National security exemption

Latest updates - 04 November 2025

04 November 2025 - We have updated this section of the guidance to reflect amendments from the Data (Use and Access) Act.

This guidance explains in detail the national security exemption under part 3 of the Data Protection Act 2018 (DPA). It is aimed at ‘competent authorities’ who process personal information for any of the law enforcement purposes.  

To help you understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.  

Legislative requirements  

Must refers to:  

  • legislative requirements within the ICO’s remit; or
  • established case law (for the laws that we regulate) that is binding.  

Good practice  

Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. We expect you to do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the law.  

Could refers to an option or example that you could consider to help you to comply effectively. There are likely to be various other ways you could comply.  

This approach only applies where indicated in our guidance. We will update other guidance in due course.  

At a glance  

  • Section 78A of the DPA provides an exemption for safeguarding national security. It can exempt personal information from most of the data protection principles and obligations, and people’s rights, where this is required. 
  • You may be able to apply this exemption if you process information under part 3 of the DPA. 
  • This is not a blanket exemption. You must be able to show that the exemption from specified data protection standards is required for the purposes of safeguarding national security. When deciding whether to use this exemption, we suggest you consider whether complying with part 3 of the DPA raises a real possibility of an adverse effect on national security. 
  • You can apply to a Minister of the Crown (specifically a member of the Cabinet, the Attorney General or the Advocate General for Scotland) to issue a certificate which covers your processing in relation to national security. You may rely on the certificate as conclusive evidence that the provision is a necessary and proportionate measure to protect national security.  
  • You must always show that your processing is lawful. You must always comply with your general accountability and governance obligations. 

Checklist for applying the national security exemption 

☐ We are a competent authority processing for law enforcement purposes under part 3 of the DPA. 

☐ We comply with the data protection principles, rights and obligations unless an exemption is required to safeguard national security. 

☐ We have a lawful basis for using personal information and comply with our documentation and other accountability obligations. 

☐ We can point to a clear link between compliance with a specific part 3 provision and a potential adverse effect on national security.  

☐ We do not apply the exemption in a blanket manner, but only to the extent required to protect national security.  

☐ We have considered whether a ministerial certificate applies in the circumstances. 

Does this guidance apply to us? 

This guidance applies to you if you’re a competent authority and you’re using personal information for law enforcement purposes that also relate to national security. 

The rules governing law enforcement processing are set out in part 3 of the DPA. 

Different provisions apply if you’re using personal information under the UK GDPR, or you’re not a competent authority.

The intelligence services (and processors acting on their behalf) are covered by a separate regime under part 4 of the DPA. 

What does national security cover? 

National security is not specifically defined and can be interpreted in a flexible way to adapt to changing threats. It is generally understood to cover the security and well-being of the UK as a whole, its population, and its institutions and system of government. For example, it can cover: 

  • protection against specific threats, such as from terrorists or hostile states; 
  • protection of potential targets even in the absence of specific threats; and 
  • international co-operation with other countries. 

What is the national security exemption? 

Section 78A of the DPA sets out a broad exemption from specified provisions if it is required to safeguard national security. 

If the exemption applies, it can exempt you from provisions including: 

  • any of the data protection principles (except lawfulness requirements and those relating to sensitive processing); 
  • any of the individual rights; 
  • notification of a personal data breach to the ICO; 
  • communication of a personal data breach to an affected person;  
  • some international transfer requirements; and 
  • some of the ICO’s functions and enforcement powers. 

You must always ensure that your processing is lawful and you must always comply with your accountability and governance obligations. 

How does the exemption work? 

Given the importance of national security, you can apply this exemption to a greater number of provisions than many other data protection exemptions. 

The exemption applies if it is “required” to safeguard national security. In this context, “required” means that using the exemption is ‘reasonably necessary’. This is linked to human rights standards. This means that you should ensure that any interference with privacy rights is necessary and proportionate in a democratic society to meet a pressing social need.

You should consider your use of the national security exemption on a case-by-case basis. It is not a blanket exemption, and national security does not automatically override individual rights. You should be able to show some link between complying with the specific provision in part 3 of the DPA and the need to safeguard national security, even if that link is indirect. If necessary, we expect you to be able to provide us with evidence about why you used this exemption. 

You don’t need to show that compliance would lead to a direct or immediate harm or threat. It is enough to show that there is a real possibility of an adverse effect on national security in a broader sense.  

You cannot use the exemption if the impact of compliance would be trivial or not linked to national security (eg to avoid embarrassment). Keep in mind that there may be circumstances where the adverse effect on a person could outweigh any trivial or hypothetical risk to national security. 

You should consider the actual threat to national security if you had to comply with a particular provision. It is not enough that the information is used for national security purposes.  

You should reasonably comply with a provision if you can without affecting national security. This is subject to any other exemptions that might apply in the specific circumstances. 

Further reading – ICO guidance 

The courts have considered a very similar exemption in the context of freedom of information requests. For more information, see our guidance on the FOI exemption for safeguarding national security.

What are the effects of the exemption on law enforcement processing? 

You can use the national security exemption if you can show that complying with the specified provision in part 3 of the DPA is incompatible with safeguarding national security. 

It can exempt you from complying with certain data protection principles.  You must still ensure that your processing is lawful.

You must comply with the additional requirements provided for in section 35 of the DPA, if you are carrying out sensitive processing. For more information on this, see the ‘principles’ section of the guide to law enforcement processing.

