
United Kingdom Information Tribunal including the National Security Appeals Panel


Hitchens v Secretary Of State For The Home Department [2003] UKIT NSA5 (04 August 2003)
URL: http://www.bailii.org/uk/cases/UKIT/2003/NSA5.html
Cite as: [2003] UKIT NSA5



    IN THE INFORMATION TRIBUNAL
    (NATIONAL SECURITY APPEALS PANEL)
    BETWEEN
      PETER HITCHENS Appellant
      -AND-  
      SECRETARY OF STATE FOR THE HOME DEPARTMENT Respondent
    DECISION
  1. We were appointed members of the Data Protection Tribunal (now renamed the Information Tribunal) under section 6(4) of the Data Protection Act 1998 ("the Act") and designated by the Lord Chancellor to hear national security appeals pursuant to Schedule 6 paragraph 2(1). This appeal was brought by Peter Hitchens ("the Appellant") under section 28(4) of the Act.
  2. Jurisdiction
  3. The Security Service ("the Service") is a data controller who processes personal data within the scope of the Act. "Processes" includes "holds" (section 1(1)). Section 7 of the Act requires data controllers to respond to requests made by individuals for information as to whether their personal data are being processed (section 7(1)(a)) and, if they are, to have them described and communicated to them (section 7(1)(b-c)).
  4. By section 28, personal data are exempt from these, and other, provisions of the Act
  5. "if the exemption from that provision is required for the purpose of safeguarding national security" (section 28(1)).
  6. When a data controller fails to comply with a request made in accordance with the Act, the individual may apply to the Court for an order that he shall comply with the request (section 7(9)). An application to the Court, in a case where the data controller relies upon the national security exemption, is regulated by further provisions of section 28. By section 28(2),
  7. "a certificate signed by a Minister of the Crown certifying that exemption ……… is or at any time was required for the purpose there mentioned in respect of any personal data shall be conclusive evidence of that fact".
  8. An individual who is "directly affected" by the Minister's Certificate may challenge it by appealing to this panel of the Information Tribunal, under section 28(4) of the Act. The powers of the Tribunal on such an appeal are set out in section 28(5) –
  9. "(5) If on an appeal under subsection (4), the Tribunal finds that, applying the principles applied by the court on an application for judicial review, the Minister did not have reasonable grounds for issuing the certificate, the Tribunal may allow the appeal and quash the certificate."
  10. A second branch of the jurisdiction of the Tribunal in national security cases, under section 28(6) of the Act, is not relevant to its jurisdiction in this appeal.
  11. Background
  12. By its Decision in Baker v Secretary of State for the Home Department (1 October 2001, reported in [2001] UKHRR 1275), the Tribunal quashed a Certificate issued by the Respondent dated 22 July 2000 relating to personal data processed by the Security Service.
  13. The Respondent issued a revised form of Certificate relating to personal data processed by the Service, dated 10 December 2001 (hereinafter "the Certificate").
  14. The Appellant challenges the validity of the Certificate by this appeal under section 28(4) of the Act (paragraph 5 above).
  15. Facts
  16. By letter dated 16 January 2002 the Appellant made a formal request "under the Data Protection Act 1998, Section Seven, to a) ask if the Security Service processes data about me and b) to ask to see such data as soon as may be arranged".
  17. The Service replied by letter dated 24 January 2002 enclosing an Application Form, which the Appellant completed and returned on 1 February 2002. He stated that he was born on 28 October 1951 and gave his place of birth (Sliema, Malta GC) and his current and previous addresses, as required by the Form. In response to the question –
  18. "DESCRIPTION OF THE DATA THAT YOU BELIEVE WE MAY HOLD ON YOU"
    he replied –
    "1970 – 1975 ACTIVITY AS MEMBER OF THE INTERNATIONAL SOCIALISTS, MAINLY IN YORK 1970-73".
  19. The Service replied by letter dated 03 April 2002 that it holds no data about the Appellant in any of the three categories which it has notified to the Information Commissioner (these are staff administration, building security CCTV and commercial agreements), and continued "3. Any other personal data held by the Security Service is exempt from the notification and subject access provisions of [the Act] to the extent that such exemption is required for the purposes of safeguarding national security, as provided for in section 28(1) of the Act. It has been determined that the Security Service holds no personal data to which you are entitled to have access. This response should not be taken to imply that the Security Service does or does not hold any data about you."
  20. This was a form of the non-committal NCND ("neither confirm nor deny") response, the validity of which, in appropriate cases, was not challenged in the Baker appeal, nor is it challenged by the Appellant in this appeal (see paragraph 33 below).
  21. The letter concluded "Yours sincerely ……………..For Data Controller" and was subscribed only by a manuscript "squiggle" which could not be described as a signature.
  22. The Appeal
  23. The Appellant gave notice of appeal by letter dated 19 June 2002. He is a journalist, and his grounds of appeal should be quoted in full –
  24. "My request was for files held on my activities as an extreme left-wing student in the early 1970s, mainly while I was at the University of York between 1970 and 1973. As it happens I think it would have been quite legitimate for the Security Service to keep an eye on the organisation to which I then belonged, a Marxist grouplet called the International Socialists. I already have a fair idea who its informants were in our organisation, and have no intention of disclosing their identity or publicising it. My aim is purely to know what, if anything, is in these records, mainly because I feel I am entitled to know the details of such records as a matter of natural justice. Since I am no longer a revolutionary Marxist, and the politics of this country have been utterly transformed in the intervening period, and it is most unlikely that any individual mentioned in these files still holds a sensitive position of any kind, I can see no argument for withholding these files from me. I would, if asked, be quite happy to co-operate with the Security Service to ensure that no sensitive information was accidentally disclosed. Their response, however, is simple blank refusal …… covered by the meaningless and hard-to-justify claim that this is "safeguarding national security".
    I think the Security Service needs to do better than this to justify secrecy over files almost 30 years old concerning my own youthful follies and their attempts to monitor them."
  25. The Respondent's Notice included "A. Summary of circumstances relating to the issue of the certificate and the reasons for doing so" and a copy of the Certificate dated 10 December 2001. Also annexed was the document referenced DPA/S28/TSS/2- REASONS referred to in the Certificate, paragraph 2. The Respondent's grounds were stated as follows –
  26. "11. The Appellant challenges the "neither confirm nor deny" policy itself. The Security Service's exemption from section 7(1)(a) of [the Act] exists in order to allow it to operate that policy. The reasonableness and lawfulness in general of the "neither confirm nor deny" policy, and the lawfulness in general of a certificate permitting the operation of that policy, was upheld in [Baker v SSHD]. This point is a mere attempt to reargue this.
  27. Further or in the alternative, the Respondent submits that he had reasonable grounds for issuing the certificate, which are outlined in the Reasons Document (Annex C)."
  28. The Appellant wrote to the Tribunal Secretary amplifying his grounds of appeal, by letter dated 10 September 2002. He made three main points –
  29. (1) the letter from the Service to him dated 3 April 2002 was in almost identical terms to those of the letter to Norman Baker MP dated 11 August 2000. "Spot the difference. One letter was written BEFORE the quashing of the Home Secretary's certificate dated July 22, 2000…….the second was written AFTER that decision….we might expect to see a substantive difference in the Security Service's response to request made before and after this event. However, the two letters merely say the same thing in a different way." The only difference was that the Service claimed, in the letter to him, to have given individual consideration to his particular request, not relying merely on a blanket exemption as it had done in the earlier case;
    (2) his individual circumstances are such that there can be no possible damage to national security in either acknowledging the existence of any files held on him, or stating that no files exist, or in letting him examine those files under certain conditions; and
    (3) he has strong anecdotal reasons to believe that some such files do exist.
  30. The Respondent informed the Tribunal that he did not intend to lodge any Amended response to this letter.
  31. The Certificate and Reasons
  32. These documents are annexed to this Decision. Passages of particular relevance to the parties' submissions can be summarised as follows –
  33. Certificate
    Personal data processing in performance of the functions of the Security Service described in Section 1 of the Security Service Act 1989 as amended by the Security Service Act 1990 is exempted from inter alia section 7 of the Act, "all for the purpose of safeguarding national security, provided that: "(i) no data shall be exempt from the provisions of section 7(1)(a) …… if the Security Service, after considering any request by a data subject for access to relevant personal data, determines that adherence to the principle of neither confirming nor denying whether the Security Service holds data about an individual is not required for the purpose of safeguarding national security; (ii) no data shall be exempt from the provisions of section 7(1)(b) (c) or (d) …..if the Security Service, after considering any request by a data subject for access to relevant personal data, determines that non-communication of such data or any description of such data is not required for the purpose of safeguarding national security."
    The exemption does not include the fourth data protection principle ("Personal data shall be accurate and, where necessary, kept up to date" – Schedule 1 part 1 para. 4 of the Act).
    The Reasons
    The Reasons are summarised in the Certificate, as follows –
    "2.1 The work of the security and intelligence agencies of the Crown requires secrecy.
    2.2 The general principle of neither confirming nor denying whether the Security Service possesses data about an individual …………… is an essential part of that secrecy.
