The ICO exists to empower you through information.

At a glance

  • Part 4 contains six data protection principles:
    • Principle 1 – Lawful, fair and transparent processing
    • Principle 2 – Purpose limitation
    • Principle 3 - Adequate, relevant and not excessive
    • Principle 4 – Accuracy
    • Principle 5 – Storage limitation
    • Principle 6 – Security
  • For the processing to be lawful, you must have a Schedule 9 condition for processing.
  • If you are carrying out sensitive processing, you also need a Schedule 10 condition for processing.
  • You must be able to demonstrate overall compliance with all of the Part 4 principles, except where you can legitimately apply an exemption.

In brief

What are the Part 4 data protection principles?

There are six data protection principles in Part 4:

The first data protection principle is that processing must be lawful, and fair and transparent.

The second data protection principle is that processing must be for a specified, explicit and legitimate purpose; and must not be processed in a manner incompatible with the purpose for which it is collected.

The third data protection principle is that personal data must be adequate, relevant and not excessive in relation to the purpose for which it is processed.

The fourth data protection principle is that personal data must be accurate and, where necessary, kept up to date.

The fifth data protection principle is that personal data must be kept no longer than is necessary for the purpose for which it is processed.

The sixth data protection principle is that personal data must be processed taking appropriate security measures for the risks that arise from the processing.

What is the first principle?

The first data protection principle is that the processing of personal data must be —

(a) lawful, and
(b) fair and transparent.

The three elements of lawfulness, fairness and transparency overlap, but you must make sure you satisfy all three. It is not enough to show your processing is lawful if it is fundamentally unfair or lacks transparency.

Fair and transparent processing means that you should, wherever possible, be clear, open and honest about what personal data you process, and what you process it for. We recognise that in many operational matters, given the nature of some intelligence services processing, it may not be possible to be transparent about some of your specific processing activities. You should only handle personal data in ways that people would reasonably expect, and not use it in ways that have unjustified adverse effects on them.

Adverse effects may be fair, if necessary and proportionate. For example, if the use of the data is in the wider public interest. However, you should be able to explain and justify any adverse effects on a case-by-case basis, rather than taking a blanket approach.

How you obtain the data will also have a bearing on fairness. You can only use covert powers where necessary and proportionate. Wherever possible you should avoid misleading the person who is providing the data, as this is more likely to be unfair – unless it is justified in the specific circumstances. The data is deemed to be obtained fairly if you receive it from a person who is:

  • authorised by enactment to supply it; or
  • obliged to do so by either an enactment or by an international obligation of the UK.

“Lawful processing” means the processing firstly complies with the law, which means any relevant UK law, in particular the legislation governing the activities of the intelligence services. Where relevant, this may also include ensuring that personal data is obtained in accordance with applicable investigatory powers legislation, and that data is not obtained without a warrant or other authorisation where such a warrant or authorisation is required. It also includes any considerations of necessity and proportionality set out in the European Convention on Human Rights, which the Human Rights Act 1998 incorporates into UK law. Compliance with investigatory powers legislation is overseen by the Investigatory Powers Commissioner.

For the processing to be lawful you must also ensure that you have a Schedule 9 condition for the processing. These conditions are:

  • consent;
  • contract;
  • legal obligation;
  • vital interests;
  • public functions; and
  • legitimate interests.

If you are carrying out sensitive processing you also need to have a Schedule 10 condition for processing. These conditions are:

  • consent to particular processing;
  • right or obligation relating to employment;
  • vital interests of a person;
  • safeguarding of children and of individuals at risk;
  • data already published by data subject;
  • legal proceedings;
  • the administration of justice, parliamentary, statutory etc and government purposes;
  • medical purposes; and
  • equality.

There is no exemption from the lawfulness element of the first principle, even if you apply the national security exemption. Your processing must always be lawful.

What is the second principle?

The second data protection principle is that –

(a) the purpose for which personal data is collected on any occasion must be specified, explicit and legitimate, and

(b) personal data so collected must not be processed in a manner that is incompatible with the purpose for which it is collected.

The collection of personal data on any occasion must be for specified, explicit and legitimate purposes. In many cases, the intelligence services collect data using powers which are authorised under a warrant or other legal authorisation. For example, under various provisions in the Investigatory Powers Act 2016 (IPA 2016) or the Regulation of Investigatory Powers Act 2000 (RIPA 2000). There are safeguards provided around the issuing of warrants and other authorisations. For instance, what is often referred to as the “double-lock” mechanism, whereby the use of the most intrusive investigatory powers under the IPA 2016 is subject to a two-stage approval process. Rigorous adherence to these safeguards will help to ensure that the purpose for the processing is legitimate.

In cases where the data is collected without a warrant (because a warrant is not required), having first satisfied yourself that the collection is lawful, you need to ensure that have a specified, explicit and legitimate purpose for the collection of the data, and that you record that purpose.

