Feeds

How GCHQ keeps tabs on FOI requestors

Are widely available IT docs really a 'national security' matter?

Choosing a cloud hosting partner with confidence

The handling of my FOIA request for an innocuous document provides evidence that the national security agencies will apply whatever exemption it can get it hands on, to be applied whenever it can, irrespective of the circumstances of the case. The mantra appears to be “if it can be kept secret, it will be kept secret”.

This is a worrying conclusion because the meaning of “national security” is expanding almost as fast as the universe. In the latest “Wikileaks” episode, the press were full of reports that a “snake venom facility” in Australia was a national security concern for the USA. Are we to assume, therefore, in the UK that “national security powers” could be applied to justify the processing of personal data in connection with the production of snake venom?

It is interesting to note that the Intelligence Services Act of 1994 provides the legal basis for GCHQ’s purpose associated with the provision of “bog standard”, declassified, IT security advice. This states that GCHQ’s role is to “to provide advice and assistance about ... the terminology used for technical matters, and cryptography and other matters relating to the protection of information and other material” to central government or any other organisation chosen by the Prime Minister.

That explains why “national security” now embraces “providing advice and assistance on the security of communications and electronic data...”, business continuity and resilience planning (eg against Acts of God) and delivering “information assurance policy services” to public bodies. In fact, all situations envisaged by the Civil Contingencies Act 2004 are arguably now matters of “national security”.

The inclusion of these areas such as IT security is an example of “national security function creep”. These wider dimensions add to that creeping which has already arisen in the area of policing, as both the Intelligence Services Act of 1994 and Security Service Act of 1996, extended the function of the national security agencies to additionally support “the activities of police forces and other law enforcement agencies in the prevention and detection of serious crime”.

So when these national security agencies process personal data to support the police, these agencies do not process personal data for a “crime purpose” (which is the obvious purpose when the processing is to assist the police in connection with serious crime) but rather for the “national security purpose”. This position was upheld by previous Home Secretaries in the previous administration (see here).

Why the difference? Well both exemptions are designed to protect the processing interests of the respective bodies, and they have successfully achieved this objective. For example, I have not heard the police arguing that the Data Protection Act stops them processing their criminal intelligence. However, the policing exemption in Section 29 of the Data Protection Act is fully subject to the Information Commissioner’s independent oversight, while the broader “national security purpose” in Section 28 is not. Hence the inevitable conclusion that the objective of morphing the “national security” purpose to include the “policing purpose” is to minimise and avoid independent supervision by the Commissioner.

I should add that this position cannot be effectively challenged, because Section 28 states that if a Minister signs a certificate that equates the “national security purpose” with the “policing purpose”, then that is the end of the matter.

The dilemma associated with balancing the national security purpose with individual privacy and transparency concerns is not a new issue. Back in 1979, the Lindop Report into Data Protection (Cmnd 7341, paras 23.21-23.24) stated that the national security agencies should be subject to a data protection Code of Practice that was independently supervised.

The report concluded that it was important to take the national security agencies out of their "hermetically sealed" environment in order to ensure that these agencies would be "open to the healthy – and often constructive – criticism and debate which assures for many other public servants that they will not stray beyond their allotted functions".

So I end this article by asking a basic question. Do you think that the national security agencies have “strayed”? Does an expanding definition of “national security”, supported by a lack of transparency and accountability, carry the risk of encouraging such “straying”?

Currently, the national security agencies effectively decide for themselves how far the “national security purpose” stretches. This risks increasing the “national security function creep” and establishing a position that is less and less accountable by the day.

In short, I think the time has come to urgently revisit how the exemptions in Data Protection Act and FOI Act should apply national security agencies.

References: See “Human Rights Legislation and Government Policy towards national security – 2006”, which explores data protection in the context of weak regulation, a lack of Parliamentary and judicial scrutiny, and the national security purpose, or click here .

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Bono apologises for iTunes album dump
Megalomania, generosity and FEAR of irrelevance drove group to Apple deal
HBO shocks US pay TV world: We're down with OTT. Netflix says, 'Gee'
This affects every broadcaster, every cable guy
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
French 'terror law' declares WAR on the INTERNET itself, say digi-rights folks
Liberté, Égalité, Fraternité: Two out of three ain't bad
SCREW YOU, EU: BBC rolls out Right To Remember as Google deletes links
Not even Google can withstand the power of Auntie
Arab States make play for greater government control of the internet
Nerds told to get lost in last-minute power grab bid at UN meeting
Zippy one-liners, broken promises: Doctor Who on the Orient Express
Series finally hits stride, but Clara's U-turn is baffling
Don't bother telling people if you lose their data, say Euro bods
You read that right – with the proviso that it's encrypted
America's super-secret X-37B plane returns to Earth after nearly TWO YEARS aloft
674 days in space for US Air Force's mystery orbital vehicle
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.