My Lords, I thank all noble Lords who have spoken to these amendments on the scope of the national security and defence exemptions in Parts 2 and 4 and the provisions in respect of national security certificates.
Amendments 124A, 124M and 124N relate to the exemption in Clause 24 for defence purposes. Amendments 124A and 124N seek to reinstate wording used in the Data Protection Act 1998 which used the term “combat effectiveness”. While it may have been appropriate for the 1998 Act to refer to “combat effectiveness”, the term no longer adequately captures the wide range of vital activities that the Armed Forces now undertake in support of the longer-term security of the British islands and their interests abroad and the central role of personal data, sometimes special categories of personal data, in those activities. I think that is what the noble Lord was requiring me to explain.
Such a limitation would not cover wider defence activities which defence staff are engaged in, for example, defence diplomacy, intelligence handling or sensitive administration activities. Indeed, the purpose of many of these activities is precisely to avoid traditional forms of combat. Yet without adequate provision in the Bill, each of the activities I have listed could be compromised or obstructed by a sufficiently determined data subject, putting the security, capability and effectiveness of British service personnel and the civilian staff who support them at risk.
Let me be absolutely clear at this stage: these provisions do not give carte blanche to defence controllers. Rights and obligations must be considered on a case-by-case basis. Only where a specific right or obligation is found to be incompatible with a specific processing activity being undertaken for defence purposes can that right or obligation be set aside. In every other circumstance, personal data will be processed in accordance with GDPR standards.
Amendment 124M probes the necessity of the applied GDPR’s article 9 exemption for defence purposes. Article 9 provides for a prohibition on processing of special categories of personal data. If we did not modify the application of article 9 for defence purposes, we would be hampering the ability of the Armed Forces to process certain personal data, for example, biometric data. This could have a detrimental impact on operations and other activities carried out by the Armed Forces.
I firmly believe that it is in the UK’s national interest to recognise that there may sometimes be a conflict between the individual’s right to have their personal data protected and the defence of the realm, and to make appropriate provision in the Bill to this end. I think that the noble Baroness, Lady Hamwee, asked about the publication of security certificates. National security certificates are public in nature, given that they may be subject to legal challenge. They are not secret and in the past they have been supplied if requested. A number are already published online and we will explore how we can make information about national security certificates issued under the Bill more accessible in future. She also asked about the timelessness of these certificates. They are general and prospective in nature, and arguably no purpose would be served by a requirement that they be subject to a time limitation. For example, in so far as a ministerial certificate allows the intelligence services to apply a “neither confirm nor deny” response to a subject access request, any certificate will inevitably require such a provision.
Amendments 124C, 124D, 124E, 124F, 124P and 148E seek to restrict the scope of the national security exemption provided for in Parts 2 and 4 of the Bill. I remind the Committee that Section 28 of the Data Protection Act 1998 contains a broad exemption from the provisions of that Act if the exemption is required for the purpose of safeguarding national security. Indeed, Section 28 provides for an exemption on such grounds from, among other things, all the data protection principles, all the rights of data subjects and all the enforcement provisions. Although we have adopted a more nuanced approach in the Bill, it none the less broadly replicates the provisions in the 1998 Act, which have stood the test of time. Crucially, under the Bill—as under the 1998 Act—the exception can be relied upon only when it is necessary to do so to protect national security; it is not a blanket exception.
It may assist the Committee if I provide a couple of examples, first in the context of Part 4, of why the exemption needs to be drawn as widely as it is. Clause 108 includes an exemption from Clauses 137 to 147 relating to information, assessment and enforcement notices issued by the Information Commissioner. It may be necessary for an intelligence service to apply this exemption in cases of extreme sensitivity or where the commissioner requested sensitive data but was unable to provide sufficient assurances that it would be held securely enough to protect the information.
In relation to the offence of unlawfully obtaining personal data, much intelligence work involves obtaining and then disclosing personal data without the consent of the controller. For example, if GCHQ intercepts personal data held on a foreign terrorist group’s computer, the data controller is the terrorist group. Without the national security exemption, the operation, although authorised by law, would be unlawful as the data controller has not consented. Similarly, reidentification of deidentified personal data may be a valuable source of intelligence if it can be reidentified. For example, an intelligence service may obtain from a computer a copy of a list of members of a terrorist group who are identified using code names, and from other sources the service believes that it can tie the code names to real identities.
The need for a wide-ranging exemption applies equally under Part 2 of the Bill. Again, a couple of examples will serve to illustrate this. Amendment 124C would mean that a controller processing data under the applied GDPR scheme could not be exempted from the first data protection principle as it relates to transparency. This principle goes hand in hand with the rights of data subjects. It cannot be right that a data subject should be made aware of a controller providing information to, say, the Security Service where there are national security concerns, for example because the individual is the subject of a covert investigation.
