Our legal basis for processing personal data
GCHQ, along with MI5 and SIS, is one of the UK Intelligence Services. Our role is set by the Intelligence Services Act 1994 (ISA 1994). All our processing of personal data is subject to rigorous legal controls. These include: the Data Protection Act 2018 (DPA 2018); ISA 1994; Regulation of Investigatory Powers Act 2000 (RIPA 2000); and the Investigatory Powers Act 2016 (IPA 2016). Under this legislation, we process personal data both for our operational work, appropriately authorised where necessary, and in support of our corporate functions.
We rely on the DPA 2018, Part 4: Intelligence Services Processing to determine how we process personal data. This includes GCHQ’s ability to apply the National Security Exemption as specified in section 110 of the DPA 2018, for the purpose of safeguarding national security. These exemptions are further supported by the National Security Certificate, issued under section 111 of the DPA 2018 by the Foreign Secretary, which provides conclusive evidence that certain exemptions are required.
All GCHQ’s processing of personal data must meet a legitimate condition, specified for us in Schedules 9 and 10 of the DPA 2018. There are no exceptions to this.
Why do we process personal data?
We process personal data in our operational work as one of the three UK Intelligence Services. We also process, in support of corporate functions (eg HR, Finance, Procurement), personal data provided to us by individuals with whom we interact directly, for example:
We also collect personal data when individuals visit our website, www.gchq-careers.co.uk. This includes:
We have CCTV coverage of our sites and monitor activity in the vicinity for security reasons.
How long do we keep personal data?
We keep personal data only for as long as is necessary for the purpose for which it is processed. This depends on the circumstances and the legal basis on which it is collected. The length of time we can keep operational data is strictly regulated through RIPA 2000 and the IP Act 2016, as well as our approved handling arrangements.
Sharing personal data
In our work as an intelligence service, we may share personal data, including transferring data outside the UK, where it is necessary and proportionate for us to do so in the fulfilment of our duties.
As data controllers we use third parties to provide services for us: they are known as data processors. They can process personal data for us only as we have instructed them to do. They must hold it in accordance with DPA 2018 requirements, retaining it securely and for the period we instruct. We ensure we only use data processors who comply with the data protection legislation. In some cases, where we share responsibility for processing with other Intelligence Services, we are “joint data controllers”. In these cases, there are agreed arrangements in place that detail our respective responsibilities, including dealing with requests from data subjects.
We never share an individual’s information with any third parties for the purpose of direct marketing.
The individual’s data protection rights
Under the Data Protection Act, individuals have certain rights over their personal data. These rights are described in DPA 2018 Part 4. Some of these rights will be subject to exemptions under the DPA 2018 Part 4, which means an individual might not receive all the information or other results they might request from us.
An individual has:
In order to exercise the rights listed above (but subject to the exemption for safeguarding national security) please contact us at the address below. If an individual feels we haven’t handled their personal data appropriately or wishes to lodge a complaint, they can contact us directly or contact the Information Commissioner’s Office at the addresses provided below.
If you wish to contact us about any aspect of data protection, please write to:
Mail Drop 13
The Information Commissioner’s Office (ICO) is the independent UK regulator of compliance with the data protection legislation. Their address is:
The Office of the Information Commissioner
Telephone: 0303 123 1113
Online contact form