DPA 2018 Part 4: Intelligence services processing
Part 4 of the DPA (Data Protection Act) 2018 applies to the UK intelligence services’ processing of personal data where it occurs:
- Wholly or partly by automated means; and
- Not by automated means where it forms, or is intended to form, part of a filing system.
The intelligence services are the Security Service (MI5), the Secret Intelligence Service (MI6) and the GCHQ (Government Communications Headquarters).
UK data protection law is currently being revised. We are following the progress of the Data Protection and Digital Information (No.2) Bill through parliament and will keep you updated on how it might affect your data processing obligations.
Data protection principles
The six data protection principles in Part 4 are the same as the GDPR’s data processing principles, except for a slight variation in wording in the sixth principle, which refers to ‘security measures’ rather than ‘technical and organisational measures’.
Personal data must be:
- Processed lawfully, fairly and transparently;
- Collected for specified, explicit and legitimate purposes;
- Adequate, relevant and not excessive in relation to the purpose for which it is processed;
- Accurate and, where necessary, kept up to date;
- Kept for no longer than is necessary; and
- Processed in a secure manner, using appropriate security measures.
If processed for the purpose of national security, only the first principle’s requirement for lawfulness applies.
In order to be lawful, at least one of the conditions in Schedule 9 for processing personal data and Schedule 10 for sensitive processing must be met.
Schedule 11 sets out further exemptions.
Part 4 of the DPA 2018 is functionally unaffected by the changes introduced by the DPPEC (Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit)) Regulations 2019 on 1 January 2021.