Data Protection Act 2018: Intelligence Services Processing
Part 4: Intelligence Services Processing
Part 4 of the Data Protection Act 2018 establishes a specific data protection regime for the UK intelligence services and certain designated competent authorities. It mirrors the structure of UK GDPR but with modifications appropriate for national security contexts.
Key principle: Balances individual rights with national security requirements through modified data protection principles, limited rights, and specific exemptions.
Chapter 1: Scope and Definitions (§§82-84)
Section 82: Processing to Which Part 4 Applies
82.A1 — Scope (Added 2025)
Part 4 applies to:
| Entity Type | Application |
|---|---|
| Intelligence services | All personal data processing |
| Qualifying competent authorities | Processing subject to designation notice in force |
Recent expansion (2025 amendments):
- Part 4 now extends beyond intelligence services
- Qualifying competent authorities can be designated via notice
- Designation procedures in sections 82A-82E
82.1 — Processing Types Covered
Only applies to:
- Automated processing (wholly or partly)
- Manual processing of data forming part of (or intended for) a filing system
Same threshold as UK GDPR Article 2.
82.2 — “Intelligence Service” Definition
Three organizations:
| Service | Abbreviation | Function |
|---|---|---|
| Security Service | MI5 | Domestic intelligence & security |
| Secret Intelligence Service | MI6/SIS | Foreign intelligence |
| Government Communications Headquarters | GCHQ | Signals intelligence & cyber |
82.2A — Additional Definitions (Added 2025)
- “Competent authority” = Same meaning as Part 3 (law enforcement)
- “Qualifying competent authority” = Specified by Secretary of State in regulations
82.4 — Regulatory Powers
Regulations under this section require affirmative resolution procedure (Parliamentary approval).
Practical impact:
AI agents processing personal data for intelligence services or designated authorities must comply with Part 4, not UK GDPR.
Chapter 2: Principles (§§85-91A)
Section 85: Overview of Six Principles
Part 4 establishes six data protection principles:
| Principle | Section | Requirement |
|---|---|---|
| First | §86 | Lawful, fair, and transparent |
| Second | §87 | Specified, explicit, legitimate purposes |
| Third | §88 | Adequate, relevant, not excessive |
| Fourth | §89 | Accurate and up to date |
| Fifth | §90 | Kept no longer than necessary |
| Sixth | §91 | Processed securely |
Plus §91A (added 2025) on additional sensitive processing rules.
Section 86: First Principle — Lawful, Fair & Transparent
86.1 — Core Requirement
Processing must be:
- Lawful (satisfies Schedule 9 condition)
- Fair (considering how data was obtained)
- Transparent
86.2 — Lawfulness Test
For ALL processing:
- At least one condition from Schedule 9 must be satisfied
For SENSITIVE processing:
- ALSO at least one condition from Schedule 10
86.5-7 — Fairness Assessment
Fairness considerations:
- How was data obtained?
- Was it from someone authorized/required by law to supply it?
§86.6 safe harbor:
Data meets fairness standards if obtained from person authorized or required by law to supply it.
86.7 — “Sensitive Processing” Definition
Includes data revealing:
| Category | Examples |
|---|---|
| Racial/ethnic origin | Heritage, nationality |
| Political opinions | Party membership, voting |
| Religious/philosophical beliefs | Faith, secular philosophy |
| Trade union membership | Union affiliation |
| Genetic data | DNA, genetic testing |
| Biometric data | Fingerprints, facial recognition (for ID) |
| Health | Medical records, diagnoses |
| Sex life/sexual orientation | Sexual history, preferences, orientation |
| Criminal offenses/proceedings | Convictions, allegations, proceedings |
Critical difference from UK GDPR:
Part 4 calls this “sensitive processing” instead of “special categories.” Conditions in Schedule 10, not Schedule 1.
