Communications with Information Commissioner in 2001-02

This file refers to the Subject Access Request I sent to MI5 on 10 December 2001, and should be read in conjunction with the webpage at this location. I spoke to Peter Clarke of the Office of the Information Commissioner immediately prior to sending the SAR. He told me that if my application was refused then I could make a request for assessment to OIC. I sent the following letter to Peter Clarke on 4 January 2002;

Dear Mr Clarke,

Following our telephone conversation of 10 December 2001, I sent a subject access request (attached) to the Security Service on the same day. They responded in a letter dated 19 December 2001 (photocopy attached). I have not yet responded to their letter, because it raises some questions which I would ask for your advice.

Paragraph 4 of their letter says that under their certificate Z5137696 only three categories of personal data processing are notified, namely personnel records, CCTV, and suppliers/contractors. The first sentence of paragraph 5 of their letter says "Personal data acquired by the Service in pursuit of its statutory functions has not been notified." Looking at their entry on your register, they are entirely correct in their statement.

However, there is a question raised; is it legally permitted for a UK organisation to decline notification of its main data uses, without a valid exemption certificate? I notice the Secret Intelligence Service MI6, certificate Z5346873, notify only one purpose, Staff Administration, but they decline notification of their main data with the statement "This data controller also processes personal data which is exempt from notification". The Norman Baker decision establishes that currently no such exemption exists for MI5.

The rest of paragraph 5 of the letter states MI5 will claim an exemption under Section 28 of the DPA, as they did shortly following Mr Baker's subject access request. My understanding of the paragraph is that, for my specific case, they will request the Home Secretary to issue a new certificate to block access to any personal data they may have. I would then have to take the same route as Mr Baker, by appeal to the Information Tribunal. I am unsure if my interpretation of paragraph 5 is correct. If other persons' SARs have been allowed, then there would appear to be particularity; if other persons have received similar statements and been refused without basis in law, then it would appear to be a matter for the attention of the Information Commissioner's office.

Yours sincerely,

The reason personal data has not been notified is because Blunkett's certificate exempts them from the notification provisions of the Data Protection Act. They acquired this certificate on 10 December 2001, which coincidentally is exactly the same date as I made the SAR. I spoke again to Clarke on 14 January 2002; he mentioned Blunkett's assurance that data would be released unless National Security were genuinely involved. Again I spoke to Clarke on 25 January 2002; he said he'd written to me enclosing a request for assessment form; IC's powers are to ensure data controller complies with DPA; it is up to DC to raise exemptions; IC's job is to regulate non-compliance with DPA, if offence may have been committed; he sent me the following letter that day.

On 4 March 2002 I spoke again to Peter Clarke; I told him that on 28/Feb/2002 MI5 wrote to say the cheque should be made payable to "Royal Bank of Scotland", which amounted to timewasting, since a reasonable data controller would not take 2.5 months to figure out the payee was wrong. Clarke replied that they shouldn't delay for another 40 days just because the payee was incorrect. I wrote again to Mr Clarke on 25 March 2002;

Dear Mr Clarke,

Further to our correspondence some weeks ago. The Security Service has made a disclosure to my subject access request. Their response (copy attached) is very brief, and consists only of notes from material, with no original material whatsoever. I will be making a request for assessment to you, and I may wish to appeal to the Information Tribunal, on the basis that the data that is sought does not fall within the definition of "national security." However, before I make a request for assessment to you, I wish to ask some questions regarding these processes. Some of the questions are underlined, but I would ask you to answer as much as possible, to allow me to understand the applicable legislation and procedures, and possible courses of action.

(1) The assessment process. I understand this is governed by s42/s43 of the Data Protection Act 1998. Under s43(1) you may serve on the Security Service an "information notice" requiring them to reveal to you all relevant data. s48 gives the Security Service the right of appeal to the Data Protection Tribunal against your information notice.

s43(8) gives the Security Service the right to withhold information if it would reveal that they have committed an offence under any law other than DPA98. I am somewhat concerned by this clause, since my belief is that MI5 have committed many offences under other laws, so 43(8) would appear to offer them an exemption for the wrong reasons. Is my understanding of s43(8) correct? They may or may not have a warrant to carry out their activities; if they do have a warrant then their activities will be in compliance with the law; if they have a warrant then will s43(8) apply?

