INTHEPOTENTIALMATTEROF

ACLAIMBY:

BOLESLAWTADEUSZSZOCIK
PotentialClaimant

and

THESECURITYSERVICE
PotentialDefendant

OPINION

INTRODUCTIONandSUMMARYofOPINION

1.

2.

3.

4.

We have been instructed to advise Mr Szocik in respect of a potential claim

arising under the Data Protection Act 1998. In essence, Mr Szocik seeks to
challenge the Security Services reliance on the s28 certificate, the effect of
whichistoexempttheServicefromcomplyingwithhissubjectaccessrequest
onthegroundsofnationalsecurity.
WehaveconsideredtheDataProtectionAct1998insomedetail,andweareof
the opinion that there is a respectable argument that it does not provide any
effective mechanism for challenging the Security Services decision. We have
also had regard to other avenues of challenge, such as an application for
judicialreviewandproceedingsundertheRegulationofInvestigatoryPowers
Act 2000. In our view, neither of these mechanisms provides an effective
remedy.
Inshort,weconsiderthatMrSzocikhasarespectableargumentthatthefailure
to provide such a mechanism in the Data Protection Act 1998 violates his
human rights under articles 6 (1), 8 and 13 of the European Convention of
HumanRights.Hedoesnothaveafull,fairoreffectiveremedy.
Such a complaint can be brought either by virtue of a freestanding human
rightsclaimtotheHighCourtunders7(1)(a)oftheHumanRightsAct1998,
and/or by way of a petition to the European Court of Human Rights in
Strasbourg.However,inrespectofbothoptions,thetimelimithasexpiredand

weverymuchdoubtthateitherCourtwillextendthetimelimit.Assuch,we
considerthatthemostappropriateactionisforafreshsubjectaccessrequestto
bemadetotheSecurityServiceand,oncearesponseisreceived,atthatstage,
theappropriatecourtapplicationcanbeissued.

5.

Finally, in view of the gravity of any such challenge, and the alternative
approaches,weconsiderthatitwouldbebeneficialifaconferenceweretobe
arrangedforallpartiestodiscussthemostappropriatewayforward.

Factualbackground
6.
Itisapparentfromthematerialprovidedthatthereisalengthyhistorytothis
case. We are grateful to Mr Szocik for providing a written explanation of the
background to this matter and the series of events giving rise to this current
complaint.Weemphasisethatalthoughnospecificreferencehasbeenmadeto
thecontentsofthatnotewithinthisadvice,wehavehadseriousregardtoit.In
particular we have noted Mr Szociks contention that he has been under
continuousaggressivesurveillancebytheSecurityServicefromJune1990.

7.
For the sake of brevity, and bearing in mind that both Mr Szocik and those
instructingusaremorethanfamiliarwiththismatter,wehavesetoutonlythe
mostsalientfactsinthischronology.

8.
On 28 February 1997, Mr Szocik made a complaint to the Security Service
Tribunal(SST).1TheSSTacknowledgedthecomplainton13March1997.2

9.
Byaletterdated2June1997,theSSTrepliedinthefollowingterms:
I write in connection with your complaint dated 28 February which I
acknowledgedon13March1997.
TheSecurityServiceTribunalhavenowinvestigatedyourcomplaintand
have asked me to inform you that no determination in your favour has
beenmadeonyourcomplaint.

10.

11.

On 10 December 2001 Mr Szocik wrote to the Data Controller at the Security

Service,makingaformalsubjectaccessrequestundersection7(1)oftheData
ProtectionAct1998(theDPA).Therequestprovidedallthenecessarydetail
inordertoconstituteaproperrequestundersection7.
We are told that the Security Service subsequently sent Mr Szoick a specific
formtocomplete.3Inanyevent,MrSzocikcompletedtheformon26January

Wedonothaveacopyofthecomplaint.Itwouldbeusefultohaveacopy.
Wedonothaveacopyoftheletterortheacknowledgment
3Wedonothaveacopyoftheletter.Itwouldbeusefultohaveacopy.
1
2

2002whichhedidinoraroundlateJanuary2002.4Itisnotcleartouswhythe
Security Service required this: as we have already said, the 10 October 2001
requestfulfilledalltherequirementsoftheDPA.

12.

13.

14.

On20thMarch2002theSecurityServicereplied,stating:
1.Thankyouforyourapplicationformdated26January2002requesting
copies of records held about you by the Security Service. I also
acknowledgereceiptofsubsequentcorrespondenceof4and14March,to
whichIrespondinthisletter.
2. Under the Data Protection Act 1998, the Security Service has notified
the Information Commissioner that it processes personal data for three
purposes. These are: staff administration, building security CCTV and
commercial agreements. The Security Service has checked its records,
and, subject to any further information that you might supply, holds no
dataaboutyouinanyofthesecategories.
3. Any other personal data held by the Security Service is exempt from
the notification and subject access provisions of the Data Protection Act
1998 to the extent that such exemption is required for the purposes of
safeguardingnationalsecurity,asprovidedforinSection28(1)oftheAct.
IthasbeendeterminedthattheSecurityServiceholdsnopersonaldatato
which you are entitled to have access, except that which is enclosed at
Appendix1withthisletter.Thisresponseshouldnotbetakentoimply
thattheSecurityServicedoesordoesnotholdanyfurtherdataaboutyou.
4. Toassistyouinunderstandingthenatureoftheexemptionclaimed,I
haveenclosedwiththisletteracopyofthesection28certificate.

