Obligations
At a glance
- It is your responsibility to ensure compliance with the provisions of Part 4, and to be able to demonstrate this to the ICO.
- You must consider the impact of processing on individuals, and implement measures to ensure you comply with the principles and minimise the risks to the rights and freedoms of individuals.
- You must implement appropriate security measures.
- You must report serious personal data breaches to the ICO. A breach is serious if it seriously interferes with individuals’ rights and freedoms.
- You may only transfer personal data outside the UK if this is necessary and proportionate for your statutory functions or certain statutory purposes.
In brief
- What accountability obligations do controllers have?
- What obligations do processors have?
- What are our security obligations?
- What do we have to do if there is a personal data breach?
- What are the rules on international transfers?
What accountability obligations do controllers have?
If you are a controller, you have an obligation to ensure that your processing complies with the requirements of Part 4, and that you are able to demonstrate this to the ICO. The national security exemption does not apply to this obligation, so you must ensure that your processing remains compliant and that you are able to demonstrate this at all times. Although there is no legal requirement to appoint a Data Protection Officer (DPO) under Part 4, you may decide to appoint a member of staff with a similar role in order to assist you in ensuring and demonstrating compliance to the ICO.
You also have to implement the principles of data protection by design, by introducing measures to consider the impact of your processing on the rights and freedoms of individuals and minimise the risks to them. While there is no specific obligation to conduct a Data Protection Impact Assessment (DPIA) it is one good way to assess and demonstrate your compliance. The ICO has issued guidance about how you can undertake a DPIA under the UK GDPR, which may give you useful points to consider.
Two or more intelligence services can operate as joint controllers when they jointly determine the purposes and means of processing. In these cases, you are obliged to determine who is responsible for:
- the different aspects of the processing; and
- responding to individuals who are exercising their information rights under Part 4.
There may be working relationships between the intelligence services and Part 3 competent authorities (eg police counterterrorism units) or UK GDPR controllers. However, these cannot be joint controller relationships. This does not prevent other controllers working with the intelligence services. It just means that they will each operate as controllers independently for their own processing, not in a joint controller arrangement.
You may use processors to carry out processing of personal data on your behalf. You may only use a processor that implements sufficiently appropriate measures to ensure their processing complies with Part 4, and provides you with all the necessary information to demonstrate their compliance.
While there is no explicit requirement for a contract between you and a processor, the requirements mean that you need a clear agreement. This should set out not only the extent and limits of the processing, but also the measures they are taking to ensure compliance with Part 4.
What obligations do processors have?
As a processor you must undertake to the controller to:
- implement appropriate measures to ensure that processing complies with Part 4; and
- provide information to the controller to demonstrate compliance.
Processors do not have the same obligations or responsibility as controllers. However, if you are a processor, you do have some direct obligations of your own under Part 4:
- You may only process personal data on instructions from the controller, or to comply with a legal obligation that applies to you. Remember that if you process data to comply with your own legal obligations, you are a controller for this element of the processing and need to comply with the UK GDPR or Part 3 of the DPA, as appropriate.
- You must implement appropriate security measures.
- You must inform the controller without undue delay if you become aware of a personal data breach.
The ICO may take action against a processor who fails to comply with these obligations.
As a processor, you may not determine the purposes and means of the processing. If you act outside the controller’s instructions, the processing will be in breach of the DPA. You will be treated as the controller, and held responsible for that unlawful processing.
What are our security obligations?
Each controller and processor must implement security measures appropriate to the risks arising from that processing. Although this obligation applies to both, it is the controller’s responsibility to:
- satisfy yourself that any processors you engage are able to meet appropriate security standards; and
- set out clearly what security measures processors are required to adhere to.
When considering what’s appropriate, you should think about:
- the potential adverse consequences for an individual of any compromise;
- the nature and volume of the data you process;
- the degree of vulnerability in the processing environment;
- any need to restrict access to the data; and
- any requirements concerning long-term storage (eg any security or integrity issues brought about by the need to retain information).
These are not exhaustive examples. However, given that the purposes, in a national security context, are likely to be highly sensitive, and the data therefore is sensitive to loss, misuse or damage, it follows that appropriate security measures need to reflect this. You may need to maintain security at a much more rigorous level than for less sensitive purposes.
The measures you put in place should also take into account the:
- state of the art of available security techniques and methods – taking into account their suitability for the specific processing in question;
- likelihood and severity of the potential risks; and
- need for regular review and updating, where necessary.
Remember that putting in place appropriate security measures isn’t just about cyber-security or technical measures, which concern protecting network and information systems from attack. It also includes physical and organisational security measures that are appropriate in the context of your processing. These may include policies and procedures about administrative measures, vetting, access controls, training, codes of practice and disciplinary provisions.
You also need to ensure suitable provisions are set out and followed by any processors you use.
