Hidden in plain sight: what Law Enforcement needs to know about the updated national security exemption
- Privacy Protect Group Ltd.
- Jul 23
- 4 min read

The new s78A, introduced by s88 of the Data (Use and Access) Act (DUAA) 2025 (1), significantly expands the national security exemption under Part 3 of the Data Protection Act (DPA) 2018 (2), which governs law enforcement processing.
Here’s a breakdown of what’s changed and what it means for competent authorities.
Core principle
Section 78A now explicitly states that numerous provisions of the DPA 2018 do not apply to personal data processed for law enforcement purposes if the exemption is required to safeguard national security.
The exemption can now apply to:
- Chapter 2: Data protection principles (except lawfulness and sensitive processing safeguards)
- Chapter 3: Data subject rights (e.g. access, rectification, erasure)
- Chapter 4: Breach notification duties (Sections 67 & 68)
- Chapter 5: International transfers (with some exceptions)
- Parts 5 & 6: Commissioner's inspection powers, offences, and enforcement
- Part 7: Representation of data subjects
Even under the national security exemption, the following still apply:
- s35(1): Lawful processing
- s35(2)-(5): Restrictions on sensitive processing
- s42 and Schedule 8: Safeguards for sensitive data
Certificates of exemption
The amendment also updates s79 of the DPA 2018, which governs ministerial certificates:
- A Minister of the Crown may issue a certificate stating that exemption from any of the listed provisions is required for national security.
- This certificate is now conclusive evidence of the need for exemption.
- Certificates may describe personal data generically, not just specifically.
- The tribunal may still review whether the certificate applies to the data in question.
Practical implications
Here are the types of situations the exemption could apply to.
Data breach notification suppression
Scenario: A cyber threat actor targets a counter-terrorism database. The breach is contained, but notifying affected individuals could alert hostile actors to the system’s architecture or vulnerabilities.
Exemption applied:
- Disapplication of Chapter 4, Sections 67 & 68 (personal data breach notification duties)
- Justified under Section 78A to prevent further exploitation and protect national security infrastructure.
International data transfers in intelligence sharing
Scenario: A UK law enforcement agency shares biometric data with a foreign intelligence partner under a covert counter-espionage agreement. The receiving country lacks an adequacy decision.
Exemption applied:
- Disapplication of Chapter 5 (international transfer restrictions)
- Enabled by a ministerial certificate under Section 79, covering generic categories of data (e.g. "biometric data exchanged under Protocol X").
Automated decision-making in border control
Scenario: Border Force uses automated systems to flag individuals for secondary screening based on behavioural analytics and travel history. Human review is delayed due to operational constraints.
Exemption applied:
- Disapplication of automated decision-making safeguards under Section 80
- Permitted if reconsideration with meaningful human involvement occurs as soon as reasonably practicable, and the exemption is required to avoid obstruction of national security operations.
Joint processing with intelligence services
Scenario: A regional police force jointly processes communications metadata with GCHQ to identify patterns linked to foreign interference in elections.
Exemption applied:
- Disapplication of Parts 5 & 6 (ICO inspection powers and enforcement)
- Justified under Section 78A to protect sensitive joint processing arrangements and national security protocols.
Retention of biometric data from INTERPOL
Scenario: INTERPOL shares pseudonymised biometric data with UK authorities for tracking suspected extremists. Retention exceeds standard limits due to ongoing threat assessments.
Exemption applied:
- Disapplication of Part 7 (representation and data subject rights)
- Supported by a documented risk assessment and a ministerial certificate confirming necessity for national security.
Accountability remains
Despite broader discretion, competent authorities remain bound by s34(3) expectations to:
- Document when and why an exemption is applied
- Conduct a risk assessment before disapplication
- Retain records for potential review by the Investigatory Powers Tribunal or the ICO
“If you can’t show it, you shouldn’t be doing it.” That’s the golden thread of data governance, even under national security protocols.
How your organisation can stay ready
Navigating this complex landscape requires more than reactive compliance. It calls for:
- Tailored templates for exemption decisions
- Staff training on lawful sensitive processing and certificate boundaries
- Audit-ready documentation to satisfy scrutiny without impeding operations
This is where our consultancy steps in.
We can support competent authorities in translating legislation into liveable protocols - from frontline response tools to strategic policy design. Whether you're revising your internal SAR playbook or preparing for ICO engagement, we offer practical, human-centric guidance grounded in experience and compliance.
The DUAA 2025 reinforces a core truth: data protection in law enforcement isn't just a legal obligation, it's an operational asset. With every response and exemption logged, you’re not ticking boxes, you’re reinforcing trust, protecting intelligence, and upholding accountability.
If your team needs a second pair of eyes or a strategic partner in this space, we’re ready to engage. Let us help you protect what matters.
References
(1) HM Government, (2025). Data (Use and Access) Act 2025. Available at: https://www.legislation.gov.uk/ukpga/2025/18/introduction/enacted (Accessed: 23 July 2025).
(2) HM Government, (2018). Data Protection Act 2018. Available at: https://www.legislation.gov.uk/ukpga/2018/12/contents (Accessed: 23 July 2025).