How does the Information Commissioner carry out an assessment, if the grounds on which it is made are that the data controller has incorrectly used the national security exemption; does the data controller have to tell your office whether data is being withheld because of the national security exemption, do they have to give you the exempted data, or are they not obliged to reveal the existence and contents of that data? If the latter is the case then the assessment process has no meaning since your powers in enforcing the Act would be severely limited.

(2) Statistics. Does the Information Commissioner publish statistics on the performance of her office with regards to the number of requests for assessment received each year, how many are carried out and how many refused, and how many prosecutions and convictions under DPA98 occur each year? A few years ago I communicated with the secretary of the then Security Service Tribunal, who advised me of the statistics for that Tribunal, including the startling figure of zero for successful complaints. Following that correspondence I decided against another complaint to his office. In the last two years I have made two requests for assessment, both of which your office has refused.

(3) The data MI5 have returned so far. They have not returned any printouts of data or original letters, as most data controllers would have done, merely notes from data. Are they able to limit returned data in this way, or can we expect original material, perhaps censored, to be disclosed?

(4) The definition of "national security". We spoke on the phone about this some weeks ago, and I think you told me the term could mean whatever MI5 or the Home Secretary wished. I have (twice) asked MI5 to define the term, and they have refused to answer. Their letter of 20 March 2002 says they "respond in this letter" to my questions on this subject, but in fact they do not respond at all to the question.

There has to be a precise answer to the definition; it is wrong for the definition to be applied nebulously on a case-by-case basis. The Security Service Act 1989, s1(2) says;

The function of the Service shall be the protection of national security and, in particular, its protection against threats from espionage, terrorism and sabotage, from the activities of agents of foreign powers and from actions intended to overthrow or undermine parliamentary democracy by political, industrial or violent means.

s1(3) talks about safeguarding economic well-being, but does not bring it under the umbrella of national security.

The Security Service Act 1996 s1(1) amends the 1989 Act by allowing MI5 "to act in support of ... police forces ... in the prevention and detection of serious crime." The new added section is 1(4) in the 1989 Act, so "serious crime" is not part of national security either. In any case, MI5's interest in me started in 1990, so this paragraph should be inapplicable. An additional observation is that a data controller may withhold data if it is for the prevention or detection of crime, serious or otherwise; would this exemption apply to the security service?

Can you offer a written definition of "national security", or is this something for which I should write to some other party? I cannot ask MI5 a third time, perhaps the Home Secretary's office would be placed to define the term.

(5) Supporting data to the assessment. I had a correspondence for years (1996-1998) with a person (Mr Stone) who was known on an internet group as having contacts with police type authorities, and who claimed to be in contact with an MI5 liaison. Two weeks after MI5 received my complaint and details from the Security Service Tribunal, Mr Stone published my personal details, name and address, which I had hitherto not disclosed to anyone on the net, on an internet discussion group. He claimed the data was from the BBC, which they denied orally and in writing. In January 2002 I asked the Information Commissioner to investigate this presumed breach of the Data Protection Act, and she refused.

Should I send you the emails between myself and Mr Stone, in support of the assessment? I think it would be valuable for you to have this information.

(6) Information Tribunal. I understand it is possible to appeal to this tribunal, on the basis that the data MI5 are withholding has nothing to do with national security. MI5 do not say this in their letter to me, but another person has sent me the letter MI5 sent in response to his SAR which says so.

Can you give me some basic understanding of the procedure involved in such an appeal; such as whether MI5 would have to disclose to the tribunal what data they have on me, for the tribunal members to make their minds up; whether I should seek to instruct a solicitor for this procedure (presumably yes); how a tribunal is constructed, whether it is a hearing with all present, or whether it is done in absentia on written documentation only; the approximate time before the case is heard (how many months), and whether costs for the hearing are borne by the losing party, as usually happens in a court hearing. I have no knowledge as to the operation of the Information Tribunal, so if you could provide some understanding I would be most grateful.