The letter went on to describe a right of appeal under section 28. It did not
mention the separate right of challenge under section 7(9), still less the inter
relationshipbetweenitandsection28.
In short, in response to Mr Szociks request, the Security Service supplied a
copyofsomecorrespondencepassingbetweenitandMrSzocik,andbetween
themandtheSST.Most,ifnotallofthatmaterialMrSzocikalreadyhadand
the Security Service would have known that Mr Szocik already had it. The
copy correspondence was appended to the letter as appendix 1. Save for
thesedata,theSecurityServicespositionwasthatitwouldneitherconfirmnor
deny whether it processed other personal data relating to Mr Szocik (the
NCNDresponse.)
Wehavebeenprovidedwiththesection28certificate,referenceDPA/s28/TSS/2
and dated 10 December 2001, that was enclosed with the letter of 20th March
2002. The date of the certificate is the same as Mr Szociks original DPA
request.

Wedonothaveacopyofthatform.Again,weshouldbesuppliedwithacopy.

15.

Bywayofaletterdated7May2002MrSzocikappealedagainstthisdecisionto
theInformationTribunal[IT].Theletterstated:

FollowingaSubjectAccessRequesttoMI5undertheDataProtectionAct
1998,IwishtomakeanappealtotheInformationTribunal,inthegrounds
thatthedatasoughtdoesnotfallwithinthescopeoftheCertificatesigned
bytheHomeSecretaryon10December2001.

16.

The appeal did not specify the section under which it was being made.
However, the IT has no jurisdiction to hear an appeal under s. 7(9). That
jurisdictionisvestedintheCountyCourtsandintheHighCourt:s.15(1).The
lastsentenceofthelettersuggeststhatitwasintendedtobeanappealunders.
28(6), and not an appeal under s. 28(4). It would seem (see IT letter dated 10
May2002)thattheITtreatedthisasanappealunders.28(4).5

On9May2002,MrSzocikalsowrotetotheInformationCommissioner(IC):

Thankyouforyourletterof18April.6Iencloseacompletedrequestfor
assessmentundersection42oftheDataProtectionAct1998regardingmy
subjectaccessapplicationtotheSecurityService

Section42isafreestandingprocedurebywhichtheICcaninvestigatewhether
adatacontrollerisprocessingincompliancewiththeDPA.

17.

18.

19.

Byaletterdated16May2002,MrSzocikmadeaseparatesubjectaccessrequest
to the data controller of the Investigatory Powers Tribunal. As we are not
askedtoadviseontheresponsetothisrequest,itisnotconsideredfurtherin
thisOpinion.
On 21 June 2002, the Secretary of State for the Home Department filed a
RespondentsNoticesettingoutinsomedetailwhyitwouldbeopposingthe
appealtotheIT.ThebasicthrustoftheRespondentsNoticewastoexplainthe
basis for the Certificate. In other words, the Respondents Notice treated Mr
Szociksappealasoneunders.28(4).
On19July2002,theICrespondedtoMrSzociksrequestofthe9May2002for
asection42assessment.Effectively,theICstatedthatitdidnotintendtotake
anyfurtheractioninthecase.OtherthanadelayinrespondingtotheSAR,the
ICdidnotidentifyanyothercauseforcomplaint.

Wedonothaveacopyof10May2003letter,butitisreferredtointheITletterof18June2003.
Wedonothaveacopyofthisletter.Wewouldlikeacopy.

5
6

20.

21.

22.

23.

Byletterdated13March2003,theTreasurySolicitor,representingtheSecretary
of State for the Home Department, wrote to the Information Tribunal,
expressingitsviewthatMrSzociksappealtotheTribunalcouldonlyproceed
asasection28(4)appealandnotasection28(6)appeal.Thiswasbecausethere
werenoexistingproceedingsasrequiredbysection28(6).Weinterposehere,
thatitwasaperfectlycorrectpointfortheTreasurySolicitortotake.
AsaresultofthepointraisedbytheTreasurySolicitor,apreliminaryhearing
wasconvenedonthe12June2003toconsiderthispoint.Byadecisiondated
20 November 2003 (but signed by the President on 25 February 2004) it was
orderedthat,byconsent,thesection28(4)and28(6)DPAappealbedismissed
butthat,shouldMrSzocikreappealundersection28(6)DPA,theRespondents
(theHomeOffice)wouldnottakeapointthattheappealhadpreviouslybeen
dismissed. Again interposing here, since on any analysis there had been no
appealunders.28(6),strictlyspeakingtherewasanappealunders.28(6)tobe
dismissed.
TheorderoftheTribunaldated20November2003states:

Uponitbeingrecordedthatintheeventthat
(1) Mr.SzocikappliestotheCourtundersection7(9)oftheAct,andthe
RespondentsoranyofthemareDefendantsinsuchproceedings,and
(2) hethereafterappealstotheTribunalundersection28(6)oftheActin
relation to the Certificate issued by the Secretary of State for the Home
Departmentdated10December2001,
theRespondentsassuchDefendantswillnotseektoresist
(a)
anysuchsection28(6)appeal,or
(b)
anyapplicationunderRule13(3)oftheRulesforleavetobring
such section 28(6) appeal, on the ground that this present section 28(6)
appealwasbroughtandwasdismissedbyconsent.

Mr Szocik now wishes to issue proceedings against the Security Service in

respectoftheirresponsetohisSARon20March2000.Itisonthisissuealone
thatweareaskedtoadvise.

TheComplaint
24. The data protection legislation is a complex regime. Whilst any analysis
pursuanttothatlegislationwillofnecessitybehighlytechnical,itisimportant
nottolosesightofthesubstanceoftheactualcomplaint.Hencebeforeturning
tothedetailedlegalanalysisoftheregime,itishelpfultoclarifyattheoutset
theessenceofMrSzoickscomplaint.

25.

26.

27.

28.

29.

30.

