Part 4.2 – Intelligence Services Processing
Sometimes I wander into a dark corner of legislation and I come out of it huddling up with my knees against my chest while I rock back and forth. This was one of those times.
Chapter 4 – Controller and Processor
Section 101 – Overview
A table of contents because without it we wouldn’t be able to know where we were or what was going on. It’s like being in a shopping centre with one of those maps with the ‘you are here’ arrow on it. Then running into one of these bad boys every ten feet.
Section 102 – General obligations of the controller
Hmmm, it appears the Information Commissioner has some kind of power over the Security Services? She can make them demonstrate that they are compliant? That first meeting would be fun to sit in on.
Section 103 – Data protection by design
A reiteration of this principle, keeping in mind that GCHQ is the organisation that secretly wiretapped the internet trunk lines that came into the UK, effectively tapping the entire world’s communications. I’m just saying that past demonstrations don’t bode well for these guys thinking about people’s security in any meaningful way.
Section 104 – Joint controllers
Intelligence services can tag team your personal info, in all the same ways that any other controller can tag team personal info. I’m going to try and only use the word ‘redundant’ this one time. Every other mention will be through more masterful prose.
Section 105 – Processors
I think this might be déjà vu. Processors can process data on behalf of controllers.
Section 106 – Processing under the authority of the controller or processor
It’s amazing I’ve never actually read this passage before, oh wait I have…repeatedly.
Section 107 – Security of processing
Keep it secure, folks. All this talk of processors for intelligence services has got me wondering how many third-party data processors work for/with intelligence services to analyse data? A little Google-fu and it turns out that around 100 external IT contractors have privileged rights to operational systems within GCHQ.
Section 108 – Communication of a personal data breach
Tell the information commissioner if you lose your data.
Chapter 5 – Transfers of Personal Data Outside the United Kingdom
Section 109 – Transfers of personal data outside the United Kingdom
Surely they would never send our data outside the country, would they? Oh, yeah, the Five Eyes programme to share data with four other countries to support international intelligence gathering.
Chapter 6 – Exemptions
Section 110 – National security
Essentially a blanket ‘what we are doing is OK’ statement. I was curious about the term ‘National Security’ though and looked it up. I couldn’t find a very good definition. I did find a few legal blogs arguing for a better definition that didn’t allow for so much uncertainty. But the best definition I could find came from a mention that MI5 have defined national security as the security and well-being of the UK as a whole. That feels broad. That feels like a little kid stretching his arms out as wide as they go saying ‘I love you this much, mommy’.
Section 111 – National security: certificate
The formal mechanism allowing Martial Law to be conducted. At least it takes someone outside of the Intelligence Services: Ministers of the Crown, which narrows it down to 23 people.
Section 112 – Other exemptions
List of excuses for not doing anything laid out in this part.
Section 113 – Power to make further exemptions
If they don’t like the rules they can get the Secretary of State to write new rules. I believe this is less than the number of Ministers of the Crown; we are now looking at 18 individuals.
I’m glad this part is over now. I can remove the tin foil hat and go about my normal business.