Information Commissioner’s Office publishes new guidance on the national security exemption in Part 2 of the Data Protection Act 2018 (DPA)


The ICO has added the new guidance to its Guide to the UK General Data Protection Regulation (UK GDPR). In the summary section, the new guidance explains that s 26 of the DPA provides an exemption which is capable of exempting personal data from most of the data protection principles and obligations, and from individuals’ rights, where required to safeguard national security or for defence purposes. The guidance only considers the national security aspects of the exemption. The ICO will develop additional content on the defence aspects of the exemption and will publish an amended version of the guidance in due course.

The guidance explains that the exemption is not a blanket exemption. An organisation must be able to show that the exemption from specified data protection standards is required for the purposes of safeguarding national security. The ICO suggests considering whether complying with the UK GDPR would raise a real possibility of an adverse effect on national security when deciding whether to use the exemption.

The guidance further explains that a Minister of the Crown (specifically a member of the Cabinet, the Attorney General or the Advocate General for Scotland) can issue a certificate which covers the processing in relation to national security. If an organisation decides that it is necessary to rely on the exemption, it can rely on this certificate as conclusive proof that the exemption applies. However, the guidance warns, organisations should not assume that they must apply the exemption simply because a certificate has been issued.

In any event, the guidance explains, organisations must always have a lawful basis under Article 6 and show that the processing is more generally lawful. There is no exemption from the requirement to process lawfully. Further, organisations must always comply with their general accountability and governance obligations.

Finally, the guidance explains that modified rules apply to how organisations process special category data and to their security obligations.

The guidance also includes a checklist for using the exemption. It then explains in more detail, with examples, what “national security” covers, how the exemption works, when it is likely to apply, what a ministerial certificate is, what the special rules are for special category data, and how security obligations are affected.