To take another example which touches on Amendment 124D, it is wholly appropriate to be able to limit the obligation on controllers under article 33 of the applied GDPR to disclose information to the Information Commissioner where the disclosure would be damaging to national security because, say, it would reveal the identity of a covert human intelligence source. As is the case under Part 4, this exemption would be applied so as to restrict the information provided to the commissioner, not to remove entirely the obligation to report appropriate details of the breach.
I hope that this has given the Committee a flavour of why the national security exemption has been framed in the way that it has. As I have indicated, the Bill’s provisions clearly derive from a similar provision in the existing Data Protection Act and are subject to the same important qualification: namely, that an exemption may be applied in a given case only where it is required for the purpose of safeguarding national security.
Amendment 137P would make publicly available national security certificates issued under Clause 77 by ensuring that everyone who is directly affected by the issuing of a certificate is informed about it. The intended effect is to make it easier for data subjects to challenge a certificate and to provide for greater transparency. As I said to the noble Baroness earlier, a number of national security certificates issued under the Data Protection Act are already publicly available—albeit that the 1998 Act provides for no formal process for this to happen. Also, anyone who believes that they are directly affected can challenge a certificate. That remains the case under the Bill.
I have some concerns about the approach taken in Amendment 137P. Where a certificate was limited to specific data in respect of one or more data subjects, the effect of the amendment could well be to alert a terrorist to the fact that they are under investigation, thereby run counter to the operation of the “neither confirm nor deny” principle and therefore undermine intelligence service operations. That said, I recognise that more can be done to publicise the existence of such certificates and will consider this further before Report.
Amendment 124L would radically change the national security certificate regime provided for in Clause 25, which is consistent with that contained in other parts of the Bill and of course with that currently provided for in the Data Protection Act 1998. It would replace the existing scheme with one which requires a Minister of the Crown to apply to a judicial commissioner for a certificate if an exemption is sought for the purposes of safeguarding national security, and for a decision to issue a certificate to be approved by a judicial commissioner.
This amendment is a wholly unnecessary, unjustified and disproportionate departure from a scheme which has been relied on under the Data Protection Act 1998 for many years and which works well. That is why it is entirely appropriate to replicate it in the Bill. In addition to creating an inconsistency within the current scheme, it would create huge inconsistency with national security certificates in the rest of the Bill. Moreover, it is important to recognise that these certificates are already subject to judicial oversight, given that they may be appealed to the Upper Tribunal.
I hope that noble Lords will recognise and accept that the national security exemption and certification provisions provided for in Clauses 24 and 25 maintain precisely the same safeguards that currently apply, which are clearly understood and work well. There is no weakening of a data subject’s rights or of the requirements that must be met before an exemption can be relied on.
Amendment 148C would require an exemption from a provision in Part 4 of the Bill to be “necessary” rather than “required”—the noble Baroness, Lady Hamwee, made that point. Although this does not appear to alter the threshold for relying on the national security exemption, it would be a change from the language used in the equivalent Section 28 of the Data Protection Act 1998, which the Bill is seeking to replicate in Clause 108. I might add that Clause 25 adopts the same language as in Clause 109. This amendment would create an unnecessary inconsistency which might only cause confusion and reduce clarity.
Amendment 148D would provide that the national security exemption provided for in Clause 108, which allows exemption from specified provision in Part 4 of the Bill, can be relied on only if a Minister of the Crown has signed a certificate under Clause 109. A certificate signed by a Minister certifies that the need for reliance on an exemption is conclusive evidence of that fact. It is not a prerequisite for the reliance on an exemption; to make it so would be operationally damaging. It would introduce delays that would be likely to significantly hamper, if not wholly frustrate, proper processing. Clearly, if processing was dependent on the issuing of a ministerial certificate, it could not proceed without one—by which time a threat that could have been identified by the processing may have crystallised into actual damage to national security.
I hope that the noble Baroness recognises that the national security exemption provisions in the Bill maintain precisely the same safeguards that currently apply and work well. They represent no weakening of a data subject’s rights or of the requirements that must be met before an exemption can be relied on.
Finally, Amendments 124K, 148H and 148J seek to clarify the grounds for an appeal against a certificate—a point raised by the Constitution Committee in its report on the Bill. I hope that I can persuade noble Lords that these amendments are similarly unnecessary. In applying judicial review principles when considering an appeal under Clause 109, the tribunal would already be able to consider a wide range of issues, including necessity, proportionality and lawfulness—enabling, for example, the tribunal to consider whether the decision to issue the certificate was reasonable, having regard to the impact on the rights of data subjects and balancing against the need to safeguard national security. As a result, the matters mentioned in Amendment 148H would already be covered by the existing drafting of Clause 109.
I apologise for the lengthy explanation of the Government’s views on these amendments, but I hope noble Lords will feel free not to press them.