Section7(1)oftheDPAconfersfourseparaterightsuponanindividualagainst
adatacontrollerwherethatindividualisthedatasubjectofpersonaldatathat
arebeingprocessedbythatdatacontroller.
The first right may be termed as the existence right. It is conferred by s.
7(1)(a),whichstatesthatanindividualisentitled:
(a)tobeinformedbyanydatacontrollerwhetherpersonaldataofwhich
thatindividualisthedatasubjectarebeingprocessedbyoronbehalfof
thatdatacontroller

If the data controller is processing such personal data, the data subject has a
further entitlement to have that information described and communicated to
himinanintelligibleform7.Itisthislastrightwhich,formostdatasubjects,is
themostimportant.Weshalltermthistheaccessright.
Onthefactsofthiscase,theresponsetotheSARansweredboththeexistence
rightandtheaccessright:
(i)
TheSecurityServiceconfirmedthattheyheldaletterdated24th
April 1997 but were not willing to disclose this data i.e. whilst
theycompliedwiths.7(1)(a),therightpursuanttos.7(1)(c)was
denied;
(ii)
Other then that one letter, the Security Service would neither
confirm nor deny whether any other personal data is held by
them. In other words, the Security Service effectively claimed
exemption from the existence dutyin s. 7(1)(a), on the grounds
ofnationalsecuritysupportedbyas.28(2)certificate.Itisthis
latterresponsewhichMrSzoickseekstochallenge.
BeforeturningtothesubstantivemeritsofachallengetotheSecurityServices
response,itisimportanttoidentifythevariousroutesbywhichsuchadecision
canbechallenged.Thereareinfact6possibleavenuesofchallenge:
(i)
S.7(9)DPA
(ii)
s.28(4)DPA
(iii)
s.28(6)DPA
(iv)
s.42DPA
(v)
aclaimundertheRegulationofInvestigatoryPowersAct2000;
and
(vi)
anapplicationforjudicialreview.
Forreasonswhicharesetoutbelow,wehavereachedtheconclusionthatnone
oftheaboveavenuesprovideasuitablemeansofbringingthecomplaint.

Section7(1)(b)(c).

(i)Section7(9)DPA
31. Section7(9)providesarightofappealinthefollowingterms:

32.

33.

34.

35.

If a court is satisfied on the application of any person who has made a

request under the foregoing provisions of this section that the data
controller in question has failed to comply with the request in
contravention of those provisions, the court may order him to comply
withtherequest.

As noted above, the County Courts and the High Court have jurisdiction to
hearsuchanappeal.

Inevitably,theSecurityServiceonbeingpresentedwithanapplicationunders
7. (9) will simply rely on the national security certificate as exempting them
fromcomplyingwiths.7(1)(a).
Section28(2)provides:
Subjecttosubsection(4),acertificatesignedbyaMinisteroftheCrown
certifying that exemption from all or any of the provisions mentioned in
subsection (1) is or at any time was required for the purpose there
mentioned[i.e.safeguardingnationalsecurity]inrespectofanypersonal
datawillbeconclusiveevidenceofthatfact.

In short, under a s. 7(9) appeal, the national security certificate will be

conclusiveevidencethatexemptionfromthesubjectaccessrightsisrequired
forthepurposeofsafeguardingnationalsecurity.Theconclusivenessofthe
certificateinfactextendsfurther.Section28(6)provides:
(1)WhereinanyproceedingsunderorbyvirtueofthisActitisclaimed
byadatacontrollerthatacertificateundersubsection(2)whichidentifies
personaldatawhichitappliesbymeansofageneraldescriptionappliesto
anypersonaldata,anyotherpartytotheproceedingsmayappealtothe
Tribunalonthegroundthatthecertificatedoesnotapplytothepersonal
data in question and, subject to any determination under subsection (7),
thecertificateshallbeconclusivelypresumedsotoapply.
(2)Onanyappealundersubsection(6),theTribunalmaydeterminethat
thecertificatedoesnotsoapply.

Thus, in the absence of a separate appeal under s. 28(6), the mere claim by a
data controller that a certificate applies to the personal data sought will be
conclusiveofthatfactinthes.7(9)appeal.
The Security Service made just such a claim here. The certificate will thus
effectively provide a complete statutory defence to any application under s.
7(9).Onthefactsofthiscase,as.7(9)applicationisdoomedtofail.TheCourt,
indismissingMrSzociksclaim,willnotinanywaylookatthesubstanceofhis
claim, whether on a merits basis or by considering the lawfulness of the
SecurityServicesinvocationofthecertificate.

36.

Section 7(9) does not therefore provide an effective remedy for Mr Szocik to
challengethemannerinwhichthedatacontrollerusesasection28certificate.8

(ii)Section28(4)
37. Sofarasrelevant,s.28,entitledNationalSecurity,reads:
(1) Personaldataareexemptfromanyoftheprovisionsof

(a)
thedataprotectionprinciples,

(b)
PartsII,IIIandV,and

(c)
sections54Aand55
iftheexemptionfromthatprovisionisrequiredforthepurposeof
safeguardingnationalsecurity.
(2) Subject to subsection (4), a certificate signed by a Minister of the
Crown certifying that exemption from all or any of the provisions
mentioned in subsection (1) is or at any time was required for the
purpose there mentioned in respect of any personal data shall be
conclusiveevidenceofthatfact.
(3) Acertificateundersubsection(2)mayidentifythepersonaldatato
which it applies by means of a general description and may be
expressedtohaveprospectiveeffect.

38.

Hence s. 28(3) permits a certificate to be both general and prospective. The

certificateinthiscaseisbothgeneralandprospective.

39.

Section28(4)continues:
(4) Any person directly affected by the issuing of a certificate under
subsection(2)mayappealtotheTribunalagainstthecertificate.
(5) If on an appeal under subsection (4), the Tribunal finds that,
applying the principles applied by the court on an application for
judicial review, the Minister did not have reasonable grounds for
issuingthecertificate,theTribunalmayallowtheappealandquash
thecertificate.

40.