You may be permitted to restrict people’s data protection rights by applying the national security exemption. The effects vary depending on the different rights.  

In each instance, you can only apply the exemption where it is required to safeguard national security.  

You may not need to inform people who are exercising their right to rectification, or their right to erasure and the restriction of processing, that you have refused their request.

Under the right to be informed, people have the right to be given privacy information about how you are collecting and using their personal information. By applying the exemption, you may be able to withhold information about: 

  • the lawful basis for your processing; 
  • the length of time you’ll retain the information; 
  • the categories of any recipients of the information; and 
  • any other further information you may normally provide to enable people to exercise their right of access. 

You may be able to use the exemption under the right of access to withhold confirmation that you are processing personal information about a particular person. You can do this by providing a “neither confirm nor deny” (NCND) response. You should provide access to as much of the information as you can.  

You may need to do this even in a case where there is no direct impact on national security. This is to ensure that nothing can be inferred in other cases which might have more of an impact on national security. 

You don’t have to confirm that you’re relying on the exemption or give any details which allow a person to infer that you’re processing additional information. 

You can apply this type of NCND response as a general policy. However, you should be able to make a reasoned argument about using it, and demonstrate it to us, if required. You should still consider whether there are any special circumstances that mean you don’t need to rely on the general NCND policy in a particular case. 

Instead of an NCND response, you could also give a different form of non-committal response. There may be circumstances when it is not appropriate to inform a person that you’re relying on the national security exemption and you may wish to word your response appropriately. 

You must record the fact that you applied the exemption, and your reasons for applying it. You should be able to make a reasoned and convincing argument about its use. We may ask you for these arguments if we receive a complaint. You may base these on hypothetical scenarios, as long as they are realistic and credible.  

Remember that you can apply the exemption wholly or partly to the specified provision. You should avoid applying it wholly unless that is required to safeguard national security. You should be able to show that you’ve applied the exemption only as far as necessary. 

Example 

A police force receives a subject access request from a person who is a subject of a covert counter-terrorism investigation. It applies the national security exemption to restrict the person’s access to their personal information as this would risk harming the investigation.   

Before applying the exemption, the police considers whether the person’s rights or legitimate interests would be adversely affected. It determines that the person’s right of access would clearly be adversely affected. The police then considers whether applying the exemption to the person’s right to access their personal information is a necessary and proportionate measure. It takes into account the purpose for which it is seeking to apply the exemption, and the importance of the investigation in safeguarding national security. It decides that it is necessary and proportionate in the circumstances. 

The police does not inform the person that it has applied the exemption, or the reasons why, as doing so would harm the investigation and pose a risk to national security. However, it does inform them in general terms of their right to complain to the ICO or to apply to a court. 

The police records the fact that it has applied the exemption and the reasons why. It states that providing access could tip off the person about the investigation or provide them with an opportunity to evade or frustrate it. It also clearly sets out why it is a necessary and proportionate measure.

Once the investigation is complete, the police receives a new subject access request from the same person. It considers whether the application of the exemption is still necessary and also whether it could apply it fully or partially. It decides that it is still necessary to apply the exemption in full to protect confidential sources and other associated investigations. It again informs the person of their right to complain or apply to the court and updates its internal records to show that it has applied the exemption and the reasons why.  

What is a ministerial certificate? 

Section 79 of the DPA says that a Minister of the Crown (specifically, a member of the Cabinet, the Attorney General or the Advocate General for Scotland) can sign a certificate which is conclusive evidence that the exemption is required to safeguard national security. 

It is important to remember that you do not require a certificate in order to rely on the national security exemption. In most cases, you can determine for yourself whether applying the exemption is required to safeguard national security.  

The national security exemption and the ministerial certificate do different things. You may properly apply the national security exemption, with or without a ministerial certificate.  

Ministerial certificates are meant to give greater legal certainty that the national security exemption applies for certain uses of personal information. This is because the certificate further validates that an exemption is required to safeguard national security in the circumstances.

In this context, a ministerial certificate is admissible as conclusive evidence that an exemption from the specified provisions is required to safeguard national security.

These certificates can be issued in advance or retrospectively for an exemption applied by a competent authority. The personal information the certificate applies to may be identified in general terms.

We are required to publish details of all national security certificates that have been issued, including the text of the certificate where possible. However, there may be some cases where the text of the certificate is sensitive and we cannot publish it. In these cases, we publish the fact that a certificate was issued, the date it was signed, and which minister signed it.

If you consider that a certificate is required, you can apply to a Minister of the Crown to issue a national security certificate under section 79. If a relevant certificate is in place, you can rely on it to demonstrate that an exemption applies. 

Details of the application process are on the Home Office website and linked to from the National security certificate page of our website. You should still consider whether you need to apply an exemption or rely on the certificate in a particular case. You may need to check with relevant authorities whether you should rely on a certificate. Guidance on who to consult can also be found on the Home Office website.

A person directly affected by a certificate can appeal against it to the Upper Tribunal. The certificate may be quashed if the Tribunal considers that the minister did not have reasonable grounds for issuing it.

A person may also appeal to the Tribunal on the basis that the exemption the competent authority is relying on does not fall within the general description in the certificate.

Further reading

For more information on ministerial certificates, see the Guide to intelligence services processing exemptions.