    2.3 In dealing with subject access requests under [the Act], the Security Service will examine each individual request to determine: (i) whether adherence to that general principle is required for the purpose of safeguarding national security; and (ii) in the event that such adherence is not required, whether to and to what extent the non-communication of any data or any description of data is required for the purpose of safeguarding national security.
    2.4 ………………………………………………………………………"
    The Reasons also include the following –
    "5. The need for and use of the "neither confirm nor deny" policy
    5.1 ……….Put simply, the policy is a way to preserve the secrecy described above by giving a vague and non-committal answer.
    5.3 ……….To ask whether the Security Service holds personal data on an individual often amounts to asking whether there is or has been an investigation.
    5.4 ……….By logical extension, the policy must apply even if no investigation has taken place. If the Security Service said when it did not hold information on a particular person, inevitably over time those on whom it did not hold information would be able incrementally to deduce that fact……………
    5.5 If individuals intent on damaging national security could confirm that they were not the subjects of interest to the Security Service, then they could undertake their activities with increased confidence and vigour…………
    5.6 Conversely, confirmation to individuals that they are subjects of interest may create or fuel suspicions that associates of theirs are assisting the Security Service……."
    6. The safeguards and statutory controls that exist on the activities of the Security Service
    6.1.1 Legal constraints placed on the Security Service and its work ….. by Parliament through:
    iii The Regulation of Investigatory Powers Act 2000. This law governs the interception of communications, the carrying out of surveillance and the use of "covert human intelligence sources" eg undercover officers or agents.
    6.1.9 The Regulation of Investigatory Powers Act 2000 also set up the Investigatory Powers Tribunal……
    7. Non-Data-Protection-Act Remedies
    7.1 Anyone who feels aggrieved by anything which he or she believes the Security Service has done in relation to them or their property may complain to the independent Investigatory Powers Tribunal………………There is no bar to what Tribunal members can see when looking into a complaint………………"
    8. The test that should be used to balance the need to safeguard national security and purposes of the Data Protection Act 1998
    8.2…….the Home Secretary has balanced the need to safeguard national security against the purposes and entitlements conferred by the DPA……………….."
    Evidence
  34. The Respondent relied on (1) a Witness Statement by A J Tester, a civil servant of the Home Office; he produced a Witness Statement, with enclosures, that he made in connection with the Baker appeal, and confirmed that the Security Service asked the Home Secretary to sign a new certificate "whose terms took account of that decision": and (2) two statements by an unnamed Security Service witness, who described the operational duties and needs of the Service and justified the "neither confirm nor deny" policy adopted by it. He also produced evidence of corresponding laws and practices in other jurisdictions.
  35. Public Hearing
  36. The hearing of the appeal took place on Tuesday 4 March 2003. At the Appellant's request, and with the Respondent's consent, the Tribunal directed that the hearing should take place in public, pursuant to rule 23(1) of The Data Protection Tribunal (National Security Appeals) Rules 2000. An application by the Appellant that he should have leave to tape record the hearing was refused, but Court Reporters produced a transcript in the usual way.
    Submissions
  37. The Appellant spoke to a written Submission in which he amplified the argument set out in his appeal letter (paragraph 16 above). He stated that his object was to view, under whatever conditions were regarded as sensible, the Security Service files relating to him when he was at University, files which he was certain existed. He was an extreme left-wing student and would be disappointed if he was not under surveillance at that time. Even the identities of the officers and agents involved were fairly obvious, and he approved of what they were doing. He challenged the Respondent to explain how the national security could be imperilled, today, by confirming to him that a 30-year old file recording his activities then does exist.
  38. He referred to a recent newspaper report that Cabinet documents were released on 1 January 2003 under the "30-year rule" which stated that the Prime Minister in 1972, Edward Heath, asked the Security Service to "spy on school agitators" at a time when certain persons were suspected of fomenting student unrest; one of the suspected persons was named in the report. If this could be published now, he asked, how could the national security be harmed by revealing whether he was under surveillance, as he believed that he was, at about the same time?
  39. He added that his political outlook now is diametrically different from the Marxist views he held at University. "There is no continuity………..I'm a conservative journalist, not a student Marxist."
  40. As for the Respondent's arguments that responding to his request might reveal methods of surveillance which ought to be kept secret in the interest of national security, he answered in terms of a dilemma: either the methods were traditional and timeless, so that no harm could result from revealing what they were, or they were technical, in which case the techniques must certainly be outdated.
  41. He related his own position to that of his contemporaries who occupy high offices of state in the present government, and he referred to questions asked in Parliament as to whether the Security Service has records of surveillance carried out on them about thirty years ago.
  42. He recognised that the issue for this Tribunal is whether the Respondent's Certificate is valid, but he contended that the Security Service could not be relied upon to exercise the power delegated to it by the Respondent reasonably. His case demonstrated, he submitted, that the position is no different under the new (10.12.01) Certificate from what it was under its predecessor, which the Tribunal quashed in Baker. For the same reasons, this Certificate ought to be quashed also.
  43. Mr Robin Tam, counsel for the Respondent, reminded us that we were concerned only with the validity of the Certificate, not with its application or operation in the individual case. He submitted that the Appellant's complaints should be taken to the Investigatory Powers Tribunal which, as the Respondent had accepted in correspondence following the Gosling appeal, has jurisdiction to entertain them.
  44. Members of the Tribunal referred to the fact that when broad discretionary powers are delegated it is often the case that rules or guidelines are established which are binding on the delegatee. This tends to promote greater transparency and permits a more effective review of his decisions. Mr Tam submitted that it would not be possible to lay down guidelines based on the age of a file, and that detailed criteria are unnecessary and would be inappropriate. Certain guidelines have been agreed, it appears, between the Service and the Public Records Office regarding the destruction of records which the Service no longer requires, but in the present context the test of harm to national security "is precise enough and one cannot really do much more than that".
  45. He further submitted that, as the Service is the relevant data controller, delegating the responsibility for responding to the requests for information to him was in accordance with the requirements of the Act, and he returned to his principal submission, that any complaint about individual decisions made by the Service should properly be taken to the IPT.
  46. In summary, the Service is in the best position to judge what national security requires, and the correct approach in law is to entrust decisions of this sort to them: Rehman v SSHD [2001] 3 WLR 877. Mr Tam also referred us to the decision of Mr Justice David in Ewing (20 December 2002 unreported).
  47. In reply, the Appellant submitted (1) that it had not been suggested to him previously that he should take his complaint to the IPT; (2) he does not challenge the policy of NCND replies generally, but only its application to the present case where the relevant events, as he sees them, took place 30 years ago, they are no longer of any political relevance, and there are no grounds for suggesting that he has done anything since then which might call for surveillance by the Service; and (3) that the release of Cabinet papers (paragraph 24 above) was inconsistent with the Service's reliance on the national security exemption in the present case.
  48. We are grateful both to the Appellant and to Mr Tam for their concise and helpful submissions.
  49. Discussion
  50. Mr Tam is correct in his submission that the jurisdiction of the Tribunal under section 28(4) of the Act is limited to determining whether the respondent had reasonable grounds for issuing the Certificate dated 10 December 2001. We are not directly concerned with the issue whether the Security Services' response to the Appellant's request was justified in this particular case.
  51. This does not mean, however, that the facts of the case are not relevant to the issue under section 28(4). The Appellant's underlying submission is that a certificate which enables the Security Services to invoke "national security" in a case where that claim is manifestly unreasonable and excessive, as he says that it is in his case, cannot be said to have been issued on reasonable grounds. The result, he says, is absurd, and the Certificate which permits it must be regarded as unreasonable.
  52. We can focus this submission on the situation which arises when the national security exemption is relied upon in relation to a request under section 7(1)(a) of the Act, and the NCND reply is given. Among the Respondent's published Reasons is the following broad statement –
  53. "If the Security Service said when it did not hold information on a particular person inevitably over time those on whom it did hold information would be able incrementally to deduce that fact." (paragraph 5.4).
  54. The Reasons also confirm that this approach is used to justify a non-committal answer, except when the fact that the Services hold relevant data has already been published, or when the Services themselves are willing to acknowledge it –
  55. "5.7 There are circumstances when the neither confirm nor deny policy is not used. Usually when it has been officially confirmed that the Security Service had undertaken an investigation, for example when a terrorist has been prosecuted, or when the interests of national security require a disclosure."
  56. The Appellant therefore is justified in his comment that in practice the revised form of Certificate is likely to have exactly the same effect as the original form which the Tribunal quashed in Baker. Although the revised form requires an exercise of discretion by the Security Services in every case, it permits the NCND reply even in a case where a definite response to a particular request would not itself be directly harmful to national security, because of the possible inference that might then be drawn in other cases where the NCND reply was given.