Thisisthefirstappealrightunders.28.Itissolelyconcernedwiththedecision
of the Minister to issue the certificate: in other words, it is solely concerned
with the assertion that exemption from s. 7 etc is required for the purpose of
safeguarding national security. The Minister only has to demonstrate that he
had reasonable grounds for issuing the certificate. The appeal is effectively a
judicial review. All the Court can do is consider whether the reasons put
forward by the Minister for issuing the certificate are reasonable. An appeal
will only succeed if it can be shown that the decision of the Minister is so
unreasonable that no reasonable Minister in his position would have issued a
certificate. Particularly in matters of national security, the Courts have

WeappreciatethatMrSzoickhasindicatedhisconcernthattheSecurityServicemayattempttorely
on the serious crime exemption, in addition to the national security exemption. This does not affect
what we see as being the key issue in this case, namely that there is no effective means by which Mr
SzoickcancomplainabouttheSecurityServicesconduct,
8

traditionallyaffordedtheExecutiveawidemarginofdiscretion.9Inshort,the
thresholdtosucceedonas.28(4)appealishigh,andonewouldexpectthat,in
reality,fewappealswillsucceed.

41.

42.

We can see no realistic basis upon which an appeal under s. 28(4) would
succeedhere.Quiteapartfromauthority(seebelow),theTribunalwouldhave
nodifficultyinconcludingthattheSecurityServicesrequiredexemptionfrom
s.7forthepurposeofsafeguardingnationalsecurity.
However,s.28(4)isonlyconcernedwiththeissueofthecertificate,asopposed
to the manner in which a data controller uses the certificate.10 Section 28(4)
does not enable an individual to directly challenge the data controllers
decisionastotheusemadeofacertificate.Thiswastheconclusionreachedby
theTribunalinBakervSecretaryofStatefortheHomeDepartment:11
36. The decision to use it [the certificate] was its own and was
entirelyseparatefromtheissueoftheCertificatebytheRespondent
for use in this and other cases where the Service wishes to give a
noncommittalanswer.
37. Thisleadstothequestionwhetherwehavethepowertojudicially
reviewtheSecurityServicesdecisiontorelyuponthecertificatein
thiscase.Weareclearthatwedonot.

43.

Hence, s. 28(4) does not provide an adequate remedy to challenge the data
controllersuseofthecertificate.

(iii)Section28(6)
44. Section28(6)provides:
(6) Where in any proceedings under or by virtue of this Act it is
claimed by a data controller that a certificate under subsection (2)
which identifies personal data which it applies by means of a
generaldescriptionappliestoanypersonaldata,anyotherpartyto
theproceedingsmayappealtotheTribunalonthegroundthatthe
certificate does not apply to the personal data in question and,
subject to any determination under subsection (7), the certificate
shallbeconclusivelypresumedsotoapply.
(7) On any appeal under subsection (6), the Tribunal may determine
thatthecertificatedoesnotsoapply.

In Baker v Secretary of State for the Home Department [2001] UKHRR 1275 , this point was explicitly
referred to by the Tribunal, which stated that where the context is national security judges and
tribunalsshouldsupervisewiththelightesttouchappropriate.(Paragraph76.)
10 As an aside, we mention that the order dated the 20 November 2003 states quite clearly that the
Appellantconfirmedthathedoesnotseektoproceedwithanappealunders.28(4)Henceproblems
ofabuseofprocessmayariseifs.28(4)proceedingswerebroughtagain.
11[2001]UKHRR1275
9

45.

46.

47.

An appeal under s. 28(6) is against the data controller. The appeal is not
againstthecertificateassuchoragainstanythingstatedinthecertificate.Itis
an appeal against the data controllers claim that the certificate applies to the
personaldatainquestion.Inotherwords,itisachallengetoadatacontrollers
relianceonacertificate.AlthoughitistheMinisterwhoissuesthecertificate,it
istheclaimofthedatacontroller(here,theSecurityServices)thatisthesubject
of the s. 28(6) appeal. The task for the Tribunal in this case is to consider
whether the generally worded certificate applies to the personal data in
question.
In making this determination, the Tribunal will have to consider both the
certificateandthepersonaldatainquestion,andsaywhethertheformercovers
the latter. That task can only be carried out where the data controller has
identified the personal data in question. The Tribunal may choose not to
sharewithanappellantthepersonaldatainquestionwhencarryingoutthis
task.12However,wefailtoseehowtheTribunalcanperformthistaskwhere
the data controller has claimed exemption from the existence right i.e. s.
7(1)(a). In other words, s. 28(6) is aimed at a situation where the data
controller claims exemption from s. 7(1)(c), it does not apply where the data
controller claims exemption from s. 7(1)(a). Thus, s. 28(6) only applies where
the data controller has positively confirmed that personal data exists, but is
unwilling to disclose that data to the individual. It cannot apply where the
datacontrollerhasgivenaNCNDresponse.
Thatthisisthecorrectinterpretationofs.28(6)isconfirmedbytheauthorities.
InBaker,theTribunalconsidereds.28(6)andstated:
102. WeaddforcompletenessthathehaveconsideredwhetherSection
28(6) of the Act could be regarded as an alternative remedy. This
provisiononitsfacecontemplates:

(vii) a claim by data controller that it applies to any personal

data. This must mean particular data; see the subsequent
phrasethepersonaldatainquestion;
(viii)
(ix) arulingbytheTribunalthatthecertificateeitherdoesordoes
notapplytothePDinquestion

48.

TheTribunalcontinued:

Criterion (iii) is not satisfied because it is in issue whether relevant

personaldataexist.Section7(1)(a)invitesdisclosureofwhetherpersonal
dataareheldornot;s.7(1)(b)(c)arebycontrastpremisedontheexistence
of such data held by a data controller. Criterion (v) is equally not
satisfied. The exercise contemplates the Tribunal looking at (a) the

InformationTribunal(NationalSecurityAppeals)Rules2005(SI2005/13),r.24(3)

12

10

certificate (b) the personal data in question (which ex hypothesi the

Tribunalmustidentify)andsayingthat(a)does/doesnotcover(b)).This
exercisecannotbeperformedwhenTribunaldonothave(b).