Sections 87-91: Remaining Principles (Summary)
Section 87: Second Principle — Purpose Limitation
Requirements:
- Purposes must be specified, explicit, and legitimate at collection
- Further processing only if compatible with original purpose
- Secretary of State may specify compatible purposes by regulation
Differs from UK GDPR:
- Intelligence services have broader “compatible purpose” interpretation
- National security purposes given deference
Section 88: Third Principle — Data Minimization
Processing must ensure personal data is:
- Adequate for the purpose
- Relevant to the purpose
- Not excessive in relation to the purpose
Same standard as UK GDPR, but applied in intelligence context.
Section 89: Fourth Principle — Accuracy
Requirements:
- Personal data must be accurate
- Where necessary, kept up to date
- Reasonable steps must be taken to ensure inaccurate data is erased or rectified without delay
Opinions distinction:
- Data accurately recording someone’s opinion remains “accurate” even if opinion is wrong
- E.g., “Source X believes Y is a threat” is accurate if X genuinely holds that belief
Section 90: Fifth Principle — Storage Limitation
Personal data:
- Must be kept no longer than necessary for the processing purposes
- May be kept longer for archiving, research, or statistical purposes, with appropriate safeguards
Intelligence context:
- National security archives may justify extended retention
- Must still conduct periodic reviews
- Irrelevant data should be deleted
Section 91: Sixth Principle — Security
Requirements:
- Processing must be secure using appropriate technical and organizational measures
- Protect against unauthorized/unlawful processing
- Protect against accidental loss, destruction, or damage
Factors to consider:
- State of the art technology
- Implementation costs
- Nature, scope, context, and purposes of processing
- Risks to data subjects
Section 91A: Additional Sensitive Processing Rules (Added 2025)
New provisions for sensitive processing:
- Additional safeguards beyond Schedule 10 conditions
- Secretary of State may specify by regulation
- Applies to biometric data, genetic data, and other high-risk processing
Chapter 3: Rights of Data Subjects (§§92-100)
KEY DIFFERENCE FROM UK GDPR:
Data subject rights against the intelligence services are significantly LIMITED to protect national security. Most rights can be restricted via Section 110 exemptions.
Section 92: Rights Overview
Part 4 provides these rights:
| Right | Sections | Scope |
|---|---|---|
| Information provision | §93 | Limited transparency |
| Subject access | §§94-95 | Restricted access right |
| Automated decisions | §§96-97 | Protections against pure automation |
| Decision transparency | §98 | Explanation of logic |
| Objection | §99 | Right to object to processing |
| Rectification | §100(1)-(5) | Fix inaccurate data |
| Erasure | §100(6)-(9) | Delete unlawful/unnecessary data |
| Restriction | §100(10)-(11) | Limit processing |
Section 93: Information to Be Provided to Data Subjects
Transparency requirements:
Controllers must provide data subjects with information about:
- Identity and contact details of controller
- Purposes of processing
- Recipients or categories of recipients
- Where applicable, international transfers
HOWEVER:
- §110 national security exemptions often apply
- Information disclosure may be refused to protect operations
Sections 94-95: Subject Access Rights
Section 94: Right to confirmation and access
Data subjects can request:
- Confirmation whether data is being processed
- Access to personal data
- Supplementary information (purposes, categories, recipients, retention)
Section 95: Requests and compliance
Timeline:
- Must comply without undue delay
- Within 1 month of receipt
- Can extend by 2 months if complex/numerous requests
Fees:
- Generally free
- Can charge “reasonable fee” if manifestly unfounded/excessive
- Can refuse to act on manifestly unfounded/excessive requests
CRITICAL LIMITATION:
§110 exemptions allow intelligence services to refuse subject access requests entirely for national security reasons.
Sections 96-98: Automated Decision-Making
Section 96: Solely automated decisions with legal effects
Protected against:
- Decisions based solely on automated processing (including profiling)
- That produce legal effects or similarly significant effects
Does NOT apply if:
- Authorized by law setting suitable safeguards, OR
- Necessary for statutory/governmental functions
Section 97: Provision of information
When automated decisions are made:
- Data subject entitled to human review of decision
- Must be informed of logic involved
- Must be informed of significance and consequences
Section 98: Explanation of decision based on processing
Right to explanation:
- Data subject can request “intelligible explanation”
- Of logic and significance of processing leading to decision
However:
- Intelligence services can refuse under §110 exemptions
- Explanation may compromise sources/methods
Section 99: Right to Object
Data subject can object to processing:
- Based on specific processing grounds
- For compelling legitimate reasons relating to their situation
Controller must cease processing UNLESS:
- Demonstrates compelling legitimate grounds overriding data subject’s interests
- Processing is for legal claims
Intelligence context:
National security purposes almost always override objections under §110 exemptions.