  57. We find it difficult to accept that the NCND reply can always be justified on this ground, because as a matter of common sense it may be thought that there are some cases where a definite response would not enable any inference to be drawn in other cases. The Appellant's case at first sight could be an example of this, if his belief that he cannot have been the subject of surveillance or data processing by the Secret Services during the past thirty years is correct. But even this example shows how readily an inference might be drawn. If he and a university contemporary both made requests under section 7(1)(a) for records which, if they exist, are more than thirty years old, a NCND reply in one case but not the other might suggest that more recent data are held in that case alone. This would be so, even if NCND replies were given in both cases regarding more recent data.
  58. However, despite our intuitive view, we have not been able to formulate any definition of those cases, possibly rare, where a definite reply could be given, as a general rule, without a potential risk to national security by reason of inferences which might be drawn in other cases. It seems inevitable that the decision in individual cases must be left to the Security Services themselves. The question is whether the Respondent had reasonable grounds for issuing the Certificate in a form which leaves the assessment of "national security" entirely to them.
  59. It has not been argued in this or in the related appeal by Tony Gosling that the Respondent was required by the Act to make this decision himself in every case, or to put it another way, that he was not entitled to delegate the power of decision making to the data controller concerned, though Mr Gosling came close to this when he submitted that it ought not to be delegated to the Security Services, who become 'judge and jury in their own cause'. He contended that the decision should be entrusted to some "independent adjudicator", whom understandably he could not identify more precisely. But we remind ourselves that we have to interpret and apply the Act as it stands, and it is no part of our function to consider what other and possibly better scheme Parliament might have established.
  60. On the other hand, we also reject Mr Tam's submission that delegating the power to decide whether an exemption applies to the data controller is consistent with other provisions of the Act, specifically section 7(4). There, the data controller's decision is subject to review by the Court (section 7(9)). The issue raised by this appeal is whether the Respondent had reasonable grounds for delegating the power to the Security Services when they were the data controller in question, and there is no corresponding provision for an appeal or review.
  61. This leads to the question whether, if the Certificate is valid, such decisions made by the Security Services are subject to control and supervision under the Act. This Tribunal has no power to review individual cases under section 28(4) (paragraph 35 above). Its jurisdiction under section 28(6) is not relevant where a NCND reply is given to a request under section 7(1)(a) of the Act, because by definition no personal data are identified. An application to the Court under section 28(9) would be met by the Certificate, which would stand as conclusive evidence under section 28(2). The only possible course for the applicant would be to bring proceedings against the Security Services for judicial review of their decision in the particular case. It seems unlikely that Parliament intended this in a case where national security considerations arise, having regard to the fact that this Tribunal was created for such cases under section 28. However, the limited scope of section 28 may have that possibly unintended effect.
  62. It is in these circumstances that the Respondent places much reliance on the fact that the Security Services are subject to supervision and control by state agencies and bodies other than the Courts. He refers in particular to the Investigatory Powers Tribunal ("IPT") established by the Regulation of Investigatory Powers Act 2000. For the reasons given in our Decision in Mr Gosling's appeal, we hold that –
  63. (1) the jurisdiction of the IPT is defined widely enough to include a complaint that the Security Services were not justified in claiming that a NCND response was necessary to safeguard national security in the particular case (though we are doubtful whether Parliament intended that it should routinely decide matters of this sort); and
    (2) delegating to the Security Services the power of deciding these issues of national security is lawful and consistent with decisions of English and European Courts.
    Relevant pages of the Gosling Appeal Decision are attached hereto as Annex A.
  64. The Tribunal has also considered whether the Certificate ought reasonably to include express restrictions on the exercise of the power delegated to officials in the Security Service. Among the possibilities are –
  65. (1) express guidelines as to what factors are relevant and should be taken into account by the decision-maker;
    (2) a requirement that the decision shall be made by an official of certain seniority;
    (3) the Certificate might contain an expanded definition of "national security"; and
    (4) the Certificate might be worded so that there is a presumption against using the NCND reply, rather than expressing it as a proviso to an instruction that generally does apply.
  66. We do not regard either (2) or (3) as practicable or useful, and in relation to (3) we should add that we have been unable to find any judicial definition of "national security", even in those cases where the Courts have considered the extent of their powers to review executive decisions of that kind. Nor do we consider that (4) would be likely to have more than a cosmetic effect, though that alone may be regarded as a worthwhile improvement if the Certificate is re-issued at some future date.
  67. As regards (1), we are aware of the corresponding Certificate dated 8 December 2001 issued by the Secretary of State for Foreign and Commonwealth Affairs, in respect of the SIS and GCHQ. That Certificate was accompanied not only by a statement of the Minister's Reasons, as here, but also by a document headed "GCHQ Arrangements" which, as we understand the position, is in the public domain. This document sets out clearly both the Minister's policy in relation to requests made under section 7 of the Act and the procedure to be followed by GCHQ when responding to them. These further instructions, in our view, are certainly desirable, but the question we have to consider in this appeal is whether the Respondent acted unreasonably in issuing the Certificate unaccompanied by an "Arrangements" document of that sort. We have concluded that he did not. It seems to us that, in the context of Security Service operations, such guidelines to be useful would have to be reasonably specific, yet they would have to cover a wide range of possible situations where a decision was required. We have noted above the difficulty of attempting to define "national security" more precisely, and the "GCHQ Arrangements" document does not attempt to do this. Moreover, there would be no means of ensuring that guidelines were complied with, except by complaining to the IPT or (possibly) applying to the Court for judicial review. (Such application could be refused on the ground that the IPT provides a sufficient safeguard against abuse).
    Conclusions
  68. We conclude that the Respondent had reasonable grounds for issuing the Certificate dated 10 December 2001. Our primary reason is that an unjustified claim to give a NCND response or to withhold personal data on national security grounds can be made the subject of a complaint to the Investigatory Powers Tribunal under the Regulation of Investigatory Powers Act 2000.
  69. We have jurisdiction to rule on whether a NCND response by the Security Services given in accordance with the Certificate was justified in any particular case. The Data Protection Act, in our view, does not provide any means of challenging the Security Services' decision, either before this Tribunal or before the Courts. It appears to us that the appropriate statutory method of challenging the Security Services' decision in an individual case is by making a complaint to the Investigatory Powers Tribunal.
  70. The appeal therefore is dismissed.
  71. Further Comment
  72. In this case, as in Gosling, the Appellant rightly complains that the letter of response from the Security Services was effectively unsigned. It was subscribed by a "squiggle" which does not identify the writer and which cannot, in our view, be regarded as a signature.
  73. This unfortunate factor does not appear to be relevant to the present appeal, but it should not go unrecorded.
  74. (Signed)
    Sir Anthony Evans (President)
    James Goudie Q.C.
    Kenneth Parker Q.C.
    Dated 4 August 2003
    Annex A
    Gosling v Secretary of State for the Home Department
    (pages 14-25)
    (a) Delegation to the Security Services.
  75. Mr. Tam pressed the following argument upon us. He submitted that the Service was best placed, through its experience and expertise, to make the relevant decisions. It is true that the courts in the United Kingdom have traditionally accorded a high degree of deference to the executive on matters affecting national security, the high water mark perhaps being the Zamora [1916] 2 AC 77, where Lord Parker said:
  76. "Those who are responsible for the national security must be the sole judge of what the national security requires. It would be obviously undesirable that such matters should be made the subject of evidence in a court of law or otherwise discussed in public"
  77. The Zamora was cited in Council of Civil Service Unions v Minister for the Civil Service [1985] 1 AC 374 ("CCSU") where Lord Scarman put the matter as follows:-
  78. "The point of principle in the appeal is as to the duty of the court when in proceedings properly brought before it a question arises as to what is required in the interest of national security. The question may arise in ordinary litigation between private persons as to their private rights and obligations: and it can arise, as in this case, in proceedings for judicial review of a decision by a public authority. The question can take one of several forms. It may be a question of fact which Parliament has left to the court to determine: see for an example section 10 of the Contempt of Court Act 1981. It may arise for consideration as a factor in the exercise of an executive discretionary power. But, however it arises, it is a matter to be considered by the court in the circumstances and context of the case. Though there are limits dictated by law and common sense which the court must observe in dealing with the question, the court does not abdicate its judicial function. If the question arises as a factor to be considered in reviewing the exercise of discretionary power, evidence is also needed so that the court may determine whether it should intervene to correct excess or abuse of the power …
    My Lords, I conclude, therefore, that where a question as to the interest of national security arises in judicial proceedings the court has to act on evidence. In some cases a judge or jury is required by law to be satisfied that the interest is proved to exist: in others, the interest is a factor to be considered in the review of the exercise of an executive discretionary power. Once the factual basis is established by evidence so that the court is satisfied that the interest of national security is a relevant factor to be considered in the determination of the case, the court will accept the opinion of the Crown or its responsible officer as to what is required to meet it, unless it is possible to show that the opinion was one which no reasonable minister advising the Crown could in the circumstances reasonably have held. There is no abdication of the judicial function, but there is a common sense limitation recognised by the judges as to what is justiciable: and the limitation is entirely consistent with the general development of the modern case law of judicial review." (404 EG, 406 GH – 407A)
  79. In CCSU Lord Diplock stated his view trenchantly:
  80. "National security is the responsibility of the executive government, what action is needed to protect its interests is, as the cases cited by my learned friend, Lord Roskill, establish and common sense itself dictates, a matter upon which those upon whom the responsibility rests, and not the courts of justice, must have the last word. It is par excellence a non-justiciable question. The judicial process is totally inept to deal with the sort of problems which it involves" (at 412 EF); see also Lord Fraser at 410G – 403B; Lord Roskill at 420B – 421G.