49.

ThisviewwasalsoadoptedbytheTribunalinHitchensvSSHD13:
44. Itsjurisdictionundersection28(6)isnotrelevantwhereaNCND
replyisgiventoarequestundersection7(1)(a)oftheAct,because
bydefinitionnopersonaldataareidentified

50.

Hence,whilsts.28(6)canbeusedtochallengetheSecurityServicesrefusalto
supplyMrSzocikwithacopyoftheletterdatedthe24thApril199714,itisnot
effective to challenge the Security Services reliance on the national security
certificatetoexemptitfromcomplyingwiths.7(1)(a).

51. Inshort,s.28(6)doesnotprovideaneffectiveremedyeither.

(iv)Section42DPA
52. PartVoftheDPA,entitledenforcementmakesprovisionforthepowersofthe
InformationCommissioner.Unders.42(1),anapplicantmaymakearequestto
the Information Commissioner for an assessment whether the processing of
personaldataisbeingcarriedoutincompliancewiththeAct.TheInformation
Commissionerhasanumberofpowerswhichcanbeusedtocheckwhethera
data controller has complied with the Act, for example an information notice
may be served under s43 requiring the data controller to furnish any
informationtotheInformationCommissioner.

53. Inthecontextofthenationalsecurityexemption,section28(11)states:

54.

No power conferred by any provision of Part V may be exercised in

relationtopersonaldatawhichbyvirtueofthissectionareexemptfrom
thatprovision.

In effect, where a national security certificate is in place, the Information

Commissioner cannot exercise his powers under Part V. The Information

[2003]UKITNSA5(4August2003)
For the sake of completeness, if Mr Szoick does wish to bring an appeal under s28 (6) in order to
challengetherefusaltodisclosetheletterofthe25thApril1997,theremaybeapotentialproblemwith
timelimits.TheInformationTribunal(NationalSecurityAppeals)Rules2005SI2005/13makeprovisionfor
theproceduretobefollowedwhenbringinganappealundersection28oftheDPA.Rule6(1)provides
thatanoticeofappealmust beservedontheTribunalwithin28daysofthedateonwhichtheclaim
constituting the disputed certification was made. Rule 6 (3) provides that a notice of appeal may be
permittedafterthisdateiftheTribunalisoftheopinionthatbyreasonofspecialcircumstances,itis
justandrighttodoso.Giventhatthepartiesagreedtowithdrawtheoriginalproceedingsbyconsent
inordertoenableMrSzoicktobringanappealunders28(6),clearlysomedelaywasinevitable.Itis
doubtfulhoweverthatthepartiesatthetimeenvisagedadelayofsome3years.Inanyevent,forthe
reasonssetoutintheremainderoftheadvice,wedonotconsiderthatsuchanapplicationisnecessary,
asthereisafarbettermethodofchallengingtheSecurityServicesconduct.
13
14

11

Commissioners only recourse in such a situation is to bring an appeal under

section 28 (4). This was confirmed in R (SSHD) v (1) Information Tribunal (2)
InformationCommissioner.15TheHighCourtstated:

41. If the [data controller] continues to take the view that it [i.e.
disclosure to the Commissioner] would or might, compromise
national security then it would be appropriate for him to issue a
further section 28 certificate. The Commissioner is, in my view,
entitled then to appeal that certificate because the fact that the
certificate is conclusive evidence of the fact that exemption is
required for the purpose of safeguarding national security means
that he has been directly affected by the issuing of the certificate
therebygivinghimtherightofappealundersection28(4).Hehas
been affected by being restricted in the exercise of his powers
undersection51(1).

43.

55.

56.

57.

Thequestionofwhetherornotethematerialisexemptornothas
yettobedecided.Themechanismfordecidingitisprovidedforin
section 28 (4) and the Procedural Rules.the issue of the
appropriatenessofthecertificatecannonethelessbedecided.Inmy
view, this provides appropriate protection for securitysensitive
information whilst ensuring that the Commissioner can carry out
hisfunctionseffectively.

At first blush, this appears to suggest that a complaint to the Commissioner

unders.42mightbeanadequateremedy.However,uponfurtherscrutinyof
thedecision,wearenotpersuadedbythis.
First, in the case cited the data controller did not state from the outset that it
was relying on a s. 28 certificate; it was only once the Information
Commissioner continued to seek the information that the data controller then
producedthecertificate.ForthisreasontheITquashedthecertificatebecause
ittooktheviewthatthecertificatewasissuedonthebasisthattheInformation
Commissioner had no statutory role within the context of s. 28 exemptions, a
view which the Tribunal described as a fundamental misdirection of the law.
ThisdecisionwasupheldbytheHighCourt.Thisisaverydifferentissueto
thatbeforeus.
Secondly, the effect of s. 28 (11) is that the Information Commissioner cannot
under s. 43 press the data controller for disclosure of the personal data in
question.Section28(11)provides:

[2006]EWHC2958(Admin)

15

12

No power conferred by any provision of Part V may be exercised in

relation to personal data which by virtue of this section are exempt
fromthatprovision.

Once a certificate has been issued and once it is claimed by a data controller
that that certificate applies to the data in question, the certificate is
conclusively presumed so to apply: s. 28(6). The powers conferred by Part V
can no longer be exercised in respect of those data. The Information
Commissioner cannot seek disclosure of the material to determine whether in
factitisexemptunderthes.28certificate;indeed,ifthatwerethecase,thenthe
InformationCommissionerwouldeffectivelybesupplantingtheroleoftheIT.
All the Information Commissioner can do in that situation is bring an appeal
unders.28(4).Thisanalysisissupportedbythecasecitedabove.

58.

59.

60.

61.