Section 100: Rectification, Erasure, and Restriction
100.1-5: Rectification
Data subject can require:
- Rectification of inaccurate personal data
- Completion of incomplete personal data
Controller must comply without undue delay.
100.6-9: Erasure
Data subject can require erasure if:
- Data no longer necessary for purposes
- Processing is unlawful
- Erasure required for legal obligation
- Data relates to intelligence services information sharing (specific grounds)
Controller must erase without undue delay.
100.10-11: Restriction of Processing
Data subject can require restriction if:
- Accuracy is contested (while verifying)
- Processing is unlawful but subject opposes erasure
- Controller no longer needs data but subject needs it for legal claims
- Subject has objected to processing (pending verification of override grounds)
Restriction means:
- Data can only be processed with consent OR
- For legal claims OR
- Protecting rights of another OR
- Important public interest
CRITICAL NOTE:
All these rights are subject to §110 national security exemptions. Intelligence services can refuse any request if disclosure would prejudice national security.
Chapter 4: Controller & Processor Obligations (§§101-108)
Section 101: Obligations Overview
Controllers and processors must:
- Implement appropriate technical and organizational measures
- Demonstrate compliance with principles
- Cooperate with Commissioner
- Maintain records
- Notify breaches
Section 102: Compliance Measures by Controller
Controllers must implement measures to:
- Ensure compliance with Part 4 principles
- Demonstrate compliance (accountability)
- Review and update measures as necessary
Factors to consider:
- Nature, scope, context, purposes of processing
- Risks to data subjects
- Technical feasibility and cost
Section 103: Data Protection Impact Assessment
DPIA required when:
- Processing likely to result in high risk to rights and freedoms
- Particularly using new technologies
- Considering nature, scope, context, purposes
DPIA must assess:
- Description of processing operations and purposes
- Assessment of necessity and proportionality
- Assessment of risks to data subjects
- Measures to address risks
Consultation:
- Must consult Commissioner if DPIA indicates high risk that can’t be mitigated
Section 104: Joint Controllers
When two+ controllers jointly determine purposes/means:
Each must:
- Determine respective responsibilities by arrangement
- Make arrangement essence available to data subjects
- Ensure one controller designated for compliance
Data subject rights:
- Can exercise rights against each controller
Sections 105-106: Processors
Section 105: Use of processors
Controllers must only use processors that:
- Provide sufficient guarantees of technical/organizational measures
- Ensure compliance with Part 4
Must be governed by contract specifying:
- Subject matter, duration, nature, purpose
- Processor obligations
- Security requirements
Section 106: Processor obligations
Processors must:
- Only process on documented controller instructions
- Ensure persons authorized to process have committed to confidentiality
- Implement security measures
- Assist controller in responding to data subject rights
- Assist in DPIAs
- Delete or return data after services end
- Make available information to demonstrate compliance
Sub-processors:
- Require prior written authorization from controller
- Subject to same data protection obligations
Section 107: Security of Processing
Controllers and processors must implement:
Technical measures:
- Pseudonymization
- Encryption
- System/service resilience
- Restore availability after incidents
- Testing effectiveness
Organizational measures:
- Access controls
- Staff training
- Incident response procedures
- Regular reviews
Risk-based approach:
- Consider state of the art
- Implementation costs
- Nature/scope/context/purposes
- Likelihood and severity of risks
Section 108: Notification of Personal Data Breach
Breach notification to Commissioner:
When required:
- Breach likely to result in risk to rights and freedoms
- Must notify without undue delay
- Where feasible, within 72 hours of awareness
What to include:
- Nature of breach (categories/numbers affected)
- Contact point for more information
- Likely consequences
- Measures taken or proposed
Breach notification to data subjects:
When required:
- Breach likely to result in high risk to rights and freedoms
Communication must:
- Be in clear and plain language
- Describe nature of breach
- Provide contact point
- Describe likely consequences
- Describe measures taken/proposed
Exception:
- Not required if controller implemented protection rendering data unintelligible (e.g., encryption)
- Or if notification would involve disproportionate effort
Intelligence services reality:
Breaches are often classified. Notification may be limited to Commissioner only, not data subjects, under national security grounds.
