Privacy Policy

MI5's Privacy Policy

This Privacy Notice sets out how the Security Service (MI5) processes personal data and the rights individuals have under the data protection legislation within which we operate.

MI5 is subject to the Data Protection Act 2018 (DPA 2018) Part 4 (Intelligence Services Regime) rather than the EU General Data Protection Regulation (GDPR). Therefore, the information we provide in this notice and the rights available to you will, in certain aspects, differ from the information and rights available to you in respect of organisations that are subject to the GDPR.

Legal basis for processing personal data

MI5, along with SIS and GCHQ, is one of the UK Intelligence Services. The way in which we operate and process personal data is governed by a series of legislative measures (our statutory framework): namely the Security Service Act 1989 (SSA 1989), Intelligence Services Act 1994 (ISA 1994), Regulation of Investigatory Powers Act 2000 (RIPA 2000), Investigatory Powers Act 2016 (IPA 2016), Human Rights Act 1998 (HRA 1998) and the DPA 2018.

As an Intelligence service, we handle highly classified material for National Security purposes. This means we cannot be fully transparent about the information we hold or the way in which we process it. These constraints are recognised by Part 4 of the DPA 2018, which exempts us from certain parts of the Act where this is required to safeguard national security.

What personal data do we process and why?

Apart from our operational data, we process data to run our organisation. This might be in the course of our purchasing, personnel/human resources and recruitment activities, developing policies or services, or the normal administration of a government department.

Personal data may be received by us in a number of instances. For example:

Individuals may apply for or take up a job with us;
Individuals may contact MI5 directly;
Individuals may be representing their organisation;
Individuals may visit our premises;
We may enter into a contract e.g. for goods or services rendered;
Individuals may have given us consent to process their data.

We also collect personal data when individuals visit our website www.mi5.gov.uk. This includes:

The IP address from which our website was accessed and details of which web browser and operating system were used
The date and time of the visit
Clickstream data, which is information on how our website is used, using cookies and page tagging techniques
The web address of the website from which you navigated to MI5.gov.uk
Details of any outgoing link on MI5.gov.uk that was used to navigate away from our website.

This data helps us improve our website by monitoring how it was used.

We have CCTV coverage of our sites and may monitor activity in the vicinity for security reasons.

How long do we keep personal data?

We keep personal data only for as long as is necessary for the purpose for which it is being processed and in accordance with the strict requirements imposed by SSA 1989, ISA 1994, RIPA 2000, IPA 2016 and the Public Records Act 1958.

Sharing personal data

As an intelligence service, we may share personal data with others, including transferring it outside the UK, but only where this is necessary and proportionate and within the remit of our statutory functions.

As data controllers, we use third parties who provide various services to us to process personal data on our behalf. Such data processors are only permitted to process personal data in accordance with our instructions. They are required to hold it securely and retain it only for the period we specify. It is our responsibility to only use data processors who will handle data on our behalf in accordance with the requirements of Part 4 of the DPA 2018.

We sometimes share responsibility for processing data with the other Intelligence Services. In such cases, as "joint data controllers" we will ensure that there are written arrangements in place that detail our respective responsibilities, including designating the Intelligence Service which is to be a point of contact.

We will never share personal information with third parties for direct marketing purposes.

Your data protection rights

Under data protection law, individuals have certain rights over their personal data. These rights are outlined in DPA 2018. Some of these rights will be subject to the exemptions which can be applied where required to safeguard national security. This means that some of the rights outlined below will not apply where it is necessary to safeguard National Security.

The right of access (also known as a subject access request). Individuals have the right to ask for copies of their personal data. We make a £10 charge for each request.

Automated decision making. Individuals have the right to object to any decisions which have affected them significantly, if they consider these decisions to have been made without any meaningful human input.

The right to object to processing. Individuals have the right to ask us to restrict the processing of their personal data in certain circumstances.

The right to rectification and erasure. Individuals have the right to ask us to rectify or delete personal information that they think is inaccurate.

If an individual feels we haven't handled their data appropriately or wishes to lodge a complaint, we can be contacted directly or the Information Commissioner's Office can be contacted at the addresses provided below.