As such, to the extent there may be any relief, it lies in the fact that the
Information Commissioner can seek an appeal under s. 28(4). However, the
datasubjectcandothisanyway.PartVdoesnotaddanythingnew.
TheeffectivenessoftheInformationCommissionersrighttoappeal(andtoa
data subjects right to request an assessment under s. 42) turns on the
effectiveness of a s. 28(4) appeal, which for the reasons outlined above, we
consider to be limited. It only permits a review of the Ministers decision to
issuetheCertificate.Itdoesnotinvolveadirectreviewofthedatacontrollers
useofthatcertificate.
Thirdly,theCourtstatedthatthequestionofwhetherornotdisclosuretothe
datasubjectwouldcompromisenationalsecuritywouldbethepurposeofthe
appeal to the tribunal.16 However, that is to state too broadly the ambit of a
section28(4)appeal;thepurposeofasection28(4)appealistoreviewwhether
the Minister had reasonable grounds for issuing the certificate it is not the
function of the Tribunal to determine whether disclosure will compromise
national security. Still less is it to determine whether acknowledging the
existenceofanysuchinformationwillcompromisenationalsecurity.
Finally, there may be circumstances where the Information Commissioner
refuses to bring an appeal under s. 28(4); there is nothing within the DPA to
enableadatasubjecttocompeltheInformationCommissionertobringsuchan
appeal.Nordoesthedatasubjecthaveanyroletoplayinanysuchappeal.It
cannotbecorrectthataneffectiveremedyisonethatliesatthediscretionofa
thirdpartybothinthebringingofanysuchappealandthewayinwhichitis
conducted.

Paragraph39.

16

13

62.

63.

In any event, Mr Szoick made such a request to the Commissioner on 9 May

2002, who replied on 19 July 2002, indicating that he did not wish to take
mattersanyfurther.
In short, it is clear that factually, the request under section 42 (1) did not
provide Mr Szocik with an effective remedy. In addition, we consider that
there is also a robust argument that notwithstanding the Information
Commissioners reply, in principle, section 42 does not afford an effective
remedytoanindividualseekingtochallengeadatacontrollersdecisiontorely
onthecertificate.

(v)TheRegulationofInvestigatoryPowersAct2000(RIPA)
64. ThepreambletoRIPAstates:

65.

66.

67.

An Act to make provision for and about the interception of

communications, the acquisition and disclosure of data relating to
communications,thecarryingoutofsurveillance,theuseofcoverthuman
intelligencesourcesandtheacquisitionofthemeansbywhichelectronic
dataprotectedbyencryptionorpasswordsmaybedecryptedoraccessed;
to provide for Commissioners and a tribunal with functions and
jurisdiction in relation to those matters, to entries on and interferences
withpropertyorwithwirelesstelegraphyandtothecarryingoutoftheir
functions by the Security Service, the Secret Intelligence Service and the
Government Communications Headquarters; and for connected
purposes.

PursuanttothisAct,theInvestigatoryPowersTribunal(IPT)hasbeensetup
to hear complaints by individuals in relation to the manner in which the said
governmentagencieshavecarriedouttheirfunctions.
InbothBakerandGoslingvSSHD17,theITexpresslystatedthatacomplaintto
the IPT provided an alternative remedy to an individual aggrieved by a data
controllers decision under the DPA. It is important therefore to look at this
aspectinmoredetailtodeterminewhetherRIPAdoesinfactprovideanappeal
mechanismtosomeoneinMrSzociksposition.
In Baker the Home Secretary provided witness evidence to the effect that the
IPT was likely to be a more effective forum than the Data Protection
Tribunal for the consideration of complaints that the Security Servicehas
actedimproperlyinrespectofpersonaldataprocessedbyit18

[2003]UKITNSA4(1August2003)
Paragraph99ofthedecision.

17
18

14

68.

69.

InHiltonvSecretaryofStateforForeignandCommonwealthAffairs19theTribunal
held that the jurisdiction of the IPT was defined widely enough to include a
complaint that the data controller (in that case GCHQ) was not justified in
claimingthatNCNDresponsewasnecessarytosafeguardnationalsecurityin
the particular case although it is of note that the Tribunal caveated its
assertionbysayingalthoughwearedoubtfulwhetherParliamentintended
thatitshouldroutinelydecidemattersofthissort;
ThematterwasconsideredagaininGoslingvSSHD20.Giventheimportanceof
theCourtsreasoningitisnecessarytosetitoutinfull:

48.
In the light of the European jurisprudence to which we have
referred, and the Parliamentary response to Chahal, we have serious
doubts whether Parliament could have intended that the Service itself
wouldexclusively,withoutanyformofindependentscrutiny,determine
the application to particular cases of the NCND policy in the kind of
circumstances that we have described at paras 30 and 31 above. That
doubt is strengthened when we bear in mind the powerful European
dimensiontotheActwhichweexplainedinBaker

49.
The tribunal [the IPT] is the appropriate forum for dealing
with complaints concerned with conduct by the intelligence services
which relate to the complainant, his or her property or his or her
communications.

50.
thepositionoftherespondent,[is]asfollows:
TheInvestigatoryPowersTribunaldoeshavejurisdictiontoconsiderany
such complaint. Depending on the terms of the complaint to the
Investigatory Powers Tribunal, such jurisdiction will arise under one or
other,orboth,ofthefollowingprovisions:
(a) section 65 (2) (b) and 65 (4) of the 2000 Act, in that the
givingofaNCNDresponsebytheSecurityServiceisconduct in
relation to that person, and the Tribunal has jurisdiction to
consider a complaint by that person if he is aggrieved by such
conduct;and
(b) section 65 (2) (a) of the 2000 Act, in that the giving of an
NCND response by the Security Service is an act of a public
authority which would be unlawful under section 6 (1) of the
HumanRightsAct1998ifitisincompatiblewithaConvention right,
andtheTribunalistheonlyappropriateforuminwhicha person who
claimstobeavictimofanyunlawfulactmay bring
proceedings
againsttheSecurityServicetomakesucha
claim.

