Today, the Government will whip its controversial Investigatory Powers Bill (IP Bill) through its Parliamentary Report stage; the Bill, in part, provides powers that permit the national security agencies to amass bulk personal datasets where the majority of personal data in a bulk dataset relates to data subjects who are not of interest to these agencies.
The Government has so far ignored the data protection recommendations of the draft IP Bill Committee which asked for important data protection considerations to be included as part of the double lock procedure (the double lock has been proposed by the Government as a major protection from abuse).
Instead the Government intends to keep the Section 28 exemption in the Data Protection Act and the associated system of certification that usually exempts the First, Second and Eighth Data Protection Principles. This keeps data protection considerations firmly outside the double lock procedure.
The fact that these Principles are outside the tent, so to speak, will send some unfortunate data protection messages. These messages include that the national security agencies can process bulk personal datasets: without regard to their statutory functions; without regard to fairness; without regard for lawfulness; without regard for compatibility, and, in extremis, permit the transfer of a dataset anywhere in the planet (even to North Korea, such is the scope of the national security exemption used).
No justification has been provided by Government for the using an exemption of this breadth nor for the rejection of the IP Bill Committee’s data protection recommendations.
Ignoring the IP Bill Committee’s recommendations
The draft IP Bill Committee made two important data protection recommendations:
“… We recommend that the assessments undertaken by Judicial Commissioners when authorising warrants should give consideration to data protection issues”. (Para 52 of the Conclusions and Recommendations of the Committee).
“… To the greatest extent possible, the safeguards that appear in the Data Protection Act 1998 should also apply to personal data held by the security and intelligence agencies…” (Para 74 of the Conclusions and Recommendations of the Committee).
The Government’s response to this was to state that the national security agencies were already subject to the Data Protection Act unless an exemption applied. Such an exemption:
‘…is required for the purpose of safeguarding national security. By virtue of section 28(2) of the DPA, a Minister may certify that exemption from the Data Protection Principles is so required” (note that a Minister approves a certificate but only if one is needed).
The response also confirmed that:
“…those certificates certify that personal data that are processed in performance of their functions are exempt from the first, second and eighth data protection principles (and are also exempt in part from the sixth data protection principle)”. Note: it is important for the following analysis “to clock” the confirmation that these certificates exempt the aforementioned principles as matter of routine.
The fact that the Government intend to continue the Section 28 certificated exemption from the Data Protection Act is confirmed the Code of Practice relating to bulk personal datasets:
“Each of the Security and Intelligence Agencies (SIA) is a data controller in relation to all the personal data that it holds. Accordingly, when the Security and Intelligence Agencies use any bulk data that contain personal data, they must ensure that they comply with the Data Protection Act 1998 (except in cases where exemption under section 28 is required for the purpose of safeguarding national security)” (paragraph 11.9)
One consequence of a national security certificate being outside the double lock is already visible and is illustrated by the Investigatory Powers Tribunal case involving Privacy International ([2014] UKIPTrib 13_77-H; delivered on 05/12/2014, at paragraph 19). In statements made to the Tribunal, the barrister for GCHQ produced a certificate signed by David Blunkett thirteen years previously (in 2001) to show that key obligations in the Data Protecting Act were exempt.
In other words, once a general certificate is signed, it can apply to any bulk personal dataset operation into the future; there is no requirement that a Home Secretary (or Judicial Commissioner) is made aware or re-approves certificates signed by any predecessor in the post.
Messages arising from the use of the national security exemption
As stated previously, the Government propose that the national security agencies continue to apply the wide certificated and timeless exemption from the First, Second and Eighth Data Protection Principles. This in turn will mean the national security agencies will be sending messages that, in my view, are very likely to undermine public confidence in what they do.
For instance, the First Data Protection Principle contains a requirement to process personal data “lawfully”. If this requirement is exempt, the data protection message sent is that the national security agencies might undertake some processing of personal data that would be “unlawful” in terms of this Principle.
The First Data Protection Principle contains a requirement to process personal data in accordance with a Schedule 2 condition; in the context of national security the relevant condition is that the processing of personal data “is necessary for the exercise of any functions conferred on any person by or under any enactment”. If this provision is exempted, as the Government intend, it sends the data protection message that the national security agencies might want to process personal data in a way that is NOT necessary for their statutory functions.
A similar argument applies to the First Data Protection Principle and the requirement to process sensitive personal data (e.g. medical records) in accordance with a Schedule 3 condition that limits processing to that which is also “necessary for the exercise of any functions conferred on any person by or under any enactment”. If this requirement is exempt, the data protection message sent is that medical records might be used for purposes NOT necessary for the national security function.
The Second Data Protection Principle contains a requirement to process personal data a way that is NOT incompatible with the purpose of obtaining. If this is exempt, as the Government intend, the data protection message sent is that the national security agencies might process personal data in a way that can be incompatible with the national security, terrorism or serious crime purposes.
The Eighth Data Protection Principle requires transfers to countries that offer an adequate level of protection. If this requirement is exempt, as the Government intend, it implies that the national security agencies might transfer a bulk personal dataset to any country that does not offer an “adequate level of protection” (e.g. North Korea).
Not only that. As the Eighth Principle allows adequacy considerations to be set aside for transfers on a case-by-case basis if “transfer is necessary for reasons of substantial public interest”, it follows that a certificated exemption also allows transfers in the absence of any “substantial public interest” requirement.
In other words, the message sent by the Government’s certificated exemption is to permit a transfer to a country offering an inadequate level of protection for reasons not in the substantial public interest (e.g. for purposes unconnected with child protection, terrorism, serious crime and national security; purposes where there would be such a “substantial public interest” in a particular transfer).
I should add that the Government has never proffered any explanation as to why the national security agencies should be exempt from the above obligations. In the same way it has not offered any evidence that such bulk personal dataset collection is consistent with Article 8 of the Human Rights Act.
Of course, the Government might argue that the Code of Practice on Bulk Personal Datasets offers the protection afforded by the Data Protection Act (for example, this Code says that onward disclosures of a dataset would always be proportionate or necessary for the national security functions). In which case, the response has to be “if these protections are already enshrined in law via the Data Protection Act, why exempt them from the Act?”.
In my view, replacing statutory safeguards in an Act of Parliament by safeguards in a Code of Practice that does not have the equivalent legal status, where the Code is produced by those with political responsibility for the agencies that invade privacy on an industrial scale, is not “privacy protection”. It is the consequence of a conflict of interest; namely, the organisations that want to invade privacy are defining the rules to protect privacy, in the same way as an alcoholic would define the rules for when the pubs and off licences close.
Given the above, one can very much understand why the draft IP Bill Committee recommended the application of a national security exemption should be linked to each specific bulk personal dataset acquisition inside the double lock procedure.
The national security purpose can be transparent
The First Principle also contains a requirement to process personal data fairly and this usually means making a statement (e.g. in a Fair Processing Notice) about the processing of personal data. A certificate under Section 28 would exempt this requirement unconditionally for every single bulk personal dataset acquisition.
However, there is an example where the fairness provisions can be applied to a bulk personal dataset that is already streamed to the national security agencies.
For instance, with respect to Congestion Charge ANPR data, the Transport for London (TfL) website states: “…in 2007 … TfL's ANPR data … specifically for the purpose of using it to safeguard national security”. Clearly, if TfL’s statement had jeopardised any national security operation, then the national security agencies would have asked for it to be removed. They haven’t – therefore some bulk personal dataset acquisitions can be subject to fair processing requirements.
I should add that I can understand why the national security agencies would want an exemption from the above transparency obligations in some cases. However, a certificated exemption would mean that this obligation is exempt in every case, when the TfL example shows that such transparency is possible without any prejudice to the national security function.
Concluding comments
The application of the national security exemption in the Data Protection Act has to be included inside the double lock and not, as the Government propose, outside the double lock.
Enforceable safeguards in the Data Protection Act should be preferred to those proffered by the Home Office’s Bulk Personal Dataset Code of Practice.
In the IP Bill itself, any application of the national security exemption in data protection should to be tailored on a case-by-case basis to any specific bulk personal dataset acquisition; the case for such an exemption should be subject to review by a Judicial Commissioner before dataset acquisition.
If the police with their sensitive criminal intelligence databases on mafia members can co-exist with data protection requirements since 1984 with a narrow exemption, the Government or national security agencies need to explain why bulk personal datasets on ordinary members of the public, who they admit are of no interest to them, have to be subject to such a broad exemption.
At the end of the day the national security agencies want data subjects to trust them. I therefore cannot understand a reliance on an out-dated data protection exemption that is so broad that it transmits horrendous, privacy-busting messages to data subjects.
I am, of course, assuming that such messages do not reflect what these agencies do in practice.
Publicity
To train your Data Protection Officer, we have a BCS DP Practitioner Qualification (starting in London on July 12). Need to know more about information security management: BCS Foundation CISMP course starts in London on June 13; a BCS DP Foundation course qualification is being held in London on 20 June. Full details of courses from September (e.g. FOI, Foundation DP courses) are on the Amberhawk home page: www.amberhawk.com
Amberhawk is holding all day GDPR Regulation Workshops in London , Leeds, Douglas (Isle of Man) and Edinburgh in the next three months; details on http://www.amberhawk.com/bookevents3.asp
References
If you want to look at several national security certificates, look at the links at the end of “Should national security certificates exclude the Data Protection Principles?” http://amberhawk.typepad.com/amberhawk/2014/02/should-national-security-certificates-exclude-the-data-protection-principles.html
Tfl statement on national security is under “Police access to ANPR cameras Police access to ANPR cameras” https://tfl.gov.uk/corporate/privacy-and-cookies/road-user-charging
Joint Committee on the Draft Investigatory Powers Bill Report: http://www.parliament.uk/draft-investigatory-powers
Draft Code of Practice on bulk personal datasets: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/504237/Bulk_Personal_Datasets_SIA_draft_code_of_practice.PDF
Comments
You can follow this conversation by subscribing to the comment feed for this post.