Would your advice be to pursue an assessment first, or to initiate an appeal at the same time as the assessment? Additionally I understand that Mr Baker went to judicial review regarding the previous exemption certificate, and the Tribunal agreed with the court's decision. My understanding of the judicial review process is that it aims to tackle methods of achieving decisions in general, as opposed to being an appeal process for a particular decision - so Mr Baker's judicial review was on the basis of the previous certificate being too general; but I have no issue with the current certificate, and only with the paucity of MI5's returned data. Would I be right in thinking that any possible judicial review would be up to me and a solicitor I might instruct, and the Information Commissioner would not be involved in such a review?

Thank you very much for your written response to this letter. I anticipate making a request for assessment shortly after receiving your reply.

Yours sincerely,

Clarke replied on 18 April 2002. In (1) he makes clear MI5's right to non self incrimination. In (3) he makes clear original data, even censored, does not have to be returned. In (4) he makes clear that "national security" is decided on a case by case basis. Regarding the Information Tribunal, he directs me to them for information.

I next wrote to Clarke on 9 May 2002, enclosing a request for assessment document.

Dear Mr Clarke,

Thank you for your letter of 18 April. I enclose a completed request for assessment under section 42 of the Data Protection Act 1998 regarding my subject access application to the Security Service.

I request that you make an assessment in both components mentioned in the attached form. Regarding the improper interest of the Security Service in my affairs, that is something that it is only possible to deal with now following the Information Tribunal's decision late last year. Regarding the improper disclosure of my personal details on the internet, that is something which has only come to light recently with the little data that MI5 have returned, specifically the date on which they received my details from the Security Service Tribunal which preceded by five days the publication of those details on the net.

Please serve an information notice as specified in s43(1) on the Security Service. My understanding is that MI5 are then required to supply you with all data they have on me, the only exclusion being if they are of the opinion that they would "expose [them] for proceedings for [an] offence" for any data. My understanding of your response of 18 April is that MI5's national security exemption certificate signed 10/December/2001, assuming they consider it applicable in my case, will not excuse them from supplying your office with relevant data.

Also enclosed is a letter from Tribunal secretary Nick Brooks in which he quotes a report that only one warrant had been found in 108 applications from 1989 until end 1997. It is my belief that MI5 do not have a warrant for their activities against me which are consequently illegal. Regrettably s43(8) therefore exempts them from disclosing in response to your information notice on grounds of self-incrimination. I would however ask you to serve them with said notice, since if they fail to return data, that will illustrate their perception of their activities in an appropriate light.

Yours sincerely,

The request for assessment was phrased as follows. I enclosed a series of emails with the person calling himself Stone.

On 28 February 1997 I made a complaint to the Security Service Tribunal, regarding actions against me by The Security Service from June 1990 onwards. These entailed substantial loss of privacy, harassment and emotional consequences, including loss of employment. MI5 received my complaint on 13 March 1997. I had been communicating with Mr Stone from Jersey, who claimed to have an MI5 contact. On 18 March 1997 he posted my personal details on the internet, which had hitherto been private; which I had not told him. I believe he obtained my personal details from The Security Service.

My request for assessment has two components; firstly, the improper actions undertaken by The Security Service against me from June 1990 onwards; and secondly, the improper disclosure of my personal data on the internet by Mr Stone. He claimed he had my details from the BBC; but they denied this; please see attached printout of posts/emails.

I am making an appeal to the Information Tribunal also.

Clarke finally replied on 19 July 2002.

Clarke essentially refused my request for assessment under s42/s43 of DPA. He says he needs some substantive documentary evidence of a data controller's non-compliance with the legislation, and I did not provide him with any. He directs me to the Information Tribunal for an appeal. I spoke to Clarke on the phone immediately prior to his sending this letter. He said they would not issue a s43 request, that that would be very rare. If OIC were to ask whether they were holding any data not covered by the s28 Certificate, they would answer no. Data covered by s28 would give an NCND response. He again directed me to the Information Tribunal for an appeal.

Central to any release of data whether by the Information Tribunal or any other party was the definition of "National Security", which I requested in a letter to the Home Secretary dated 6 August 2002. MI5 refused to define the term in their letters to me, and the Home Secretary passed my request to the Organised Crime, Drugs and International Group within the Home Office, which acknowledged my letter on 28 August 2002 but made no reply, despite a reminder on 19 December 2002. It seems the lack of National Security aspects to my case is so embarrassing that the Home Office simply do not want to talk about it.
