Last updated: 24 November 2008
Issue
Personal data are, inter alia, exempt from the subject access provisions of the Act if that exemption is required for the purpose of safeguarding national security. This exemption may be invoked by an official replying to the data subject to that effect. A certificate signed by a Cabinet Minister under section 28 of the DPA is evidence that the exemption has been properly invoked. A certificate does not have to be produced until, and if, a data subject requests conclusive evidence of the exemption. If such a certificate has been issued, the data subject may appeal against it to the specially constituted Information Tribunal. An individual may appeal against a s28 certificate on the grounds that the Minister did not have reasonable grounds for signing the certificate, or that the certificate does not apply to the personal data in question. If a certificate has not been issued, the Information Commissioner has a number of enforcement powers, such as “information notices” and “enforcement notices”, which she may deploy.
2. Section 28 certificates that have been signed for the three Intelligence Agencies protect material processed by the Agencies themselves, those who process on behalf of the agencies and those who process material that has been passed to them by the agencies (other than government departments). If the same material is passed on to another department the material is not protected unless the department concerned has a section 28 certificate.
Standards
3. Departments should consider the need for prospective certificates, particularly in relation to national security vetting. In the absence of prospective certificates, departments would need to move quickly should the requirement for a section 28 certificate arise.
Recommended best practice
4. The legal advice from the Treasury Solicitor’s Department given to the departments likely to hold security-sensitive material is that the requirement for a certificate under section 28 of the DPA is a matter for each department to determine.
5. The need for section 28 certificates can be split into three elements, i.e. national security vetting, national security material in general and a possible specific requirement when responding to a data subject.
6. At a meeting of Departmental Security Officers on 18 December 2001 it was accepted that most, if not all, departments would need, and should have, a prospective section 28 certificate that covered material in relation to national security vetting. The method of making public the “reasons” document (i.e. the document setting out why a certificate is needed) has also to be decided. The most likely method is by placing a signed copy of the document in the Library of the House of Commons.
7. The need for a prospective section 28 certificate covering national security material in general is only likely to apply to a limited number of departments, e.g. Home Office, Foreign and Commonwealth Office, Ministry of Defence and Cabinet Office.
8. In addition to national security vetting and national security in general, there may be a need or benefit in having “bespoke” section 28 certificates relating to a particular data access request. This will have to be handled on a case-by-case basis. Where a particular case involves more than one department, consideration should be given to obtaining an overall section 28 certificate covering all departments involved.
9. Section 28 certificates have to be signed by a member of the Cabinet, the Attorney General or the Advocate General.
Data Protection Handbook [PDF, 710KB]