Chapter 5: International Transfers (§109)
Section 109: Transfers Outside UK
Restrictions on transfers:
Personal data must NOT be transferred outside UK unless:
- Adequate protection exists in destination country, OR
- Appropriate safeguards are in place, OR
- Derogation applies (specific situation justification)
Adequate protection:
- Secretary of State may make regulations specifying countries with adequate protection
- Assessment considers legal framework, data subject rights, enforcement
Appropriate safeguards:
- Legally binding instruments between authorities
- Binding corporate rules
- Standard data protection clauses
- Codes of conduct
- Certification mechanisms
Derogations:
- Necessary for important reasons of public interest
- Necessary for legal claims
- Necessary to protect vital interests where consent not possible
- Transfer from public register
Intelligence context:
International intelligence sharing (e.g., Five Eyes) typically relies on international agreements or public interest derogations.
Chapter 6: Exemptions (§§110-113)
Section 110: National Security Exemptions
THE CRITICAL SECTION FOR INTELLIGENCE SERVICES
110.1 — Blanket Exemption Power
Personal data is EXEMPT from provisions if exemption required for:
“The purpose of safeguarding national security”
What can be exempted:
- Any Part 4 provision EXCEPT the principles themselves (but rights tied to principles CAN be exempt)
- Effectively: all rights, transparency duties, and procedural requirements
Practical effect:
Intelligence services can refuse subject access, not provide information notices, and restrict all data subject rights by invoking national security.
110.2 — Certificate Procedure
Minister of the Crown may certify:
- That exemption from specified provisions is (or was) required for national security purposes
Certificate is conclusive evidence of that fact.
Certificate types:
- General (affecting multiple individuals/organizations)
- Specific (particular processing operation)
Appeals:
- Data subject can appeal certificate to Upper Tribunal
- Burden on data subject to show certificate should not have been issued
- Tribunal can uphold, quash, or vary certificate
110.3-5 — Certificate Procedure Details
Service of certificate:
- Minister must notify affected parties where reasonably practicable
Duration:
- Certificate remains in force until withdrawn or quashed
National security certificate = trump card:
Once issued, certificate conclusively exempts processing from specified provisions. Extremely difficult to challenge successfully.
Section 111: Functions Conferred by Enactment or Rule of Law
Additional exemption:
Data is exempt from certain provisions if:
- Processing is necessary for statutory or governmental functions
- Exemption required for effective function discharge
Covers:
- Functions conferred by enactment (statutes)
- Functions conferred by rule of law (common law powers)
What can be exempted:
- Rights to information (§93)
- Subject access (§§94-95)
- Rectification, erasure, restriction (§100)
Example use:
Intelligence services’ statutory functions (e.g., Security Service Act 1989) can justify exemptions without needing national security certificate.
Section 112: Legal Professional Privilege
Exemption:
Personal data is exempt from:
- Subject access (§§94-95)
- Information provision (§93)
- Communication of breaches to data subjects (§108)
When:
- Data consists of information subject to legal professional privilege
What is legal professional privilege:
- Communications between lawyer and client for legal advice
- Communications in contemplation of litigation
- Protects confidentiality
Scope:
- Protects lawyer-client communications even in intelligence context
- Subject access cannot compel disclosure of privileged material
Section 113: Power to Make Further Exemptions
Secretary of State may make regulations providing additional exemptions for:
| Purpose | Rationale |
|---|---|
| Crime prevention/detection | Law enforcement effectiveness |
| Apprehension/prosecution | Criminal justice |
| Assessment/collection of taxes | Revenue protection |
| Immigration control | Border security |
| Preventing/detecting unlawful acts | Broader enforcement |
| Protecting public against dishonesty, malpractice, incompetence | Consumer/public protection |
| Regulatory functions | Regulatory effectiveness |
| Other statutory functions | Public administration |
Regulations subject to affirmative resolution procedure.