55.
An NCND answer to a request would, therefore, appear,
evenifsomewhatindirectly,totouchonconductrelatingtosurveillance;
andevenonannarrowconstructionofconduct,thegivingofanNCND

[2005]UKITNSA1
[2003]UKITNSA4(1August2003)

19
20

15

response would appear to fall within section 65 (5) (a). Furthermore, a

person confronted with a NCND response may well be in a position to
frame proceedings against the Security Services that the action is not
compatible with, for example, Article 8 of the Convention. Such
proceedingswouldthenfallwithinsection65(2)(a).

70.

56.
ThereforeweconcludethattheInvestigatoryPowersTribunal
does have the jurisdiction which Mr Tam accepted. Furthermore, we
believethattheInvestigatoryPowersTribunalisthebodybestplacedto
determineanyspecificcomplaintthattheServicehasappliedtheprovisos
tothecertificateinamannerthatismanifestlyunjustifiedHoweverwe
reiterate that in the absence of the jurisdiction now conceded by the
respondent, we would have reservations as to whether the procedure
contemplated by the provisos to the certificate accorded with the
important principle which we have discerned from the European
jurisprudenceandwhichwebelieveisapplicabletothepresentstatutory
context.

ThisreasoningwasrepeatedinHitchensvSSHD21theTribunalstated:

71.

72.

45. .For the reasons given in our Decision in Mr Goslings

appeal,weholdthat
(1)thejurisdictionoftheIPTisdefinedwidelyenoughtoincludea
complaint that the Security Services were not justified in claiming
thataNCNDresponsewasnecessarytosafeguardnationalsecurity
intheparticularcase(thoughwearedoubtfulwhetherParliament
intendedthatitshouldroutinelydecidemattersofthissort)22;and
(2) delegating to the Security Services the power of deciding these
issuesofnationalsecurityislawfulandconsistentwithdecisionsof
EnglishandEuropeanCourts.

50. The Data Protection Act, in our view, does not provide any
means of challenging the Security Services decision, either before
this Tribunal or before the Courts. It appears to us that the
appropriate statutory method of challenging the Security Services
decision in an individual case is by making a complaint to the
InvestigatoryPowersTribunal.

Put very simply, the thrust of the Information Tribunals decision is that it is
theexistenceoftheIPTwhichensuresthereisnoviolationoftheConvention
rights.WithouttheIPTtherefore,therewouldbenoeffectiveremedy.
We consider the proposition that the IPT has jurisdiction to consider whether
exemptionfroms.7(1)(a)(i.e.theexistenceduty)isrequiredforthepurposeof

[2003]UKITNSA5(4August2003)
Thislattersentenceinparticularisinconsistent:iftheIPTisthecorrectTribunalforsuchacomplaint,
itmustinevitablybepermittedtoconsidersuchmattersroutinelyforthesimplereasonthatitis
allegedlytheonlyeffectiveappealroute.
21
22

16

safeguardingnationalsecuritytobefundamentallymisconceivedforanumber
ofreasons.

73.

74.

75.

76.

Firstly,itisastrangesuggestionthatacomplaintabouttheinadequaciesofan
appeal procedure under one specific Act of Parliament can be remedied by
virtue of an appeal procedure under an entirely different Act, without any
explicit reference to this within the legislative provisions. There is nothing
within RIPA which crossreferences to the DPA, or viceversa. Both the IPT
andtheITarecreaturesofstatute.Theycanonlydeterminethosemattersfor
which jurisdiction hasbeen conferred on them by statute. The DPA does not
conferanyjurisdictionontheIPT,andRIPAdoesnotconferanyjurisdictionon
theIPTinrelationtothedeterminationofrightsundertheDPA.Itisnotopen
for parties to agree between themselves an enlarged jurisdiction for any
statutorytribunal.
Secondly,thepurposebehindRIPAiswhollydifferentfromthesubjectmatter
of the DPA. RIPA is concerned with surveillance and interception of
communicationanddatabytheintelligenceagencies.TheprovisionsofRIPA
thatprovideforanappealtotheIPTareessentiallyconcernedwithcomplaints
thattheactivityinquestionisunlawful.Thisisentirelydifferenttoacomplaint
that a data controller has failed to comply with a s. 7 request by refusing to
inform him whether any data of which the appellant is the data subject are
beingprocessedbythatdatacontroller.
Thirdly, when section65 is considered closely, the argument thata complaint
aboutdataprotectioniscoveredbythisprovisionisarguablywrong.
Section65(2)states:
(2)ThejurisdictionoftheTribunalshallbe
(a) tobetheonlyappropriatetribunalforthepurposesofsection7of
the Human Rights Act 1998 in relation to any proceedings which
fallundersubsection(1)(a)ofthatsection(proceedingsforactions
incompatible with Convention rights) which fall within subsection
(3)ofthissection;

(b) toconsideranddetermineanycomplaintsmadetothemwhich,in
accordance with subsection (4) or (4A)23 are complaints for which
theTribunalistheappropriateforum

(c) toconsideranddetermineanyreferencetothembyanypersonthat
he has suffered detriment as a consequence of any prohibition or
restriction, by virtue of section 17, on his relying in, or for the
purposesof,anycivilproceedingsonanymatter;and

S4Aisnotrelevantforourpurposes,asitrelatestotheNationalIdentityRegister.

23

17


(d)

77.

Insummary,s.64(2)(a)bothconfersajurisdictionontheIPTandprovidesthat
jurisdictionisexclusivelythatoftheIPT.Section7(1)oftheHumanRightsAct
provides:

A person who claims that a public authority has acted (or proposes to

78.

79.

80.