If you want to use personal data for a different purpose from the one you originally collected it for, you need to ensure your new purpose is compatible with your original purpose (or as the DPA says, “not incompatible”). As a general rule, it is likely to be incompatible with your original purpose, if the new purpose:

  • is very different from the original purpose;
  • would be unexpected; or
  • would have an unjustified impact on the individual.

However, the DPA is clear that you can use the data for any purpose if you are authorised by law to do so, and the processing is necessary and proportionate. Part 4 controllers are in general permitted to process data in so far as it is necessary for their statutory functions, having regard, respectively, to the provisions of the Security Service Act 1989 and the Intelligence Services Act 1994. You must therefore consider necessity and proportionality. The processing will not comply with the second principle if the new purpose is authorised by law, but in the specific context is not necessary or proportionate.

If your new purpose is archiving in the public interest, scientific or historical research, or statistics, this is a compatible purpose – as long as you have put in place appropriate safeguards to protect the rights and freedoms of individuals. You can do this by ensuring that any data processed for these purposes cannot be used to make decisions about individuals, for example by anonymising the data.

What is the third principle?

The third data protection principle is that personal data must be adequate, relevant and not excessive in relation to the purpose for which it is processed.

This principle is often referred to as the data limitation principle. It aims to ensure the data you are processing is of sufficient relevance for your processing. It is important to identify the personal data you need to fulfil your lawful purpose and ensure you are not processing more than you need.

Prior to obtaining the intelligence data, it can be difficult to assess what is relevant, and hence what might be excessive. Similarly, insufficient intelligence may not be adequate for your purpose if you make decisions about individuals based on too little information to make a properly informed decision.

Compliance with the third principle in this context requires you to consider the intelligence data you collect in order to identify and discard any which is irrelevant or excessive for the purposes for which you collected it. It is inherent to the gathering of intelligence that it is not always possible to immediately assess which information is relevant and of value to your purpose. We recognise that in these circumstances it may be appropriate to retain data for which you have no immediate use. However it is important that you do not collect and retain data indiscriminately. You should be able to justify the retention of any data you hold.

You should also keep in mind the individual’s right to erasure of data.

What is the fourth principle?

The fourth data protection principle is that personal data undergoing processing must be accurate and, where necessary, kept up to date.

The DPA says that inaccurate means “incorrect or misleading as to any matter of fact”.

You must always be clear about what you intend the record of the personal data to show and take reasonable steps to ensure the accuracy of any personal data.

You should ensure that the source and status of personal data is clear in your records. This will help provide context to the information, and assist in your efforts to ensure its accuracy.

Assessment of intelligence is outside the scope of this guidance and is a matter of operational expertise. However, you should assess the accuracy of any data which you rely on when making decisions or taking action, correcting inaccuracies when appropriate and possible to do so. Individuals have a right to rectification or erasure of their personal data and you should carefully consider any challenges you receive from individuals about the accuracy of data you hold about them.

What you use personal data for may affect whether it is accurate or not. You should take this into account when considering the accuracy of the data, alongside other relevant factors. For example, just because personal data has changed doesn’t mean that a historical record is inaccurate – but you must be clear that it is a historical record, why you need to retain it, and that doing so is not in itself “excessive”.

You should also consider whether you need to periodically update the information, and also set out how long you expect to continue to hold the information, reviewing this periodically as necessary. This is also relevant to the next principle.

What is the fifth principle?

The fifth data protection principle is that personal data must be kept for no longer than is necessary for the purpose for which it is processed.

This is about retention, which must be for no longer than is necessary for the purpose for which the personal data is processed. Although a periodic review is not required, you must be able to demonstrate compliance with the other principles. As a controller you are required, under your accountability obligations, to implement appropriate measures to ensure compliance, and be able to demonstrate these to the ICO. This includes considering the impact on individuals, and implementing measures to ensure that you minimise any risks to their rights and freedoms. Therefore, you are likely to require policies to ensure compliance. A data retention policy is one that would be useful in demonstrating your compliance with the storage limitation principle. There is no maximum retention period set out in the legislation, but you still need to be able to rely on some objective justification for any retention period you set.

What is the sixth principle?

The sixth data protection principle is that personal data must be processed in a manner that includes taking appropriate security measures as regards risks that arise from processing personal data.

This is about the security of your processing. It means you must have appropriate security in place to take account of the risks of processing personal data. For example, to prevent the personal data you process from being accidentally or deliberately compromised.

This concerns the broad concept of information security, and applies to the processing you do and the environment in which you do it. In particular, you need to:

  • design and implement your measures to fit the context of the data you hold and the harm that may result from any incident;
  • be clear about who in your organisation is responsible for information security;
  • put in place physical and technical security measures to support robust policies and procedures, alongside well-trained staff; and
  • make sure you can detect and respond to a breach in a timely manner.

It is your responsibility to determine what these “appropriate security measures” are in the context of your processing and the risks it poses. You should take into account the sensitivity of the data and the consequences for the individual, or for the purpose for processing, of any loss, misuse or damage to the data. You should also consider the current state of the art security methods and techniques.

See What are our security obligations? for more detail on this.