Practical impact:
Exemptions can be expanded beyond core national security to cover adjacent law enforcement and regulatory activities.
Practical Application for AI Agents
When Does Part 4 Apply to AI Systems?
Part 4 applies if your AI agent:
- Processes data FOR an intelligence service (MI5, MI6, GCHQ)
- Processes data FOR a designated qualifying competent authority (under designation notice)
- Processes data in cooperation WITH intelligence services where processing is subject to Part 4
Part 4 does NOT apply if:
- Processing is purely commercial (use UK GDPR)
- Processing is for law enforcement but not designated under Part 4 (use Part 3)
- Processing is for public authority but not intelligence/designated (use UK GDPR)
Scenario 1: AI Threat Analysis for GCHQ
Facts:
- AI agent analyzes communications data to identify cyber threats
- Operated by/for GCHQ
- Processes biometric data (voice patterns), political opinions (extracted from messages), location data
Analysis:
- Which regime applies?
  - ✅ Part 4 (intelligence service processing)
- What principles apply?
  - All six principles (§§85-91)
  - Schedule 9 condition required (lawfulness)
  - Schedule 10 condition required (sensitive processing - biometrics, political opinions)
- What rights do data subjects have?
  - Technically: subject access (§94), rectification (§100), etc.
  - Practically: NONE — §110 national security exemption applies
  - Minister can issue certificate exempting all rights
- Can AI make automated decisions?
  - §§96-98 apply (automated decision protections)
  - BUT can invoke statutory function exemption (§111)
  - National security certificate can exempt (§110)
Compliance approach:
- Ensure Schedule 9 + Schedule 10 conditions satisfied
- Implement security measures (§107) - HIGH standard for intelligence
- Conduct DPIA for high-risk processing (§103)
- Document compliance with principles (§102)
- Prepare for §110 certificate if subject access requests received
- DO NOT assume data subject rights will never be exercised (certificate needed to refuse)
Scenario 2: Commercial AI Vendor Contracting with MI6
Facts:
- Private company provides AI analysis services to MI6
- Processes intelligence data under contract
- Company also has commercial customers
Analysis:
- Is vendor a processor or controller?
  - Likely processor (processing on MI6’s instructions)
  - Must comply with §106 processor obligations
- Which regime for which processing?
  - MI6 work: Part 4 (controller is intelligence service)
  - Commercial work: UK GDPR (controller is commercial entity)
  - ⚠️ MUST SEGREGATE data and processing
- What obligations?
  - §106: processor security, confidentiality, assistance duties
  - §105: written contract required specifying obligations
  - §107: implement appropriate security (VERY HIGH for intelligence data)
- Can use sub-processors?
  - Only with MI6’s prior written authorization
  - Sub-processor must have same Part 4 obligations
Compliance checklist:
- Separate infrastructure for intelligence vs commercial work
- Written contract meeting §105 requirements
- Staff vetting and confidentiality undertakings
- Enhanced security measures (§107)
- No sub-processors without MI6 authorization
- Data deletion procedures when contract ends
- Incident response plan for breaches (§108)
Scenario 3: Data Subject Requests Access to MI5 Records
Facts:
- Individual believes MI5 has file on them
- Submits subject access request under §94
- Requests confirmation of processing and copy of data
Analysis:
Options for MI5:
| Response | Legal Basis | Effect |
|---|---|---|
| 1. Refuse via §110 exemption | National security | “Neither confirm nor deny” response |
| 2. Issue certificate | Minister certifies exemption required | Conclusive evidence, appeal to Upper Tribunal possible |
| 3. Provide limited disclosure | Partial compliance | Redact national security elements |
| 4. Full compliance | Unusual, but possible if no security risk | Provide all personal data |
Most likely response:
“Neither confirm nor deny” + §110 national security exemption, possibly supported by ministerial certificate.
