Privacy Notice

MI5's Privacy Notice

This Privacy Notice sets out how the Security Service (MI5) processes personal data and the rights individuals have under the data protection legislation within which we operate. 

MI5 is subject to the Data Protection Act 2018 (DPA 2018) Part 4 (Intelligence Services Regime) rather than the UK General Data Protection Regulation (GDPR) - which applies to general data processing by other controllers, except those who are subject to Part 3 DPA (law enforcement processing). Therefore, the information we provide in this notice and the rights available to you will, in certain aspects, differ from the information and rights available to you in respect of organisations that are subject to the UK GDPR. 

Legal basis for processing personal data 

MI5, along with SIS and GCHQ, is one of the UK Intelligence Services. The way in which we operate and process personal data is governed by a series of legislative measures (our statutory framework): namely the Security Service Act 1989 (SSA 1989), Intelligence Services Act 1994 (ISA 1994), Regulation of Investigatory Powers Act 2000 (RIPA 2000), Investigatory Powers Act 2016 (IPA 2016), Human Rights Act 1998 (HRA 1998) and the DPA 2018. 

As an intelligence service, we handle highly classified material for national security purposes. This means we cannot be fully transparent about the information we hold or the way in which we process it. These constraints are recognised by Part 4 of the DPA 2018, which exempts us from certain parts of the Act where this is required to safeguard national security. 

What personal data do we process and why? 

Apart from our operational data, we process data to run our organisation. This might be in the course of our purchasing, personnel/human resources and recruitment activities, developing policies or services, or the normal administration of a public body or government department.

Personal data for such purposes may be received by us in a number of ways. For example, through individuals who: 

  • apply for or take up a job with us; 
  • contact MI5 directly, including through correspondence; 
  • may be representing other organisations; 
  • visit our premises; 
  • enter into contracts e.g. for goods or services; 

We also collect personal data when individuals visit our website This includes: 

  • the IP address from which our website was accessed and details of which web browser and operating system were used 
  • the date and time of the visit 
  • clickstream data, which is information on how our website is used, using cookies and page tagging techniques 
  • the web address of the website from which you navigated to 
  • details of any outgoing link on that was used to navigate away from our website.

This data helps us improve our website by monitoring how it was used. 

We have CCTV coverage of our sites and may monitor activity in the vicinity for security reasons. 

How long do we keep personal data? 

We keep personal data only for as long as is necessary for the purpose for which it is being processed and in accordance with requirements imposed by SSA 1989, ISA 1994, RIPA 2000, IPA 2016, DPA 2018 and the Public Records Act 1958. 

Sharing personal data 

As an intelligence service, we may share personal data with others, including transferring it outside the UK, but only where this is necessary and proportionate and pursuant to the discharge of our statutory functions. 

As data controllers, we use third parties who provide various services to us to process personal data on our behalf. Such data processors are only permitted to process personal data in accordance with our instructions. They are required to process it securely and retain it only for the period we specify. It is our responsibility to only use data processors who will handle data on our behalf in accordance with the requirements of Part 4 of the DPA 2018. 

We sometimes share responsibility for processing data with the other Intelligence Services. In such cases, as "joint data controllers" we will ensure that there are written arrangements in place that detail our respective responsibilities, including designating the Intelligence Service which is to be a point of contact. 

We will never share personal information with third parties for direct marketing purposes. 

Your data protection rights 

Under data protection law, individuals have certain rights over their personal data. These rights are outlined in DPA 2018. Some of these rights will be subject to the exemptions which can be applied where required to safeguard national security. This means that some of the rights outlined below will not apply where it is necessary to safeguard National Security. 

The right of access (also known as a subject access request). Individuals have the right to ask for copies of their personal data. We make a £10 charge for each request. 

Automated decision making. Individuals have the right to object to any decisions which have affected them significantly, if they consider these decisions to have been made without any meaningful human input. 

The right to object to processing. Individuals have the right to ask us to restrict the processing of their personal data in certain circumstances. 

The right to rectification and erasure. Individuals have the right to ask us to rectify or delete personal information that they think is inaccurate. 

If an individual feels we haven't handled their data appropriately or wishes to lodge a complaint, we can be contacted directly or the Information Commissioner's Office can be contacted at the addresses provided below. 

Contact details 

To contact MI5 about any aspect of our data protection policy, please write to: 

Data Protection Officer  
The Enquiries Desk  
PO Box 3255  
London SW1P 1AE 

To contact the Information Commissioner's office, please write to: 

The Office of the Information Commissioner  
Wycliffe House  
Water Lane  
Cheshire SK9 5AF  
Telephone: 0303 123 1113 

Online contact forms: