25. Insofar as the obtaining of an item of information by any of the Intelligence
Services amounts to an interference with Art. 8 rights, that item of information
will in general amount to personal data.
26. Consequently as a data controller, the Respondents are in general required by
s. 4(4) of the DPA to comply with the data protection principles in Part I of
Sch. 1 to the DPA. That obligation is subject to ss. 27(1) and 28(1) of the
DPA, which exempt personal data from (among other things) the data
protection principles if the exemption “is required for the purpose of
safeguarding national security”. By s. 28(2) of the DPA, a Minister may
certify that exemption from the data protection principles is so required.
Copies of the ministerial certificates for each of the Intelligence Services are
available on request. Those certificates certify that personal data that are
processed in performance of the Intelligence Services’ functions are exempt
from the first, second and eighth data protection principles (and are also
exempt in part from the sixth data protection principle). Thus the certificates
do not exempt the Intelligence Services from their obligation to comply with
the fifth and seventh data protection principles, which provide:
“5. Personal data processed1 for any purpose or purposes shall not be kept
for longer than is necessary for that purpose or those purposes. …
1 The term “processing” is broadly defined in s. 1(1) of the DPA to include
(among other things), obtaining, recording and using.
2 The content of the obligation imposed by the seventh data protection
principle is further elaborated in §§9-12 of Part II of Sch. 1 to the DPA.
7. Appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against accidental
loss or destruction of, or damage to, personal data.”
27. Accordingly, when the Respondents obtain any information which amounts to
personal data, they are obliged:
(a) not to keep that data for longer than is necessary having regard to the
purposes for which they have been obtained and are being retained / used; and
(b) to take appropriate technical and organisational measures to guard against
unauthorised or unlawful processing of the data in question and against
accidental loss of the data in question.
The OSA
28. A member of the Intelligence Services commits an offence if “without lawful
authority he discloses any information, document or other article relating to
security or intelligence which is or has been in his possession by virtue of his
position as a member of any of those services”: s. 1(1) of the OSA. A
disclosure is made with lawful authority if, and only if, it is made in
accordance with the member’s official duty (s. 7(1) of the OSA). Thus, a
disclosure of information by a member of any of the Respondents that is e.g.
in breach of the relevant “arrangements” (under s. 4(2)(a) of the ISA) will
59