9 May 2001. Thanks to Anonymous.

[5 pages.]

SECTION 28 DATA PROTECTION ACT 1998

_____________________________________________

CERTIFICATE OF THE SECRETARY OF STATE
_____________________________________________

Whereas:

(i) by section 28(1) of the Data Protection Act 1998 ("the Act ") it is provided that personal data are exempt from any of the provisions of :-
(a) the data protection principles;

(b) Parts II, III and V; and

(c) section 55

of the Act if the exemption from that provision is required for the purpose of safeguarding national security;

(ii) by subsection 28(2) it is provided that a certificate signed by a Minister of the Crown certifying that the exemption from all or any of the provisions mentioned in subsection 28(1) is or at any time was required for the purpose there mentioned In respect of any personal data shall be conclusive evidence of that fact;

(iii) by subsection 29(3) it is provided that a certificate under subsection 28(2) may identify the personal data to which it applies by means of a general description and may be expressed to have prospective effect.

Now, therefore, I, the Right Honourable Jack Straw MP, one of Her Majesty's Principal Secretaries of State, in exercise of the powers conferred by the said section 28(2) do issue this certificate and certify as follows:-

1. that any personal data that is processed by the Security Service as described in Column 1 of Part A in the table below are and shall continue to be required to be exempt from those provisions of the Act that are set out in Column 2 of Part A;

2. that any personal data that is processed by any other person or body in the course of data processing operations carried out for, on behalf of or at the request of the Security Service or in relation to the functions of the Security Service as described in Column 1 of Part B in the table below are and shall continue to be exempt from those provisions of the Act that are set out in Column 2 of Part B;

3. that any personal data that is processed by the Security Service for the purposes set out in Column 1 of Part C in the table below are and shall continue to be required to be exempt from those provisions of the Act that are set out in Column 2 of Part C below; and

4. that any personal data that is processed by the Security Service as described in Column 1 of Part D of the table below are and shall continue to be required to be exempt from those provisions of the Act that are set out in Column 2 of Part D below

all for the purpose of safeguarding national security.

PART A

Column 1

Column 2
1. Data processing in performance of the functions described in Section 1 of the Security Service Act 1989 as amended by the Security Service Act 0f 1996 including, but not limited to:
(i) obtaining personal data from human sources being agents or contacts at the Security Service;

(ii) obtaining personal data from other United Kingdom government departments, agencies or public authorities;

(iii) obtaining personal data from security and intelligence agencies, law enforcement agencies and other liaison contacts of other governments;

(iv) obtaining personal data from technical sources including from the interception of communications;

(v) obtaining personal data from commercial organisations and any other entities;

(vi) recording, holding, organising, adapting, altering, retrieving, consulting, aligning, combining, blocking. erasing, destroying and otherwise using such data;

(vii) transmitting such data to, from and between Security Service stations overseas;

(viii) disclosing or disseminating such data to other United Kingdom government departments, agencies or public authorities;

(ix) disclosing such date to agents or contacts of the Security Service;

(x) disclosing such data to security and intelligence agencies, law enforcement agencies and other liaison contacts other governments;

(xi) disclosing such data to commercial organisations and any other entities

2. Recruitment of staff of the Security Service and assisting with the recruitment at staff of the Secret Intelligence Service and GCHQ, including but not limited to:

(i) obtaining personal data on potential candidates, their associates and relations from all relevant sources;

(ii) recording, holding, organising, adopting, altering, retrieving, consulting, aligning, combining, blocking, erasing, destroying and otherwise using such data;

(iii) disclosing such data to the recruitment officers of the Secret Intelligence Service and GCHQ;

3. Vetting of candidates, staff contractors, agents and other contacts of the Security Service in accordance with the government vetting policy, including but not limited to:

(i) obtaining personal data from other government departments or agencies, banks and financial institutions and personal referees;

(ii) recording, holding, organising, adapting, altering. retrieving, consulting, aligning, combining, blocking, erasing, destroying and otherwise using such data;

(iii) disclosing such data to other government departments or agencies, banks and financial institutions and personal referees

(i) Part II;

(ii) Part III;

(iii) Part V;

(iv) section 55;

(v) the first data protection principle;

(vi) the second data protection principle;

(vii) the sixth data protection principle to the extent necessary to be consistent with the exemptions contained in this certificate; and

(viii) the eighth data protection principle.