  81. The reluctance of the courts to "second guess" the executive when questions of national security have been in issue has been a feature in more recent cases. In R v. Secretary of State for the Home Department, ex parte Cheblak [1991] 1 WLR 890 the applicant challenged a notice of intended deportation given by the Home Secretary on the grounds that his deportation "would be conducive to the public good for reasons of national security". The Home Office stated that the applicant's known links with an organisation which it was believed could take terrorist action against Western targets in support of the Iraqi regime made his presence in the United Kingdom an unacceptable security risk; and an affidavit sworn on behalf of the Home Secretary stated that further details could not be disclosed because it would be an unacceptable risk to national security to do so.
  82. Lord Donaldson MR, in rejecting the application, said:
  83. "… the exercise of the jurisdiction of the courts in cases involving national security is necessarily restricted, not by an unwillingness to act in protection of the rights of individuals or any lack of independence of the Executive, but by the nature of the subject matter. National security is the exclusive responsibility of the Executive and, as Lord Diplock said in CCSU: "It is par excellence a non-justiciable question"" (at 902 gh); see also Beldam L.J. at 912d ("the statement that to give further information might jeopardize national security is one that the court is bound to accept") and Nolan L.J. at 916b ("the practical result … is that the Secretary of State acting in good faith, is effectively protected not only from the risk of appeal, but from the risk of a writ of habeas corpus").
  84. Similarly, in R v. Secretary of State for the Home Department ex p. Chahal [1995] 1 WLR 526 the Home Secretary served a deportation notice on the applicant which stated that for reasons of a political nature, namely the international fight against terrorism, his continued presence in the United Kingdom would not be conducive to the public good. During the course of his judgment Staughton L.J. said:
  85. "But we cannot determine whether the Secretary of State was right, after the report of the advisory panel, to reach those conclusions. Nor can we review the evidence. That was explained by Dillon L.J. in NHS v. Secretary of State for the Home Department [1998] Imm AR 389 at 395 and by Geoffrey Lane L.J. in R v. Secretary of State for the Home Department ex p. Hosenball [1977] 1 WLR 766 at 783. We have to accept that the evidence justifies those conclusions" (at 531 ef) and later: "… we do not have the evidence on which the Secretary of State considers him a risk to national security, for the reasons already indicated. So we cannot balance the threat [sc. to the applicant's life] on the one hand against the risk on the other" (at 535 d); cf Neill L.J. at 543 d ("the court has the right to scrutinise a claim that a person should be deported in the interests of national security but in practice this scrutiny may be defective or incomplete if all the relevant facts are not before the Court") and at 545 b ("on the facts of this case the grounds of national security relied on by the Secretary of State cannot be challenged").
  86. In a somewhat different context in R v. Secretary of State for the Home Department, ex parte McQuillan [1995] 4 All ER 400 the applicant challenged exclusion orders against him under section 5 of the Prevention of Terrorism (Temporary Provisions) Act 1989 prohibiting him from being in or entering Great Britain on the ground that he was or had been involved in acts of terrorism. An assistant secretary of the Home Office deposed that it was not possible for the applicant, nor was it ever possible for any person against whom such an order was made, to be informed in greater detail of the reasons why the order had been made. Sedley J. was clearly troubled by the lack of judicial control but felt constrained by authority to hold that national security was sufficient to preclude any inquiry by the court into the rationality of the decision and the decision had to be accepted by the court without further scrutiny.
  87. This traditional approach of the United Kingdom courts has not, however, met complete approval from the European Court of Human Rights or the Court of Justice of the European Union. Chahal (see paragraph 38 above) found its way to Strasbourg (Chahal v. United Kingdom (1997) 23 EHRR 413), and the European Court of Human Rights found a violation of Article 5(4) of the Convention. The Court recalled that because national security was involved, the domestic courts were not in a position to review whether the decisions to detain the applicant and to keep him in detention were justified on national security grounds (paragraph 130). In an important passage the Court said:
  88. "The Court recognises that the use of confidential material may be unavoidable where national security is at stake. This does not mean, however, that the national authorities can be free from effective control by the domestic courts whenever they choose to assert that national security and terrorism are involved. The court attaches significance to the fact that … in Canada a more effective form of judicial control has been developed in cases of this type. This example illustrates that there are techniques which can be employed which both accommodate legitimate security concerns about the nature and sources of intelligence information and yet accord the individual a substantial measure of procedural justice" (paragraph 131, our emphasis).
  89. The Court repeated this formulation in Tinnelly & Sons Ltd v. United Kingdom (1999) 27 EHRR 249 where the applicant alleged unlawful religious discrimination in the allocation of a public contract and was met by a conclusive ministerial certificate under section 42 of the Fair Employment (Northern Ireland) Act 1976 that the decision not to grant the applicant the contract in question was an act done for the purpose of safeguarding national security or the protection of public safety or order.
  90. The Court in Tinnelly continued as follows:
  91. "The introduction of a procedure, regardless of the framework used, which would allow an adjudicator or tribunal fully satisfying the Article 6(1) requirements of independence and impartiality to examine in complete cognizance of all relevant evidence, documentary or other, the merits of the submissions of both sides, may indeed serve to enhance public confidence. The Court observes in addition that McCollum J. [the judge in Northern Ireland] was unable under the present arrangements to dispel his own doubts about certain disturbing features of the Tinnelly case since he, like Tinnelly and the Fair Employment Agency, was precluded from having cognizance of all relevant material in the possession of NIE, the respondent in the proceedings instituted by Tinnelly under the 1976 Act. This situation cannot be said to be conducive to public confidence in the administration of justice" (paragraph 78).
  92. In European Community law the most notable case remains Johnston v. Chief Constable of the Royal Ulster Constabulary (Case 222/84) [1986] ECR 1651 where the applicant, a former woman member of the RUC Reserve, alleged unlawful sexual discrimination and was met by a conclusive ministerial certificate that the act of refusing to offer the applicant further employment in the RUC Reserve was done for the purpose of safeguarding national security and protecting public safety and public order. As to the certificate, the Court of Justice held:
  93. "19. By virtue of Art 6 of Directive 76/207 [the equal treatment Directive], interpreted in the light of the general principle stated above, all persons have the right to obtain an effective remedy in a competent court against measures which they consider to be contrary to the principle of equal treatment for men and women laid down in the directive. It is for the member states to ensure effective judicial control as regards compliance with the applicable provisions of Community law and of national legislation intended to give effect to the rights for which the directive provides.
    20. A provision which, like Art 53(2) of the 1976 order, requires a certificate such as the one in question in the present case to be treated as conclusive evidence that the conditions for derogating from the principle of equal treatment are fulfilled allows the competent authority to deprive an individual of the possibility of asserting by judicial process the rights conferred by the directive. Such a provision is therefore contrary to the principle of effective judicial control laid down in Art 6 of the directive" (see also R v. Secretary of State for the Home Department, ex parte Gallagher [1996] 1 CMLR 557, in contrast to McQuillan above).
  94. We are fully conscious of the different contexts in which Chahal, Tinnelly and Johnston were decided. Chahal concerned the right not to be unlawfully detained in custody, and Tinnelly and Johnston concerned the right not to be discriminated against on sexual or religious grounds. However, we discern in the European jurisprudence a broader principle to the effect that claims to national security should, save perhaps in the most exceptional and extreme circumstances, be subject to some process of independent scrutiny, even if that process cannot perforce be as intense as might be expected in other situations, and even if a high degree of deference must continue properly to be accorded to the judgment of the executive, particularly to those within the executive who have long experience and unrivalled expertise in what is arguably the most delicate function of government. This principle is underpinned by the need in a modern democratic society to give fair and proportionate weight to the protected rights or interests of individuals (whether in freedom of person, rights against impermissible discrimination or rights to private life), even in situations where issues of national security are in play; and the principle is also supported by the aim of promoting public confidence in the results that are produced by the chosen procedures.
  95. We observe also that Parliament responded to Chahal by enacting the Special Immigration Appeals Commission Act 1997 which established the Special Immigration Appeals Commission with jurisdiction in cases where the Home Secretary decides to deport a person in the public interest and on national security grounds. The working of the Special Immigration Appeals Commission shows that a form of independent scrutiny is feasible even in relation to national security.
  96. It might be objected that any independent checking of the application to a particular case of the certificate which we are considering could lead to such an intense scrutiny that it would itself be detrimental to national security. We do not find such an objection convincing, particularly in the light of the authoritative guidance recently given by the House of Lords on the role appropriate to an independent body assessing claims to national security: Secretary of State for the Home Department v. Rehman [2001] 3 WLR 877.
