DPA 2018 Part 4: Intelligence services processing
Part 4 of the DPA (Data Protection Act) 2018 applies to the UK intelligence services’ processing of personal data where it occurs:
- Wholly or partly by automated means; and
- Not by automated means where it forms, or is intended to form, part of a filing system.
The intelligence services are the Security Service (MI5), the Secret Intelligence Service (MI6) and GCHQ (Government Communications Headquarters).
UK data protection law is currently being revised. We are following the progress of the Data Protection and Digital Information Bill through parliament and will keep you updated on how it might affect your data processing obligations.
The DUAA (Data (Use and Access) Act 2025) came into law on 19 June 2025. We are currently reviewing and updating our information pages to account for the changes to UK data protection law introduced by the Act. If you need any expert guidance on how your data processing obligations will change, contact our experts today.
Data protection principles
The six data protection principles in Part 4 are the same as the GDPR’s data processing principles, except for a slight variation in wording in the sixth principle, which refers to ‘security measures’ rather than ‘technical and organisational measures’.
Personal data must be:
- Processed lawfully, fairly and transparently;
- Collected for specified, explicit and legitimate purposes;
- Adequate, relevant and not excessive in relation to the purpose for which it is processed;
- Accurate and, where necessary, kept up to date;
- Kept for no longer than is necessary; and
- Processed in a secure manner, using appropriate security measures.
If personal data is processed for the purpose of national security, only the first principle’s requirement for lawfulness applies.
For processing to be lawful, at least one of the conditions in Schedule 9 for processing personal data and Schedule 10 for sensitive processing must be met.
Schedule 11 sets out further exemptions.
Part 4 of the DPA 2018 is functionally unaffected by the changes introduced by the DPPEC (Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit)) Regulations 2019 on 1 January 2021.