Yesterday, the Intelligence and Security Committee held a round-table on privacy and national security, in particular in relation to the Snowden revelations and possible changes to the law.
So this is a good excuse to publish my written evidence to the Committee. It is along the lines that the Data Protection Act should apply to the processing of personal data by the national security agencies.
Historically the national security function was made exempt from the Data Protection Act 1984 probably because this legislation predated the Interception of Communications Act 1985 (which was imposed on the UK following a defeat at the European Court of Human Rights) or any consideration of any independent regulation of the national security function. This comprehensive exemption was carried over into the 1998 Act.
The national security agencies are concerned about oversight, because that oversight with access to documents and projects might, in itself, be a risk to national security. However, there is no need to designate the Information Commissioner as a national security regulator with respect to the processing of personal data.
For instance, disputes with respect to the application of the Principles can be tested by the National Security Tribunal which could hear complaints of substance; the Investigation of Regulatory Powers Tribunal could then assume the role of the Upper Tribunal and adjudicate on points of law. Any audit of compliance (like procedures with respect to warrants) could fall within the remit of the Surveillance Commissioner or the Interception of Communications Commissioner (as required).
I have also taken the opportunity to ask the Committee to investigate the current set of Certificates which exempt the application of the Data Protection Act, as they are sending the wrong message to the public (see the blog on these Certificates and, for a copy of those Certificates, see references).
For instance, in relation to the exemption from the First Principle in these Certificates, it can be seen that only part of the exemption can be justified. The exemption from the need to provide a fair processing notice (giving a notice would be an act of “tipping off”) and from “lawful” processing (e.g. obtaining personal data in breach of an obligation of confidence) can be justified.
However, the exemption from the Schedule 2 and 3 requirements is difficult to see as being justified. For instance, any public body can process personal data which are “necessary” for its statutory functions which, in this case, is “necessary for the national security functions”. It follows that an exemption from this obligation sends the message that the national security agencies might want the flexibility to process personal data that are “not necessary” for these functions.
There is a similar “message to the public” with the exemption from the Second Principle. This Principle requires data controllers to obtain the personal data “lawfully” and not further process (i.e. use or disclose) these data for a purpose incompatible with the national security function. It follows that an exemption from this Principle implants the notion in the public that the national security agencies might want to process personal data for purposes that are incompatible with their national security function.
Likewise with the message derived from the exemption to the Eighth Principle. This Principle requires a data controller to perform a risk assessment on the adequacy of protection, prior to the transfer of personal data outside the European Economic Area (EEA), or apply an exemption from the need to assess adequacy (see Schedule 4).
If these national security agencies were to make any transfer of personal data outside the EEA for a national security purpose, then such a transfer would normally be for a national security purpose and in the “substantial public interest” (and therefore qualify for an exemption from the need to assess adequacy). It follows that the message sent to the public is that the national security agencies require an ability to transfer personal data outside the EEA for purposes that possess little in the way of “substantial public interest”.
In my view, it would reassure the public if these agencies had, by law, to commit to the following obligations:
• Process personal data lawfully and ensure that any processing is necessary for their statutory functions.
• Ensure that personal data are processed in a way that is not incompatible with the national security purpose.
• Ensure that all personal data are adequate, relevant and not excessive in relation to the national security purpose.
• Ensure that personal data are kept no longer than necessary for the national security purpose.
• Ensure that personal data are kept secure.
• Ensure that personal data are not to be transferred outside the EEA to a country that offers an inadequate level of protection unless there is a substantial public interest in any transfer.
One should add that these data protection principles have stood the test of time for 30 years or so. For instance, if the police and all their sensitive criminal intelligence collections can co-exist with these data protection principles for nearly three decades (since the 1984 Act), I cannot see why metadata and personal data held by the national security agencies are any different.
Download my evidence here: Blog_Evidence to ISC
You can read several National Security Exemption Certificates (Section 29 of the Data Protection Act) at the end of the blog: http://amberhawk.typepad.com/amberhawk/2014/02/should-national-security-certificates-exclude-the-data-protection-principles.html