the data protection principles to national security
In summary, I cannot see why the national security agencies should not be required to comply with the principles. For example, would it reassure the public if these agencies had, by law, to commit to the following obligations?
• Process personal data lawfully and ensure that any processing is necessary for their statutory functions.
• Ensure that personal data are processed in a way that is not incompatible with the national security purpose.
• Ensure that all personal data are adequate, relevant and not excessive in relation to the national security purpose.
• Ensure that personal data are kept no longer than necessary for the national security purpose.
• Ensure that personal data are kept secure.
• Ensure that personal data are not to be transferred outside the EEA to a country that offers an inadequate level of protection unless there is a substantial public interest in any transfer.
Of course, there need to be exemptions from fair processing notices and from the rights of access or objection to profiling; data sharing might need to apply the exemption from the non-disclosure provisions, and there might be other exemptions that are needed. What these exemptions are and their scope can be the subject of debate.
One should add that these data protection principles have passed the test of time. For instance, if the police and all their sensitive criminal intelligence collections can co-exist with these data protection principles for nearly three decades (since the 1984 Act), I cannot see why metadata held by the national security agencies is any different.
I also cannot see why a regulator cannot investigate to reassure the public that these principles are central to the processing of personal data for national security purposes; of course that regulator need not be the Information Commissioner.
Finally, I have to respond to the comments of Jack Straw MP (Hansard: 10 Jun 2013, Column 38) where he stated that:
“Does the Secretary of State accept that many of our allies, leaving aside the United States, are astonished by the degree of control and supervision of our system of ministerial oversight, oversight by judicially qualified commissioners and oversight by the ISC, which surpasses that of most other western democracies?”.
To be poetic, this is a case of “a Jack covering his tracks”.
History records that the Data Protection Act was enacted as a Home Office Bill, when Jack Straw was Home Secretary. Section 28 of the Act is his handiwork and it is his signature that adorns several Certificates (see below). He is responsible for exempting the national security agencies from applying the only set of enforceable principles which offer reassurance to the public and provide a mechanism for redress.
In my view, it is this misjudgement (negating the data protection principles by creating an excessive exemption) that is the root cause of the public relations disaster that now envelops the national security agencies.
The evidence suggests that the current Home/Foreign Secretaries are continuing to make the same mistake. A memorandum of understanding, just published by the Government, ensures the data protection principles are not enforced by the Information Commissioner. By contrast, these principles should be centre stage.
Over the next few months there will be many debates about national security.
Let us not forget that the trusted data protection principles, applied to the national security function, form a consistent basis to deliver the correct balance between the “purpose of national security” and reassurance to the public.
References (long list I am afraid)
Legal advice of Jemima Stratford QC: http://www.tom-watson.co.uk/2014/01/advice-from-jemima-stratford-qc-on-the-legality-of-reported-ongoing-gchq-practice
Download the Certificates here:
• S.28 Straw Certificate Security Service 2000
• S.28 Cook Certificate GCHQ SIS 2000
• S.28 Blunkett Certificate Security Service 2001
• S.28 Straw Certificate GCHQ SIS 2001
• S.28 Straw Certificate GCHQ SIS No. 2 2001
• S.28 Smith TfL Certificate 2007
• S.28 May TfL Certificate 2011
Certificate published by the Government: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/100394/7605-Sec28-dpa.pdf
Memorandum of understanding about the application of the national security exemptions to FOI and DP (Jan. 2013): https://www.gov.uk/government/publications/memorandum-of-understanding-between-the-secretary-of-state-of-justice-and-the-information-commissioner
Why I think the current supervisory arrangements are weak
• Home Secretary spends 90 minutes per day with interception warrants?: http://amberhawk.typepad.com/amberhawk/2009/09/home-secretary-spends-90-minutes-per-day-with-interception-warrants.html
• Labour’s privacy legacy: 1 in 50 subject to communications surveillance: http://amberhawk.typepad.com/amberhawk/2010/10/labours-privacy-legacy-1-in-50-subject-to-communications-surveillance.html
• Is “one adult in 78” subject to surveillance of their communications?: http://amberhawk.typepad.com/amberhawk/2009/09/is-one-adult-in-78-subject-to-surveillance-of-their-communications.html