Guide to Data Protection Act for Data Controllers

Exemptions

National Security

What is exempted?

This exemption applies to the processing of personal data for national security purposes. 

What provisions in the DPA does the exemption relate to?

Under this exemption, personal data is exempt from:

  • all the data protection principles;
  • Part 2 (the rights of individuals);
  • Part 3 (personal data breach notification); and
  • Part 6 (enforcement by the Ombudsman). 

When does the exemption apply?

The exemption from all or any of the provisions applies to the extent required to safeguard national security. 

How does the exemption work?

The Governor has the discretion to issue a certificate relating to any personal data, exempting it from all or any of the provisions above.

The Governor may consult with the National Security Council on the issuing of the certificate.

The Governor’s certificate identifies the personal data it relates to.

When a data controller claims that a certificate by the Governor applies to personal data being considered by the Ombudsman, any party (the Governor, the data controller or the data subject) may contend that the certificate does not apply to the personal data in question.

The Ombudsman may make a determination whether the certificate applies or does not apply to the personal data in question. 

Relevant provisions

Data Protection Act (2021 Revision)

Section 18: Exemption relating to national security                                                                               

Previous Next