The DPA
13. The Complainant's subject access request was made to the Respondent under
s 7 of the DPA. The DPA was enacted to implement Directive 95/46/EC on the
Protection of Individuals with regard to the Processing of Personal Data and the
Free Movement of such Data. The objective of the Directive was to protect rights
to privacy and the accessing of personal data held by others (data controllers),
while facilitating the free movement of data between Member States. The
Directive did not apply to the processing of personal data in operations
concerning public security, defence and State security (Article 3) and it permitted
measures by Member States restricting the scope of the right of access of a data
subject, when such a restriction constitutes a necessary measure to
safeguard national security (Article 13(1)). Those Articles reflect the derogation
provisions in Article 9(2) of the 1981 Council of Europe Convention for the
Protection of Individuals With Regard to Automatic Processing of Personal Data
(Cmnd 8341). The 1981 Convention took a broad view of "private life" in
establishing basic principles for data protection and in enabling people to
establish the existence of an automated personal data file.
14. While s 7(1) of the DPA conferred on an individual the right to be informed by
any data controller whether personal data, of which that individual is the data
subject, are being processed by or on behalf of the data controller, s 28(1)
exempts personal data from s 7(1), if exemption is required "for the purpose of
safeguarding national security." Under s 28(2) the Secretary of State has power to