PART B

Column 1

Column 2
1. Data processing in performance of the functions described in Section 1 of the Security Service Act 1989 as amended by the Security Service Act 1996 including, but not limited to;
(i) obtaining personal data from human sources being agents or contacts of the Security Service;

(ii) obtaining personal data from other United Kingdom government departments, agencies or public authorities;

(iii) obtaining personal data from security and intelligence agencies, law enforcement agencies and other liaison contacts or other governments;

(iv) obtaining personal data from technical sources including from the interception of communications;

(v) obtaining personal data from commercial organisations and any other entities;

(vi) recording, holding, organising, adapting, altering, retrieving, consulting, aligning, combining, blocking, erasing, destroying and otherwise using such data;

(vii) transmitting such data to, from and between Security Service stations overseas;

(viii) disclosing or disseminating such data to other United Kingdom government departments, agencies or public authorities;

(ix) disclosing such data to agents or contacts of the Security Service;

(x) disclosing such data to security and intelligence agencies, law enforcement agencies and other liaison contacts of other governments;

(xi) disclosing such data to commercial organisations and any other entities

2. Recruitment of staff of the Security Service and assisting with the recruitment of staff of the Secret Intelligence Service and GCHQ, including but not limited to:

(i) obtaining personal data on potential candidates, their associates and relations from all relevant sources;

(ii) recording. holding. organising, adapting, altering, retrieving, consulting, aligning, combining, blocking, erasing, destroying and otherwise using such data;

(iii) disclosing such data to the recruitment officers of the Secret Intelligence Service and GCHQ;

3. Vetting of candidates, staff, contractors, agents and other contacts of the Security Service in accordance with the government's vetting policy, including but not limited to:

(i) obtaining personal data from other government departments or agencies, banks and financial institutions and personal referees;

(ii) recording. holding, organising, adapting, altering, retrieving, consulting, aligning, combining, blocking, erasing, destroying and otherwise using such data;

(iii) disclosing such data to other government departments or agencies, banks and financial institutions and personal referees

(i) Part II;

(ii) Part III to the extent that those provisions require any reference to the Security Service or data processing operations carried out by or in support of the Security Service;

(iii) Part V;

(iv) section 55.

(v)  the first data protection principle;

(vi) the second data protection principle; and

(vii) the sixth data protection principle to the extent necessary to be consistent with the exemptions contained in this certificate.

PART C

Column 1

Column 2
1 . Data processed by the Security Service for the purposes of administration of human resources (including former members of staff but except for the filing system containing confidential data as described in Part D of this table) and staff pay, tax and national insurance contributions including but not limited to:
(i) obtaining such data from data subjects, their managers and personnel officers and other members of Security Service staff;

(ii) disclosing such data to Security Service managers and personnel officers and other members of Security Service staff;

(iii) recording. holding, organising, adapting, altering, retrieving, consulting, aligning, combining, blocking, erasing, destroying and otherwise using such data;

2. Data processed by the Security Service for the purposes of maintaining security CCTV coverage of Thames House, 12 Millbank, London in relation to the security and integrity of the building, including but not limited to:

(i) obtaining such data;

(ii) disclosing such data to Security Service security officers and other members of Security Service staff and police;

(iii) recording. holding, organising, adapting, altering, retrieving, consulting, aligning, combining, blocking, erasing, destroying and otherwise using such data;

3. Data processed by the Security Service for the purpose of commercial agreements (whether concluded or otherwise) or other arrangements with 3rd parties, in relation to which the Security Service supplies goods or services or under which the Security Service receives goods or services, whether or not the goods or services are supplied or received under those agreements or otherwise (and to the extent that the data do not comprise data to which Parts A or B of this certificate apply)

1. Sections 16 (1) (f), 47 and 50 and Schedule 9.

2. Sections 47 and 50 and Schedule 9.

3. Sections 16 (1) (f), 47 and 50 and Schedule 9.

PART D

Column 1

Column 2
Data processed by the Security Service for the purpose of maintaining and consulting a filing system containing confidential data about members of its staff whose purpose is to provide personnel officers and managers with information considered necessary to make informed decisions as to the suitability of individuals for any task, appointment, posting or any other matter. with particular regard to the security implications of those decisions, including but not limited to:
(i) obtaining such data from data subjects, their line managers and personnel officers and other members of Security Service staff;

(ii) disclosing such data to Security Service managers and personnel officers;

(iii)recording. holding, organising, adapting, altering, retrieving, consulting, aligning, combining, blocking, erasing, destroying and otherwise using such data.

(i) Part II;

(ii) Part III;

(iii) Part V; and

(iv) The eighth data protection principle


[Signature]
..................................................................
The Right Hon. Jack Straw, MP

22nd July 2000
..................................................................
Date

HTML by Cryptome.