  97. In the words of Lord Hoffmann:
  98. "This brings me to the limitations in the appellate process. First, the commission is not the primary decision-maker. Not only is the decision entrusted to the Home Secretary but he also has the advantage of a wide range of advice from people with day-to-day involvement in security matters which the commission, despite its specialist membership, cannot match. Secondly, as I have just been saying, the question at issue in this case does not involve a Yes or No answer as to whether it is more likely than not that someone has done something but an evaluation of risk. In such questions an appellate body traditionally allows a considerable margin to the primary decision-maker. Even if the appellate body prefers a different view, it should not ordinarily interfere with a case in which it considers that the view of the Home Secretary is one which could reasonably be entertained. Such restraint may not be necessary in relation to every issue which the commission has to decide … But I think it is required in relation to the question of whether a deportation is in the interests of national security …
    The need for restraint flows from a commonsense recognition of the nature of the issue and the differences in the decision-making process and responsibilities of the Home Secretary and the commission" (at 896). See also Lord Slynn at 886; Lord Steyn at 889, and the application of these principles in A v. Secretary of State for the Home Department (2003) 2 WLR 564, especially per Lord Woolf CJ at para. 40 and Brooke L.J. at paras. 66-81.
  99. In the light of the European jurisprudence to which we have referred, and the Parliamentary response to Chahal, we have serious doubts whether Parliament could have intended that the Service itself would exclusively, without any form of independent scrutiny, determine the application to particular cases of the NCND policy in the kind of circumstances that we have described at paras 30 and 31 above. That doubt is strengthened when we bear in mind the powerful European dimension to the Act which we explained in Baker (see, in particular, paragraphs 50-64): the Act gives effect to the European Community Data Protection Directive, made by the European Parliament and the Council on 24 October 1995, and that Directive in turn gives substance and amplifies inter alia the rights recognised in Art 8 (respect for private life) of the 1950 Convention, now of course given further effect to in UK law by the Human Rights Act 1998.
  100. (b) The Investigatory Powers Tribunal
  101. During the course of his submissions Mr. Tam referred to the powers of the Investigatory Powers Tribunal (established under section 65 of the Regulation of Investigatory Powers Act 2000, "RIPA"). The Investigatory Powers Tribunal deals with a wide range of complaints that may be made about the exercise of powers under RIPA. Tribunals of this kind were previously established under the Interception of Communications Act 1985, the Security Service Act 1989 and the Intelligence Services Act 1994. These different tribunals are now combined into a single tribunal, with Lord Justice Mummery as its current president. The tribunal is the appropriate forum for dealing with complaints concerned with "conduct" by the intelligence services which relate to the complainant, his or her property or his or her communications.
  102. In the light of our concerns in respect of the exclusive decision-making power conferred on the Service by the provisos in the certificate, we asked Mr. Tam whether the respondent accepted that the Investigatory Powers Tribunal had jurisdiction to consider any complaint which an individual might wish to make about the giving to him by the Service of an NCND response to a data subject access request made by him. At the hearing Mr. Tam was unable either to confirm or deny whether the respondent did so accept. However, in a subsequent note he made clear the position of the respondent, as follows:-
  103. "The Investigatory Powers Tribunal does have jurisdiction to consider any such complaint. Depending on the terms of the complaint to the Investigatory Powers Tribunal, such jurisdiction will arise under one or other, or both, of the following provisions:-
    (a) section 65(2)(b) and 65(4) of the 2000 Act, in that the giving of an NCND response by the Security Service is conduct in relation to that person, and the Tribunal has jurisdiction to consider a complaint by that person if he is aggrieved by such conduct; and
    (b) section 65(2)(a) of the 2000 Act, in that the giving of an NCND response by the Security Service is an act of a public authority which would be unlawful under section 6(1) of the Human Rights Act 1998 if it is incompatible with a Convention right, and the Tribunal is the only appropriate forum in which a person who claims to be a victim of any unlawful act may bring proceedings against the Security Service to make such a claim."
  104. Jurisdiction cannot, of course, be conferred on the Investigatory Powers Tribunal by agreement or by concession made by the Security Services, let alone the respondent to this appeal. We must, therefore, reach a view as to whether Mr. Tam's interpretation of section 65 on behalf of the respondent is sustainable.
  105. Looking at section 65(5)(a), it would appear at first sight that the unqualified expression "conduct" is wide enough to include conduct of the Security Services in handling requests for personal data under the Act, particularly as section 65(5)(b) – (c) continue by describing more specifically types of conduct that are subject to earlier provisions of RIPA. However, applying general principles of statutory interpretation "conduct" has to be interpreted in the light of the purposes of RIPA. These purposes are accurately set out in the long title as:
  106. "To make provision for and about the interception of communications, the acquisition and disclosure of data relating to communications, the carrying out of surveillance, the use of covert human intelligence sources and the acquisition of the means by which electronic data protected by encryption or passwords may be decrypted or accessed …"
  107. This description would suggest that "conduct" for the purpose of RIPA has a narrower scope and relates to the matters specifically regulated by RIPA. The "surveillance" falling within Part II of RIPA and hence caught by section 65(5)(b) would appear not to include all forms of surveillance; and it may be that the expression "conduct" in section 65(5)(a) is simply intended to ensure that all forms of surveillance may be made the subject of complaint and of adjudication by the Investigatory Powers Tribunal. On this view, "conduct" in this respect must relate to activities of "surveillance".
  108. However, even if this narrower construction of "conduct" were correct, and quite apart from the other activities included in the long title, "surveillance" – a matter falling within the scope of RIPA, as the long title shows – is itself fairly widely described in section 48(2) as including:
  109. "(a) monitoring, observing or listening to persons, their movements, their conversations or their other activities or communications;
    (b) recording anything monitored, observed or listened to in the course of surveillance;" (our emphasis)
  110. A person seeking personal information from the Security Services could well do so either to discover in the first instance whether he had been the subject of "surveillance", as broadly understood; or, if he believed that he had been the subject of such surveillance, to discover what had been recorded about him. An NCND answer to a request would, therefore, appear, even if somewhat indirectly, to touch on conduct relating to surveillance; and, even on a narrow construction of "conduct", the giving of an NCND response would appear to fall within section 65(5)(a). Furthermore, a person confronted with a NCND response may well be in a position to frame proceedings against the Security Services that the action is not compatible with, for example, Article 8 of the Convention. Such proceedings would then fall within section 65(2)(a).
  111. Therefore we conclude that the Investigatory Powers Tribunal does have the jurisdiction which Mr. Tam accepted. Furthermore, we believe that the Investigatory Powers Tribunal is the body best placed to determine any specific complaint that the Service has applied the provisos to the certificate in a manner that is manifestly unjustified. That Tribunal is presided over by a distinguished senior judge and has the appropriate expertise to investigate a complaint of this nature. In terms of the European jurisprudence to which we have referred, the Tribunal is independent and has the authority to call for evidence and explanation even in matters affecting national security, within the guidelines now laid down by the House of Lords in Rehman. However, we reiterate that, in the absence of the jurisdiction now conceded by the respondent, we would have had reservations as to whether the procedure contemplated by the provisos to the certificate accorded with the important principle which we have discerned from the European jurisprudence and which we believe is applicable to the present statutory context.
  112. (b) Re: Ewing
  113. For the sake of completion we should add that Mr. Tam drew our attention to Re: Terence Patrick Ewing (judgment of 20 December 2002, unreported) in which Davis J., in the context of an application to the High Court by a "vexatious litigant" for leave to appeal to this Tribunal, concluded that there were no arguable grounds for holding that the certificate of 10 December 2001 was unlawful (see, in particular, paragraphs 60-65). The applicant in that case did not advance the point that has concerned us in this appeal, and Davis J. was not therefore called upon to deal with it. We believe, therefore, that we should deal fully with the point, as we have done, rather than treating ourselves as bound by the conclusion that he reached in the absence of submissions on the relevant issue.
  114. For these reasons, we dismiss the appeal.
  115. Annex B
    Certificate and 'Reasons Document' issued by the Secretary of State
    for the Home Department on 10 December 2001
    ANNEX A
    Certificate reference:- DPA/s28/TSS/2
    SECTION 28 DATA PROTECTION ACT 1998
    ______________________________________________
    CERTIFICATE OF THE SECRETARY OF STATE
    ______________________________________________
    1. Whereas:
    (i) by section 28(1) of the Data Protection Act 1998 ("the Act") it is provided that personal data are exempt from any of the provisions of:-
    (a) the data protection principles;
    (b) Parts II, III and V; and
    (c) section 55
    of the Act if the exemption from that provision is required for the purpose of safeguarding national security;
    (ii) by subsection 28(2) it is provided that a certificate signed by a Minister of the Crown certifying that the exemption from all or any of the provisions mentioned in subsection 28(1) is or at any time was required for the purpose there mentioned in respect of any personal data shall be conclusive evidence of that fact;
    (iii) by subsection 28(3), it is provided that a certificate under subsection 28(2) may identify the personal data to which it applies by means of a general description and may be expressed to have prospective effect.
