National Security Certificates under the Data Protection Act 2018


Dr Rachel Finn
- Director, Data Protection & Cyber-risk Services / Head of Irish Operations

Date: 17 September 2020

Data protection often necessitates the balancing of the rights of the individual against matters of public interest. In order to strike this balance, data controllers processing personal data for public interest purposes, namely national security and law enforcement, on a routine or extraordinary basis must demonstrate how they meet complex compliance requirements while protecting and serving public interest. Organisations that undertake these important tasks carried out in the public interest must consider how to achieve these objectives without unlawfully infringing upon the rights and freedoms of the individual.

To enable this assessment, the UK Data Protection Act 2018 (DPA) creates a mechanism called the National Security Certificate. This is a certificate, signed by the Minister of State, which certifies that exemptions from the provisions of the DPA are required. This allows exempt controllers to engage in processing activities carried out for the purposes of public interest. These exemptions cover most of the critical data protection provisions and safeguards, including:

  • The data protection principles (apart from the principle of lawfulness)
  • The rights of data subjects
  • Notification of personal data breaches to the Information Commissioner’s Office (ICO) and the affected data subjects
  • Transfers of personal data to third countries or international organisations

The National Security Certificate is an optional public document and controllers are not obliged to have this document to process personal data. Nonetheless, it may help controllers in assessing and demonstrating their data protection compliance in complex situations and legal proceedings, as well as to concerned data subjects. In addition, it could help controllers raise awareness within their organisation about high-risk data processing activities and create consistency in how data protection law applies. Indeed, this certificate can support any data controller that processes personal data for law enforcement, national security and intelligence purposes alongside their general operations which fall under the scope of GDPR and DPA. Another element to take into account is that this certificate acts as conclusive evidence that a national security exemption is required for the stated purposes, supporting legal clarity and certainty.

The decision to apply for such a certificate lies with the controllers. They should consider whether they:

  • process personal data for the above-mentioned purposes and
  • need to rely on this legal basis to be exempt from provisions of data protection law.

If controllers reply positively to the above two questions, they are entitled to apply for this certificate, which can have both retrospective and prospective effect. The Home Office has updated its guidance recently and advises that the below factors should also be considered before applying:

  • the volume of data
  • the frequency of data processing and
  • the specific conditions and complexities that advocate in favour of a certificate

Following these considerations, controllers should apply and specify the data protection regime the certificate applies to and its duration. Detail should also be included about the reasons why exemption from data protection law is required and why this certificate is necessary. As for duration, the Home Office suggests that certificates should be for a fixed duration of no more than five years. This would enable the periodic review of the certificate and, by extension, of the processing activities in question.

To conclude, the National Security Certificate can be a prudent and beneficial tool in the hands of controllers who process personal data for public interest purposes, under the circumstances provided for under the DPA. If considering applying for one, Trilateral’s DPIA and audit and assessment services can help you map and assess your processing operations and the need for such a certificate. For more information please refer to our list of services or get in touch with one of our advisors who would be happy to discuss your data protection needs and advise you on how to safeguard your operations for public interest reasons.

