How GCHQ keeps tabs on FOI requestors
Are widely available IT docs really a 'national security' matter?
The handling of my FOIA request for an innocuous document provides evidence that the national security agencies will apply whatever exemption it can get it hands on, to be applied whenever it can, irrespective of the circumstances of the case. The mantra appears to be “if it can be kept secret, it will be kept secret”.
This is a worrying conclusion because the meaning of “national security” is expanding almost as fast as the universe. In the latest “Wikileaks” episode, the press were full of reports that a “snake venom facility” in Australia was a national security concern for the USA. Are we to assume, therefore, in the UK that “national security powers” could be applied to justify the processing of personal data in connection with the production of snake venom?
It is interesting to note that the Intelligence Services Act of 1994 provides the legal basis for GCHQ’s purpose associated with the provision of “bog standard”, declassified, IT security advice. This states that GCHQ’s role is to “to provide advice and assistance about ... the terminology used for technical matters, and cryptography and other matters relating to the protection of information and other material” to central government or any other organisation chosen by the Prime Minister.
That explains why “national security” now embraces “providing advice and assistance on the security of communications and electronic data...”, business continuity and resilience planning (eg against Acts of God) and delivering “information assurance policy services” to public bodies. In fact, all situations envisaged by the Civil Contingencies Act 2004 are arguably now matters of “national security”.
The inclusion of these areas such as IT security is an example of “national security function creep”. These wider dimensions add to that creeping which has already arisen in the area of policing, as both the Intelligence Services Act of 1994 and Security Service Act of 1996, extended the function of the national security agencies to additionally support “the activities of police forces and other law enforcement agencies in the prevention and detection of serious crime”.
So when these national security agencies process personal data to support the police, these agencies do not process personal data for a “crime purpose” (which is the obvious purpose when the processing is to assist the police in connection with serious crime) but rather for the “national security purpose”. This position was upheld by previous Home Secretaries in the previous administration (see here).
Why the difference? Well both exemptions are designed to protect the processing interests of the respective bodies, and they have successfully achieved this objective. For example, I have not heard the police arguing that the Data Protection Act stops them processing their criminal intelligence. However, the policing exemption in Section 29 of the Data Protection Act is fully subject to the Information Commissioner’s independent oversight, while the broader “national security purpose” in Section 28 is not. Hence the inevitable conclusion that the objective of morphing the “national security” purpose to include the “policing purpose” is to minimise and avoid independent supervision by the Commissioner.
I should add that this position cannot be effectively challenged, because Section 28 states that if a Minister signs a certificate that equates the “national security purpose” with the “policing purpose”, then that is the end of the matter.
The dilemma associated with balancing the national security purpose with individual privacy and transparency concerns is not a new issue. Back in 1979, the Lindop Report into Data Protection (Cmnd 7341, paras 23.21-23.24) stated that the national security agencies should be subject to a data protection Code of Practice that was independently supervised.
The report concluded that it was important to take the national security agencies out of their "hermetically sealed" environment in order to ensure that these agencies would be "open to the healthy – and often constructive – criticism and debate which assures for many other public servants that they will not stray beyond their allotted functions".
So I end this article by asking a basic question. Do you think that the national security agencies have “strayed”? Does an expanding definition of “national security”, supported by a lack of transparency and accountability, carry the risk of encouraging such “straying”?
Currently, the national security agencies effectively decide for themselves how far the “national security purpose” stretches. This risks increasing the “national security function creep” and establishing a position that is less and less accountable by the day.
In short, I think the time has come to urgently revisit how the exemptions in Data Protection Act and FOI Act should apply national security agencies.
References: See “Human Rights Legislation and Government Policy towards national security – 2006”, which explores data protection in the context of weak regulation, a lack of Parliamentary and judicial scrutiny, and the national security purpose, or click here .
This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.
Sponsored: 2016 Cyberthreat defense report