    2. And considering the potentially serious adverse repercussions for the national security of the United Kingdom if the exemptions hereafter identified were not available. And for the reasons set out in document referenced DPA/S28/TSS/2-REASONS, in summary that:
    2.1 The work of the security and intelligence agencies of the Crown requires secrecy.
    2.2 The general principle of neither confirming nor denying whether the Security Service processes data about an individual, or whether others are processing personal data for, on behalf of, with a view to assist or in relation to the functions of the Security Service, is an essential part of that secrecy.
    2.3 In dealing with subject access requests under the Data Protection Act 1998, the Security Service will examine each individual request to determine:
    i) whether adherence to that general principle is required for the purpose of safeguarding national security; and
    ii) in the event that such adherence is not required, whether and to what extent the non-communication of any data or any description of data is required for the purpose of safeguarding national security.
    2.4 The very nature of the work of the Security Service requires exemption on national security grounds from those parts of the Act that would prevent it, for example, passing data outside the European Economic Area and that would allow access to the Security Service's premises by third parties.
    3. Now, therefore, I, the Right Honourable David Blunkett MP, being a Minister of the Crown who is a member of the Cabinet, in exercise of the powers conferred by the said section 28(2) do issue this certificate and certify as follows:-
    3.1 that any personal data that are processed by the Security Service as described in Column 1 of Part A in the table below are and shall continue to be required to be exempt from those provisions of the Act that are set out in Column 2 of Part A;
    3.2 that any personal data that are processed by any other person or body (in circumstances where that data processing comprises or includes the retention or disclosure of data by that other person or body for or to the Security Service) in the course of data processing operations carried out for, on behalf of or at the request of the Security Service or in relation to the functions of the Security Service of the Security Service Act 1989 as described in Column 1 of Part B in the table below are and shall continue to be exempt from those provisions of the Act that are set out in Column 2 of Part B;
    3.3 that any personal data that are processed by any other person or body (other than a government department, agency or non-departmental public body) in the course of data processing operations following the data's disclosure to that person or body by the Security Service in accordance with section 2(2)(a) of the Security Service Act 1989 as described in Column 1 of Part B in the table below are and shall continue to be exempt from those provisions of the Act that are set out in Column 2 of Part B;
    3.4 that any personal data that are processed by the Security Service for the purposes set out in Column 1 of Part C in the table below are and shall continue to be required to be exempt from those provisions of the Act that are set out in Column 2 of Part C below; and
    3.5 that any personal data that are processed by the Security Service as described in Column 1 of Part D of the table below are and shall continue to be required to be exempt from those provisions of the Act that are set out in Column 2 of Part D below
    all for the purpose of safeguarding national security, provided that:
    (i) no data shall be exempt from the provisions of section 7(1)(a) of the Data Protection Act 1998 if the Security Service, after considering any request by a data subject for access to relevant personal data, determines that adherence to the principle of neither confirming nor denying whether the Security Service holds data about an individual is not required for the purpose of safeguarding national security;
    (ii) no data shall be exempt from the provisions of section 7(1)(b), (c) or (d) of the Data Protection Act 1998 if the Security Service, after considering any request by a data subject for access to relevant personal data, determines that non-communication of such data or any description of such data is not required for the purpose of safeguarding national security.
    4. This certificate gives notice that I require the Security Service, by virtue of my authority arising from s1(1) of the Security Service Act 1989, to report to me on the operation of the exemptions described in this certificate.
    PART A
    Column 1:
    Personal Data Processing In Performance Of The Functions Of The Security Service Described In Section 1 Of The Security Service Act 1989 As Amended By The Security Service Act 1996, Including Recruitment Of Staff Of The Security Service And Assisting With The Recruitment Of Staff Of The Secret Intelligence Service And GCHQ And Vetting Of The Security Service's Candidates, Staff, Contractors, Agents And Others In Accordance With The Government's Vetting Policy
    Column 2:
    (i) Sections 7(1), 7(8), 10, 12 of Part II;
    (ii) Section 16(1)(c), 16(1)(d), 16(1)(e), 16(1)(f), 17, 21, 22, and 24 of Part III;
    (iii) Part V;
    (iv) the first data protection principle;
    (v) the second data protection principle;
    (vi) the sixth data protection principle to the extent necessary to be consistent with the exemptions contained in this certificate; and
    (vi) the eighth data protection principle.
    Part B
    Column 1:
    Personal data processing for, on behalf of or at the request of the Security Service or in relation to the functions of the Security Service described in section 1 of the Security Service Act 1989 as amended by the Security Service Act 1996 or following the data's disclosure to that person or body by the Security Service in accordance with section 2(2)(a) of the Security Service Act 1989, including recruitment of staff of the Security Service and assisting with the recruitment of staff of the Secret Intelligence Service and GCHQ and vetting of the Security Service's candidates, staff, contractors, agents and others in accordance with the government's vetting policy
    Column 2:
    (i) Sections 7(1), 7(8), 10, 12 of Part II;
    (ii) Section 16(1)(c), 16(1)(d), 16(1)(e), 16(1)(f), 17, 21, 22, and 24 of Part III to the extent that those provisions require any reference to the Security Service or data processing operations carried out by or in support of the Security Service or in consequence of a lawful disclosure by the Security Service;
    (iii) Part V;
    (iv) section 55;
    (v) the first data protection principle;
    (vi) the second data protection principle; and
    (vii) the sixth data protection principle to the extent necessary to be consistent with the exemptions contained in this certificate.
    Part C
    Column 1:
    1. Personal data processed by the Security Service for the purposes of administration of human resources (including data relating to former members of staff but excluding the contents of the filing system containing confidential data as described in Part D of this table) and staff pay, tax and national insurance contributions
    2. Personal data processed by the Security Service for the purposes of maintaining CCTV coverage of Thames House, 12 Millbank, London in relation to the security and integrity of the buildi
    3. Personal data processed by the Security Service for the purpose of commercial agreements (whether concluded or otherwise) or other arrangements with 3rd parties, in relation to which the Security Service supplies goods or services or under which the Security Service receives goods or services, whether the goods or services are supplied or received under those agreements, arrangements or otherwise (and to the extent that the data do not comprise data to which Parts A or B of this certificate apply
    Column 2:
    1. Sections 16 (1) (f), 47 and 50 and Schedule 9.
    2. Sections 47 and 50 and Schedule 9.
    3. Sections 16 (1) (f), 47 and 50 and Schedule 9
    Part D
    Column 1:
    Personal data processed by the Security Service for the purpose of maintaining and consulting a filing system containing confidential data about current and former members of its staff, the purpose of which is to provide personnel officers and managers with information considered necessary to make informed decisions as to the suitability of individuals for any task, appointment, posting or any other matter, with particular regard to the security implications of those decisions
    Column 2:
    (i) Sections 7(1), 7(8), 10, 12 of Part II;
    (ii) Section 16(c), 16(e), 16(f), 17, 21, 22, and 24 of Part III;
    (iii) Part V; and
    (iv) The eighth data protection principle
    [as signed]……………………………………………..
    The Right Hon. David Blunkett, MP ……………………………………
    Dated
    I confirm that the Home Secretary approved this certificate and it was signed with his personal stamp.
    Name …………………….
    Signed …………………….
    Dated …………………….
    Annex C
    Document Reference DPA/S28/TSS/2-REASONS
    REASONS FOR THE HOME SECRETARY SIGNING THE DATA PROTECTION ACT 1998 s28 (NATIONAL SECURITY) EXEMPTION CERTIFICATE COVERING PERSONAL DATA PROCESSED BY THE SECURITY SERVICE – REFERENCE DPA/S28/TSS/2
    1. Introduction
    1.1 . The section 28 certificate, document reference DPA/S28/TSS/2, was signed by the Home Secretary following a request made to him by the Security Service. This document explains the reasons he did so. It is made public to allay concerns that anyone may have about the use by the Security Service of the data protection national security exemption that exists under section 28 of the Data Protection Act 1998.
    1.2 . Before signing the certificate the Home Secretary considered the following factors:
    i. The Data Protection Act 1998 (DPA), its national security exemptions, and role of the National Security Panel of the Information Tribunal (the "Tribunal").
    ii. The functions of the Security Service and its primary role in the protection of national security.
    iii. Why secrecy is essential to the work of the Security Service and the damage or potential damage that can be done to national security when secrecy is compromised.
    iv. The need and use of the neither-confirm-nor-deny policy.
    v. The Tribunal determination in the appeal by Norman Baker MP against a s28 certificate signed by the previous Home Secretary covering personal data that the Security Service may have processed.
    vi. The safeguards and statutory controls that exist on the activities of the Security Service.
    vii. The non-DPA remedies open to anyone who feels aggrieved by anything which he or she believes the Service has done in relation to them or their property.
    viii. The test that should be used to balance the need to safeguard national security and purposes of the DPA.
    ix. The form and scope of the certificate.
    x. The checks, procedures and reporting obligations placed on the Security Service as conditions of their use of the certificate.
    xi. Other points on the Security Service's need for use of exemptions under the Data Protection Act 1998.
    These factors are explained below.
