Our legal basis for processing personal data
GCHQ, along with MI5 and SIS, is one of the UK Intelligence Services. Our role is set by the Intelligence Services Act 1994 (ISA 1994). All our processing of personal data is subject to rigorous legal controls. These include: the Data Protection Act 2018 (DPA 2018); ISA 1994; Regulation of Investigatory Powers Act 2000 (RIPA 2000); and the Investigatory Powers Act 2016 (IPA 2016). Under this legislation, we process personal data both for our operational work, appropriately authorised where necessary, and in support of our corporate functions.
We rely on the DPA 2018, Part 4: Intelligence Services Processing to determine how we process personal data. This includes GCHQ’s ability to apply the National Security Exemption as specified in section 110 of the DPA 2018, for the purpose of safeguarding national security. These exemptions are further supported by the National Security Certificate, issued under section 111 of the DPA 2018 by the Foreign Secretary, which provides conclusive evidence that certain exemptions are required.
All GCHQ’s processing of personal data must meet a legitimate condition, specified for us in Schedules 9 and 10 of the DPA 2018. There are no exceptions to this.
Why do we process personal data?
We process personal data in our operational work as one of the three UK Intelligence Services. We also process, in support of corporate functions (eg HR, Finance, Procurement), personal data provided to us by individuals with whom we interact directly, for example:
- They have contacted GCHQ with an enquiry or a complaint
- They have applied for a job
- They are representing their organisation
- They visit our premises
- We are purchasing goods or services from them.
- We are entering into a contract with them e.g. for them to supply their services, or take up a job offer
- They have given us their consent to process their personal data
We also collect personal data when individuals visit our website, www.gchq-careers.co.uk. This includes:
- The IP address from which they access our website and details of which version of web browser and operating system they used
- The date and time of their visit
- Information about the device from which they have accessed our website, including the operating system and browser used
- The referring website, i.e. the website which led an individual to our website.
We have CCTV coverage of our sites and monitor activity in the vicinity for security reasons.
How long do we keep personal data?
We keep personal data only for as long as is necessary for the purpose for which it is processed. This depends on the circumstances and the legal basis on which it is collected. The length of time we can keep operational data is strictly regulated through RIPA 2000 and the IP Act 2016, as well as our approved handling arrangements.
Sharing personal data
In our work as an intelligence service, we may share personal data, including transferring data outside the UK, where it is necessary and proportionate for us to do so in the fulfilment of our duties.
As data controllers we use third parties to provide services for us: they are known as data processors. They can process personal data for us only as we have instructed them to do. They must hold it in accordance with DPA 2018 requirements, retaining it securely and for the period we instruct. We ensure we only use data processors who comply with the data protection legislation. In some cases, where we share responsibility for processing with other Intelligence Services, we are “joint data controllers”. In these cases, there are agreed arrangements in place that detail our respective responsibilities, including dealing with requests from data subjects.
We never share an individual’s information with any third parties for the purpose of direct marketing.
The individual’s data protection rights
Under the Data Protection Act, individuals have certain rights over their personal data. These rights are described in DPA 2018 Part 4. Some of these rights will be subject to exemptions under the DPA 2018 Part 4, which means an individual might not receive all the information or other results they might request from us.
An individual has:
- The right of access (also known as a Subject Access Request). An individual has the right to ask us to see copies of their personal information. We can make a £10 charge for each request.
- Automated decision making. An individual has the right to object to any decisions which have affected them significantly, if they consider these decisions have been made without any meaningful human input.
- The right to object to processing. An individual has the right to ask us to restrict the processing of their personal data in certain circumstances.
- The right to rectification and erasure. An individual has the right to ask us to rectify or delete information about them which they think is inaccurate.
In order to exercise the rights listed above (but subject to the exemption for safeguarding national security) please contact us at the address below. If an individual feels we haven’t handled their personal data appropriately or wishes to lodge a complaint, they can contact us directly or contact the Information Commissioner’s Office at the addresses provided below.
If you wish to contact us about any aspect of data protection, please write to:
Mail Drop 13
The Information Commissioner’s Office (ICO) is the independent UK regulator of compliance with the data protection legislation. Their address is:
The Office of the Information Commissioner
Telephone: 0303 123 1113
Online contact form