The ICO exists to empower you through information.

At a glance

  • The intelligence services, and those processing personal data on their behalf, are not subject to the UK GDPR or the law enforcement provisions of the DPA.
  • Instead, they must comply with Part 4 of the DPA, which sets out a separate data protection regime for intelligence services processing.
  • A controller is defined as the intelligence service who determines how and why the data is processed. Processors process data on their behalf, but may share some accountability for the processing.
  • There are additional rules which apply to “sensitive processing” of some specified types of particularly sensitive data.
  • This guidance is only directly relevant to the intelligence services (and processors acting on their behalf). Other organisations processing for national security purposes must comply with either Part 3 of the DPA (if a competent authority), or the UK GDPR.

In brief

What is Part 4?

Part 4 of the DPA sets out a specific, tailored data protection regime for the intelligence services and their processors. This is separate from the general processing regime (UK GDPR) or the law enforcement processing regime (Part 3).

The data protection principles, standards and obligations provided for in Part 4 have been drafted to reflect and ensure consistency with the standards in the Council of Europe’s Modernised Convention on the Protection of Personal Data (Convention 108+). Convention 108+ has been signed by numerous countries worldwide, including the UK.

This guidance will help you to understand who Part 4 applies to, and how it is different to the UK GDPR or the law enforcement provisions.

Who is covered by Part 4?

Part 4 only applies to the three specified intelligence services:

  • the Security Service (MI5);
  • the Secret Intelligence Service (SIS); and
  • the Government Communications Headquarters (GCHQ).

These are collectively known as “the intelligence services”.

If you are one of these intelligence services, or a body which is part of these services such as the National Cyber Security Centre (which is part of GCHQ), then all processing of personal data you undertake is governed by Part 4 of the DPA.

Part 4 also covers processors acting on behalf of one of the intelligence services.

It covers processing of personal data for any purpose, by the intelligence services and those processing on their behalf.

What are controllers and processors?

The definitions of “controller” and “processor” are contained in section 83. A controller is defined as the intelligence service which determines the purpose and means of the processing. A processor is defined as a person (other than an employee) who processes personal data on behalf of the controller. These definitions are essentially the same as for the UK GDPR. For more information, see our UK GDPR guidance on identifying the controller. The obligations of controllers and processors are set out in sections 102-106.

Two or more intelligence services can operate as joint controllers when they jointly determine the purposes and means of processing. But please note that the intelligence services can only enter into a joint controller relationship with each other. Intelligence services cannot be in a joint controllership relationship with a controller which is not itself an intelligence service processing under Part 4.

If you are a processor acting on the instructions of one of the intelligence services, you need to comply with the processor obligations in Part 4. See ‘What obligations do processors have?

Example

A company processes payroll data for an intelligence service. They are a processor and must comply with processor obligations under Part 4 for that processing.

What about other key definitions?

You should refer to our general guidance for more information on what is personal data, and what constitutes processing, as these definitions also apply to Part 4. Most definitions used in Part 4 are the same as those used in the rest of the DPA. Section 84 sets out some specific definitions for “consent”; “employee”; “personal data breach”; “recipient”; and “restriction of processing”. However, these are very similar to the UK GDPR, and the Guide to the UK GDPR provides useful guidance on their meaning.

What is sensitive processing?

Sensitive processing is defined in section 86(7) of the DPA as:

(a) the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
(b) the processing of genetic data for the purpose of uniquely identifying an individual;
(c) the processing of biometric data, for the purpose of uniquely identifying an individual;
(d) the processing of data concerning health;
(e) the processing of data concerning an individual’s sex life or sexual orientation;
(f) the processing of personal data as to –

(i) the commission or alleged commission of an offence by an individual, or
(ii) proceedings for an offence committed or alleged to have been committed by an individual, the disposal of such proceedings or the sentence of a court in such proceedings.

“Genetic data” is personal data relating to the inherited or acquired genetic characteristics of a person. It gives unique information about the physiology or the health of that person and results, in particular, from an analysis of a biological sample from the individual in question.

“Biometric data” is personal data that is obtained through specific technical processing relating to physical, physiological or behavioural characteristics of a person. This processing enables you to identify a particular person, eg fingerprint data and facial recognition.

“Data concerning health" is personal data relating to the physical or mental health of an individual. This includes the provision of health care services, which reveals information about their health status. It can be about an individual’s past, current or future health status. It not only covers specific details of medical conditions, tests or treatment, but includes any related data which reveals anything about the state of someone’s health.

There are close similarities between the types of personal data listed in the Part 4 sensitive processing provisions, and the definitions of special category and criminal offence data under the UK GDPR. The ICO has produced guidance on these provisions under the UK GDPR which contains useful explanations of the definitions of what constitutes Special category and Criminal offence data.

Who is not covered by Part 4?

You are not subject to Part 4 and will need to comply with a different data protection regime if you are not:

  • one of the intelligence services; or
  • a processor processing for one of the intelligence services.

If you are a competent authority processing for national security purposes related to your law enforcement purposes, read our Guide to Law Enforcement Processing.

If you are not a competent authority or are not processing for law enforcement purposes, but you are processing for national security purposes, you should read our Guide to the UK GDPR. The usual UK GDPR rules apply, although the DPA provides an exemption where required for the purposes of safeguarding national security, or for defence purposes.