You must evaluate the risks for any form of automated processing (ie any processing done on automated systems, which is generally taken to mean IT systems). This applies both to you and to any processors working on your behalf. You and your processors have to implement measures designed to:
- prevent unauthorised processing or unauthorised interference with the systems used in connection with the processing;
- establish the precise details of the processing;
- ensure systems function properly and can be restored in the case of interruption; and
- ensure that stored data can’t be corrupted in the event of a malfunction of a system.
These measures could include:
- records management and logging processes that enable you to audit access to, and processing of, personal data;
- technical and organisational methods to verify the integrity of the data you hold, and ensure you can restore it;
- establishing specific security clearance levels for staff in terms of physical access as well as network and information systems, in accordance with the principle of least privilege; and
- protections for your network and information systems to prevent unauthorised access.
Further reading – ICO guidance
The ICO has also produced guidance on Security for controllers operating under the UK GDPR which provides further useful detail.
The ICO and NCSC have jointly produced guidance on security outcomes.
What do we have to do if there is a personal data breach?
Section 84(4) defines a personal data breach as:
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
A breach of your data security measures may be accidental, or intentional (eg a deliberate or malicious breach of security). A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach:
- whenever any personal data is lost, destroyed, corrupted or improperly disclosed;
- if someone accesses the data or passes it on without proper authorisation; or
- if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
Section 108 sets out obligations on controllers to notify the ICO of a “serious personal data breach” without undue delay. There isn’t a statutory obligation to report within 72 hours of becoming aware of it, but if notification doesn’t occur within that period, you’ll need to include an explanation for the delay when you do notify.
The requirement to notify a ‘serious’ personal data breach means that you need to notify the ICO of all breaches that are considered serious. This will require you to consider:
- the severity of the impact on the rights and freedoms of the affected individuals;
- the scale of the data breach (ie how many people are affected);
- the extent of any interference with the right to privacy under Article 8 of the European Convention on Human Rights (ECHR);
- whether the breach involves any personal data whose processing constitutes “sensitive processing”; and
- the nature of the rights and freedoms which have been impacted (eg a breach leading to a risk to the right to life under Article 2 ECHR would be particularly serious).
Consequences could be anything which seriously interferes with an individual’s rights and freedoms. It is for you to decide whether a personal data breach meets the threshold to be considered serious.
When you report a serious data breach, you need to include:
- a description of the nature of the breach, including where possible the categories and approximate number of affected individuals, and the categories and approximate number of records concerned;
- a contact point for the ICO to obtain more details (if you have appointed a DPO it is likely this will be their details);
- a description of the likely consequences of the breach; and
- your proposals to deal with or mitigate the effects of the breach (eg you should consider whether to notify the affected individuals of the breach).
You may not be able to provide all this information straight away, and you shouldn’t delay reporting a breach until you have collated all this information. Instead, you can provide the information in phases as soon as you have it. The ICO and the intelligence services have set out, in a Memorandum of Understanding (MoU), the process whereby data breaches will be reported, and arrangements for any subsequent investigation or regulatory action the ICO intends to take.
If a personal data breach is also a “relevant error” as defined at section 231(9) of the IPA 2016, you don’t have to report it to the ICO. Instead you need to follow the reporting requirements in the IPA 2016 and report the error to the Investigatory Powers Commissioner’s Office.
Processors have to notify the controller “without undue delay” if they become aware of a breach. This is not restricted to ‘serious’ breaches, as defined above. It is the responsibility of the controller to determine whether a breach meets the criteria to be designated as serious (and therefore, reportable to the ICO). Therefore the processor should report all breaches to you, so you can make this assessment. You should include this requirement in any agreement setting out the arrangements between controller and processor.
What are the rules on international transfers?
There are restrictions on the transfer of personal data to a country or territory outside the UK, or to an international organisation. A transfer of personal data is only permissible if the transfer is a necessary and proportionate measure carried out for:
- the purposes of the controller’s statutory functions; or
- other purposes in relation to the controller, provided for in section 2(2)(a) of the Security Services Act 1989, or section 2(2)(a) or 4(2)(a) of the Intelligence Services Act 1994.
You need to consider whether the transfer is necessary and proportionate for the purposes of your statutory functions. This means those functions set out in the governing legislation about the service’s wider role in safeguarding national security or tackling serious crime.
Part 4 provides no further specific safeguards for transferring personal data outside the UK (although the other requirements of Part 4 still apply). However, you are subject to other legislative restrictions under the various enactments which govern the work of the intelligence services, such as (but not restricted to) those referred to in the second bullet point above. These contain measures to ensure that personal data is obtained, shared and handled lawfully and responsibly. You should also consider the extent to which you may require additional security measures to protect transfers. If a transfer under section 109 were to lead to a breach of Part 4 of the DPA, the ICO has powers to investigate and take action.