    1.3 . While this document gives as full as possible account of the reasons why the Home Secretary signed the certificate, it must be remembered that there are other considerations not set out here. These considerations arise from the Home Secretary's personal detailed knowledge of the secret work of the Security Service. Obviously, these considerations cannot be made public.
    1.4 . This document focuses on the use of the national security exemption from the entitlement of an individual, under section 7 of the DPA, to be told by a data controller whether or not that data controller holds personal data on that individual and, if held, provide information on the data being held. Almost inevitably, a subject access request will be the first step for anyone concerned by the possibility of the Security Service processing personal data on them. The Security Service is seen to be a data controller.
    2. The Data Protection Act 1998, its national security exemptions, and role of the Tribunal
    2.1 . The Data Protection Act 1998 (DPA) came into force on 1 March 2000. The DPA made new provisions for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.
    2.2 . Section 7 of the DPA created a general entitlement for an individual to ask and be told by anyone who decides on purposes of processing personal data whether personal data on them is being processed, which includes being held, and if it is, be told certain information about that data. The entitlement to ask and be told in this way is known as "subject access". The main rationale for subject access is so an individual can satisfy himself or herself as to what, if any, personal data is being processed about them, that any processing is done for a proper purpose, that the data is accurate, and to whom the data may be disclosed. If dissatisfied with the outcome of their request, the individual can then take corrective action.
    2.3 . The DPA recognises that there are certain circumstances when it would be inappropriate to comply with certain of the DPA's provisions, and so provides several exemptions. One, at DPA section 28, exempts personal data from a number of provisions, including those of subject access, if the exemption is required for the purpose of safeguarding national security.
    2.4 . DPA section 28 also provides that a Cabinet Minister may sign a certificate as conclusive evidence of the need for the use of the national security exemption. The certificate may identify the personal data to which it applies by means of a general description and may cover personal data processed after the date the certificate came into effect. Such a certificate will channel appeals against that certificate or its coverage to the National Security Panel of the Information Tribunal (the Tribunal) for consideration and determination.
    2.5 . The Tribunal considers appeals against a section 28 certificate by applying the principles used by the court on a judicial review. If the Tribunal determines the Minister did not have reasonable grounds for issuing the certificate or the actions in issuing the certificate were not proportionate for the purpose, the Tribunal may quash the certificate.
    3. The functions of the Security Service and its primary role in the protection of national security.
    3.1 . The functions of the Security Service are set down in law – the Security Service Acts 1989 and 1996. It has three functions: protect national security, safeguard the economic wellbeing of the United Kingdom against threats posed outside of the British Islands, and - following the 1996 Act – support law enforcement agencies in the prevention and detection of serious crime. The 1996 Act defines such crime. The 1989 Act places the Security Service under the authority of the Secretary of State.
    3.2 . A booklet – MI5, The Security Service – explains in some detail the work of the Security Service. As the Service's Director General summarised in his introduction to the booklet, the Security Service's tasks are both to investigate and to counter covertly organised threats to the UK such as terrorism and espionage. The booklet explains that the Government decided that the Service should use its know-how, gained from their national security work, in support of law enforcement agencies in combating serious crime. This led to the 1996 Act. The booklet is available from the HMSO. Similar information is also available on the Security Service's Internet web site. The address is: http://www.securityservice.gov.uk.
    3.3 . The work of the Security Service is vital in safeguarding the national security of the United Kingdom. Intelligence successes relating to national security can, and have:
    • Saved the lives of British nationals and other persons;
    • Prevented the spread of weapons of mass destruction;
    • Thwarted those who would overthrow or undermine the United Kingdom's parliamentary democracy through terrorism and other means; and
    • Countered the actions of foreign powers intent on damaging the interests of the country.
    3.4 . Members of the Security Service have no powers to question or arrest anyone, or demand entry into premises or demand to search anyone or anything. They are not like police or customs officers.
    4. Why secrecy is essential to the work of the Security Service and damage and potential damage that can be done to national security when secrecy is compromised.
    4.1 . Secrecy is essential to the work of the Security Service. Many individuals who cooperate with the Service – such as agents – only do so under guarantee of complete confidentiality and anonymity. If their identity became known not only would it jeopardise the work in hand and their future co-operation but also it would put them at personal risk. Such a risk is not fanciful, as a large part of the Security Service's work comprises the investigation of terrorists. Clearly, the same risks apply to members of the Security Service itself.
    4.2 . Secrecy is also essential because the Security Service undertakes investigations covertly. The Service's effectiveness lies in its ability to obtain and exploit secret intelligence, which those under investigation may go to some lengths to keep hidden. As well as the use of agents mentioned above, sources of secret intelligence include:
    a. the interception of communications,
    b. eavesdropping, and
    c. surveillance.
    Clearly, such techniques lose much if not all of their effectiveness if it is known when and how they are used.
    4.3 . So, if an individual were to become aware that they were subject to a Security Service investigation, they could not only take steps to thwart it but also attempt to discover, and perhaps reveal, the methods of investigation used, or the identities of the Security Service officers, or agents involved in such methods of investigation. Compromise of methods or personnel affects both the individual investigation and potentially all other such investigations as the risk of deploying such methods and personnel is increased. Similarly, increased knowledge of methods of investigation deployed by the Security Service, and other agencies, would greatly assist those such as terrorists, spies, and serious criminals in planning their activities, so as to reduce the likelihood of detection or interference.
    4.4 . Ultimately, the undermining of the effectiveness of the Security Service could result in the loss of, or a reduction in, the deterrence of those who may be tempted to damage national security. In addition, it could also result in the loss of, or a reduction in, the reputation of the Security Service itself. This could lead to a reduction in the co-operation that the Security Service actively receives from individuals and organisations both at home and abroad and also to an impairment of the ability of the Security Service itself to recruit staff. Anything that weakens the effectiveness of the Security Service weakens the UK's ability to safeguard national security.
    5. The need for and use of the "neither confirm nor deny" policy.
    5.1 . It has been the policy of successive governments neither to confirm nor to deny suggestions put to them on the work of the intelligence and security agencies including the Security Service. Put simply, the policy is a way to preserve the secrecy described above by giving a vague and non-committal answer.
    5.2 . The need for such a policy and Parliament's acceptance of this is reflected in legislation. Such legislation includes the Security Service Act 1989, which places a duty on the Director General to ensure that no information is disclosed by the Service except so far as necessary for the proper discharge of its functions. It also includes the Official Secrets Acts 1911 to 1989. The 1989 Act makes it unlawful for a member of the Security Service to make any unauthorised disclosure of information held by virtue of their work, or make any such disclosure purporting to be on such information or one intended to be taken as such. It also includes the predecessor to the current Data Protection Act, namely the Data Protection Act 1984. The Code of Practice on Access to Government Information, Second Edition 1997, gives "information whose disclosure would harm national security" as a category of information that is exempt from the provisions of the Code.
    5.3 . The Government applies the policy to Security Service investigations and to suggestions of whether a particular individual or group is or has been under investigation. To ask whether the Security Service holds personal data on an individual often amounts to asking whether there is or has been an investigation.
    5.4 . By logical extension, the policy must apply even if no investigation has taken place. If the Security Service said when it did not hold information on a particular person, inevitably over time those on whom it did hold information would be able incrementally to deduce that fact. Not least because they would not receive the same assurance given to others.
    5.5 . If individuals intent on damaging national security could confirm that they were not subjects of interest to the Security Service, then they could undertake their activities with increased confidence and vigour. Another complexity would be the handling of cases where the Service had confirmed no interest in an individual or group but subsequently it took an interest. Would the Security Service be obliged to tell the earlier enquirer that the circumstances had changed? In any event, the response to repeat requests would reveal the change in circumstances. In either case, damage is done not only in the way described in section 4, but also the timing of the change would be helpful to those under investigation. For example, a terrorist may work out what he or she had done at that time to give themselves away. If so, they, and others they told, could avoid such actions in the future - ultimately, this would help them in carrying out their acts of terror.
    5.6 . Conversely, confirmation to individuals that they are subjects of interest may create or fuel suspicions that associates of theirs are assisting the Security Service. The consequences of this could be harm to those who are in fact providing assistance, harm to those wrongly suspected of such assistance; and eventually in either case harm to the work of the Security Service in that the potential of personal harm to such persons would act as a strong deterrent to anyone assisting the Security Service, both in the investigation in question and in any other.
    5.7 . There are circumstances when the neither confirm nor deny policy is not used. Usually when it has been officially confirmed that the Security Service had undertaken an investigation, for example when a terrorist had been prosecuted, or when the interests of national security require a disclosure.
    6. The safeguards and statutory controls that exist on the activities of the Security Service.
    6.1 . By their very nature, the Security Service's covert investigations are intrusive into the privacy of individuals. For this reason, there are a number of constraints, oversight arrangements and safeguards placed on the Security Service. These include:
    6.1 .1. Legal constraints placed on the Security Service and its work, or its Director General, by Parliament through:
    i. the Security Service Acts 1989 and 1996,
    ii. the Intelligence Services Act 1994, and
    iii. the Regulation of Investigatory Powers Act 2000. This law governs the interception of communications, the carrying out of surveillance and the use of "covert human intelligence sources", eg undercover officers or agents.