If appealed:
- Upper Tribunal reviews certificate
- Burden on data subject to show certificate improper
- Tribunal typically defers to Minister on national security matters
- Very rare for certificate to be quashed
Scenario 4: Intelligence Services Data Breach
Facts:
- Cyber attack compromises MI6 database
- Thousands of agents’ identities exposed
- High risk to rights and freedoms (physical safety)
Obligations under §108:
- Notify Commissioner:
  - ✅ Required — breach is likely to result in risk
  - Within 72 hours
  - Provide details of nature, numbers, consequences, mitigations
- Notify data subjects:
  - ✅ Technically required — high risk to rights/freedoms
  - ⚠️ HOWEVER: notification may compromise ongoing operations, reveal intelligence methods
  - Likely to invoke §110 national security exemption or §111 statutory functions exemption
Practical approach:
- Notify Commissioner (classified notification)
- DO NOT notify data subjects publicly
- Take urgent mitigating measures (relocate agents, change identities)
- Document national security grounds for non-notification
- Consider ministerial certificate if challenged
Real-world reality:
Intelligence services breaches are almost never publicly disclosed to data subjects due to national security. Commissioner notified in classified manner.
Compliance Summary
For AI Agents Processing Intelligence Data
✅ DO:
- Understand whether Part 4 or UK GDPR applies to your processing
- Implement highest security standards (§107)
- Conduct DPIAs for high-risk processing (§103)
- Maintain detailed compliance documentation (§102)
- Segregate intelligence and commercial processing strictly
- Train staff on Part 4 requirements and confidentiality
- Have clear contract if you’re a processor (§§105-106)
- Prepare breach response procedures (§108)
❌ DON’T:
- Assume data subject rights don’t exist (they technically do, even if exempted)
- Mix intelligence and commercial data/processing
- Fail to implement Schedule 9 + Schedule 10 conditions for sensitive data
- Ignore principles just because rights can be exempted
- Rely on §110 exemptions without proper documentation
- Disregard security obligations (these are not exemptable)
Key Differences from UK GDPR
| Aspect | UK GDPR | Part 4 Intelligence Services |
|---|---|---|
| Who it applies to | Most controllers/processors | Intelligence services + designated authorities |
| Principles | 6 principles (Art 5) | 6 principles (§§85-91) — similar content |
| Lawfulness conditions | Art 6 + Schedule 1 | Schedule 9 + Schedule 10 |
| Rights | Strong (Arts 12-22) | Weak (§§92-100) — exemptable via §110 |
| Enforcement | ICO has strong powers | Limited by national security |
| Exemptions | Limited (Schedule 2) | Broad (§§110-113, especially national security) |
| Transparency | High requirement | Low (often “neither confirm nor deny”) |
| International transfers | Art 45-46 safeguards | §109 similar framework, but national security trumps |
Red Flags
❌ Mixing regimes:
- Processing intelligence data under UK GDPR rules
- Processing commercial data under Part 4 rules
- Failing to segregate
❌ Over-relying on exemptions:
- Using §110 without proper national security justification
- Blanket refusal of all rights without case-by-case assessment
- Ignoring principles because rights can be exempted
❌ Inadequate security:
- Intelligence data requires HIGHEST security standards
- Breaches have severe national security consequences
- §107 compliance is NOT exemptable
❌ Processor contract gaps:
- Vendor contracts not meeting §105 requirements
- Sub-processors not authorized
- No deletion procedures
❌ DPIA failures:
- No DPIA for high-risk intelligence AI systems
- Inadequate risk assessment
- No Commissioner consultation when required
Citations & Commencement
Citation: Data Protection Act 2018, Part 4, Sections 82-113
Source: https://www.legislation.gov.uk/ukpga/2018/12/part/4
Commencement: Most provisions in force from May 25, 2018
Recent amendments: Data (Use and Access) Act 2025 (added §§82A-82E, 91A; interview notices)
Last reviewed: March 5, 2026
Key schedules:
- Schedule 9: Part 4 processing conditions (lawfulness)
- Schedule 10: Sensitive processing conditions
- Schedule 17: Journalism review procedures (relates to §178)