    6.1 .2. Oversight by the Home Secretary. This in turn includes:
    i. regular meetings with the Director General;
    ii. visits to Thames House to talk with staff there;
    iii. advice from officials who are in daily contact with the Security Service;
    iv. personal authorisation of warranted activity under the Regulation of Investigatory Powers Act 2000, and Intelligence Services Act 1994;
    v. scrutiny of the Director-General's statutory Annual Report;
    vi. scrutiny of the Security Service Annual Performance and Priority Report;
    vii. calling for other reports where necessary;
    viii. giving evidence to the Intelligence and Security Committee, considering their reports, and participating in Commons' debates on their reports;
    ix. scrutiny of the reports of the independent Interception and Intelligence Services Commissioners who see everything relevant to their function.
    6.1 .3. Oversight by the Intelligence and Security Committee. This is an independent committee of members of both Houses of Parliament established under the Intelligence Services Act 1994. Its terms of reference are the same as most parliamentary departmental select committees. The Committee has its own Investigator who can look into and expand on the detail of evidence given to the Committee.
    6.1 .4. Oversight by the independent Intelligence Services Commissioner. This role was created by the Regulation of Investigatory Powers Act 2000 and combines the previous roles of the Security Service Act Commissioner and the Intelligence Services Act Commissioner. The Commissioner must hold or have held a high judicial office. As stated above, the Commissioner sees all information relevant to his or her functions.
    6.1 .5. Oversight by the independent Interception Commissioner. The Regulation of Investigatory Powers Act 2000 created this role although there had been a previous Commissioner under the Interception of Communications Act 1985. The Commissioner must hold or have held a high judicial office. He or she too sees all information relevant to his or her functions.
    6.1 .6. The Security Service's performance, plans and priorities are subject to external scrutiny by a senior Whitehall Committee known as JIC (the Joint Intelligence Committee). The resultant report is subject to approval by senior Ministers.
    6.1 .7. Oversight, in financial matters, by the National Audit Office.
    6.1 .8. Significantly in the context of data protection, the Security Service Act 1989 places duties on the Security Service's Director General concerning the obtaining and disclosure of information. The Director General must "ensure that arrangements are in place for securing that no information is obtained by the Service except so far as necessary for the proper discharge of its functions or disclosed by it except so far as necessary for that purpose or for the purpose of preventing or detecting serious crime".
    6.1 .9. The Regulation of Investigatory Powers Act 2000 also set up the Investigatory Powers Tribunal. This is described below.
    7. Non-Data-Protection-Act Remedies
    7.1 . Anyone who feels aggrieved by anything which he or she believes the Security Service has done in relation to them or their property may complain to the independent Investigatory Powers Tribunal. The Tribunal will also hear claims relating to the Security Service under the Human Rights Act. Created under the Regulation of Investigatory Powers Act 2000, the Tribunal replaces the earlier Security Service Tribunal. Members of the Tribunal must qualify as lawyers. A duty to co-operate with the Tribunal is placed on everyone holding office under the Crown – this includes all members of the Security Service. There is no bar to what Tribunal members can see when looking into a complaint. If the Tribunal upholds the complaint, it can award compensation or make any other order that it sees fit. The address of the Tribunal is: PO Box 33220, LONDON SW1H 9ZQ.
    8. The test that should be used to balance the need to safeguard national security and purposes of the Data Protection Act 1998.
    8.1 . The DPA section 28 states "personal data are exempt … if the exemption … is required for the purpose for safeguarding national security". However, the term national security is not defined. Both domestic and European courts have accepted that the Government has significant discretion in what constitutes national security. In addition, when considering safeguarding national security the courts have accepted [1] that it is proper to take a precautionary approach. That is, it is not necessary only to consider circumstances where actual harm has or will occur to national security, but also to consider preventing harm occurring and avoiding the risk of harm occurring.
    8.2 . Even so, the Home Secretary has balanced the need to safeguard national security against the purposes and entitlements conferred by the DPA. The risk to national security through the compromise of the work of the Security Service has been covered above. This was balanced against the factors below:
    i. the consequences of an individual not knowing whether the Security Service processes personal data on them arising from a covert investigation;
    ii. if processed, an individual not knowing the purpose why it is processed;
    iii. if processed, an individual not knowing whether the data is accurate;
    iv. if processed, to whom the data may be disclosed;
    v. the consequences of, for practical purposes, denying an individual of the opportunity to challenge the purpose for processing, the accuracy of data and opportunity to challenge to whom the data may be disclosed;
    vi. the consequences to national security of the individual not correcting inaccurate personal data on him or her; and
    vii. the consequences of the Information Commissioner or the courts not having a role in examining the use of the national security exemption in regard to DPA provisions.
    8.3 . In weighing the above factors, the Home Secretary took account of legal constraints and controls placed on the Security Service, the lack of Security Service executive powers and that their investigations in all but rare cases are kept secret.
    9. The form and scope of the certificate.
    9.1 . The certificate has taken account of the determination of the National Security Panel of the Information Tribunal in the appeal by Norman Baker MP against the previous certificate signed on behalf of the Security Service.
    9.2 . As expressly permitted by the DPA, the certificate identifies personal data by general description and it covers personal data processed after the date the certificate came into effect. A general description certificate reflects the primary function of the Security Service, set out in law, to protect national security. Otherwise, an individual certificate would be required for every appeal against the Security Service's use of the national security exemption. It should be noted that in the vast majority of cases the Service will need to use the exemption to preserve the neither confirm nor deny policy or to limit the extent of disclosure. The administrative burden of ad hoc certificates, taken together with the fact that only Cabinet Ministers may sign such certificates, were also factors taken into consideration for the form and scope of the certificate.
    9.3 . The terms of the certificate were drafted to reflect the functions of the Security Service and the terms of the Data Protection Act 1998. A proportionate approach was adopted; careful consideration was given to the range of exemptions truly required in respect of each of the different categories of personal data, so that only the necessary exemptions were certified in respect of each category.
    9.4 . In particular, in line with the comments of the Tribunal, the neither confirm nor deny principle is preserved, subject to some exceptions. For example, it is not possible to sustain the principle in respect to former employees of the Security Service. Even so, it may still be necessary, to safeguard national security, to withhold information about personal data that may have been processed.
    9.5 . The Home Secretary was aware that the personal data covered by the certificate might have been, or might be being, processed by the Security Service in the exercise of its function to support law enforcement agencies in the prevention and detection of serious crime. However, again in line with the policy of successive governments, the Home Secretary took the view that the complete separation of the national security and serious crime functions of the Security Service was impossible. The work of the Security Service in respect of any individual may often be carried out simultaneously under both of these functions.
    9.6 . The methodology, operating techniques, and resources of the Security Service are common to all three of its functions. It would be impossible to maintain a "neither confirm nor deny" approach to personal data processed under the Security Service's national security function if that approach were not adopted to personal data obtained under the serious crime function. Carefully directed or persistent enquiries made by an individual in respect of the serious crime function of the Security Service would lead to a grave risk of revealing whether the Security Service processed data in respect of that individual under its national security function. Therefore, the Home Secretary considered that exemption of all such personal data was required for the purpose of safeguarding national security. The same reasoning of course applies to the Security Service's other function of safeguarding the economic well-being of the country.
    9.7 . The certificate gives notice of the checks, procedures and reporting obligations placed on the Security Service as condition of their use of the certificate. These obligations are linked for the first time to the certificate in light of the Tribunal's determination mentioned in paragraph 9.1 above. The obligations ensure that, while its terms are widely drawn, the Security Service will only use the national security exemption when necessary.
    10. The checks, procedures and reporting obligations placed on the Security Service as condition of their use of the certificate.
    10.1 . The checks, procedures and reporting obligations on the Security Service are set out in the certificate, document reference DPA/S28/TSS/2. The Home Secretary also considered the Security Service arrangements for dealing with DPA subject access requests as set out in their internal protocol document.
    10.2 . In summary, the obligations require the Security Service to examine each subject access application and, for the purposes of safeguarding national security:
    i. decide whether the use of the neither confirm nor deny approach is necessary,
    ii. otherwise decide to what extent the national security exemption is still necessary; and
    iii. to report back to the Home Secretary on the working of these arrangements.
    11. Other points on the Security Service's need for use of exemptions under the Data Protection Act 1998.
    11.1 . When signing the certificate, the Home Secretary noted that other DPA exemptions might well also apply to the personal data covered by the certificate.
    11.2 . In addition, the signing of this certificate did not exclude the possible necessity of signing other national security certificates relating to personal data processed by the Security Service.
    12. Conclusion
    12.1 . Having considered the factors above and given his knowledge of the secret work of the Security Service, the Home Secretary decided it was right for him to sign the certificate as requested by the Security Service.

Note 1    The House of Lords' Judgement of 11 October in the appeal of Shafiq Ur Rehman against deportation, Secretary of State for the Home Department (11 October 2001 [2001] UKHL47).