81.

to hear and determine any other such proceedings falling within

subsection (3) as may be allocated to them in accordance with
provisionmadebytheSecretaryofStatebyorder.

act)in
awaywhichismadeunlawfulbysection6(1)may
(a) bring proceedings against the authority under this Act in the
appropriate
courtortribunal,or
(b) rely on the Convention right or rights concerned in any legal
proceedings,
butonlyifheis(orwouldbe)avictimoftheunlawfulact.

Section7(1)(a)providesforincompatibilityproceedingstobebroughtagainsta
publicauthority.Theeffectofs.65(2)(a)isthatwhereapersonclaimsthatone
of the intelligence services has acted (or proposed to act) in a way which is
made unlawful by s. 6(1) of the Human Rights Act, that person may bring
proceedingsintheIPTagainstthatintelligenceserviceinrespectofthathuman
rightsclaim.Section65(2)(a)doesnotconferageneraljurisdictionontheIPT
toreviewdecisions,actsoromissionsoftheintelligenceservices.Rather,itis
concerned that the determination of a particular issue already rendered
justiciable by s. 7(1)(a) of the Human Rights Act, be allocated, and allocated
exclusively,totheIPTwherethoseproceedingsarebroughtagainstthebodies
orpersonsidentifiedins.65(3).
In our view, while this may mean that any human rights incompatibility
proceedingsmustbebroughtintheIPT,itdoesnotconferajurisdictiononthe
IPTtoadjudicateonMrSzociksDPAclaim.
We then turn to consider the remaining paragraphs of s. 65(2). We can deal
shortlywithparagraphs(c)and(d).Section17ofRIPAisinapplicable,sothat
paragraph(c)isnotengaged.TherehasbeennoordermadebytheSecretary
ofStateforthepurposesofs.65(2)(d),sothatthatparagraphdoesnotapply.
Weturnthen,tos.65(2)(b).Inorderforthistoapply:
(1) the conduct about which complaint is being made to the IPT must be
conductfallingwithinsubsection65(5);
(2)thecomplaintisbroughtbyapersonaggrievedbythatconduct;and
(3) the complainant must believe both of the matters set out in subsection
65(4)
Alternatively,s.65(2)(b)willapplywheres.65(4A)isengaged.

18

82.

Section65(5)states:
(5) Subject to subsection (6), conduct falls within this subsection if
(wheneveritoccurred)itis
(a)conductbyoronbehalfofanyoftheintelligenceservices;
(b)
(c)conducttowhichChapterIIofPartIapplies;24
(ca)
(d)[other]conducttothisPartIIapplies25

83.

84.

85.

86.

TheissuethereforeiswhethertheconductoftheSecurityServiceinrefusingto
confirmordenywhetheritholdspersonaldataonMrSzoickisconductofa
kind which falls either within s. 65(3)(d) and/or s. 65(5)(a). Conduct is not
given a single autonomous definition within RIPA, and its meaning derives
from the context in which it arises. For instance Part II of the Act, entitled
SurveillanceandCovertHumanIntelligenceSources,setsoutins.26(1)that
PartIIappliestothefollowingconduct:
(i)
directedsurveillance;
(ii)
intrusivesurveillance;
(iii)
theconductanduseofcoverthumanintelligencesources.
Conduct must therefore take its meaning from the purpose and intention
behindRIPA.Inlightofthis,conductins.65(5)cannotrefertotherefusalofa
datacontrollertocomplywiths.7(1)(a)thatrefusalcannotbecharacterisedas
surveillance,ortheinterceptionofdataforexample.Inshort,RIPAisbasically
concerned with how that data is acquired e.g. is it by intercepting post, or
interceptingemailsetc.RIPAisnotconcernedwiththewhollyseparateissue
of the right of access to ones personal data. We therefore disagree with the
judgmentoftheInformationTribunalinthisrespect.26
However, even if we are wrong on this, we do not consider that the separate
requirementofs.65(4)(b)ismadeouthere.
Section65(4)provides:
(4) The Tribunal is the appropriate forum for any complaint if it is a
complaint by a person who is aggrieved by any conduct falling
withinsubsection(5)whichhebelieves

ChapterIIisentitledacquisitionanddisclosureofcommunicationsdata.Section21(1)(a)provides
thattheChapterappliestoanyconductinrelationtoapostalserviceortelecommunicationsystem
for obtaining communications data, other than conduct consisting in the interception of
communicationsinthecourseoftheirtransmissionbymeansofsuchaserviceorsystem;Inshort,
ChapterIIisnotconcernedwiththeprocessingofpersonaldata.
25 Part II is entitled surveillance and convert human intelligence sources. Again, it is not concerned
withtheprocessingofpersonaldata.
26ItisofnotethattheAppellantinGoslingwasnotlegallyrepresented,andhencethismayexplainwhy
thematterswehavealludedtowerenotputforcefullybeforetheTribunal.
24

19

(a) to have taken place in relation to him, to any of his

property,toanycommunicationssentbyortohim,or
intended for him, or to his use of any postal service,
telecommunications service or telecommunication
system;and
(b) tohavetakenplaceinchallengeablecircumstances

87.

88.

We do not consider that s. 65(4)(b) is satisfied. The notion of challengeable

circumstances essentially means that the conduct in question wasauthorised
byoneoftheinstrumentsnamedins.65(8),oriftherewasnosuchinstrument,
itwouldnothavebeenappropriatefortheconducttotakeplacewithoutthat
instrument (or at least without proper consideration having being given as to
whethersuchauthorityshouldbesought.)Theinstrumentsnamedins.65(8)
wouldnotapplytoadecisionoftheSecurityServiceastohowtorespondtoa
subject access request. Hence, even if the conduct is relevant conduct for the
purposesofRIPA,ithasnottakenplaceinchallengeablecircumstances
We therefore conclude that the argument that there is an alternative remedy
undertheRIPAismisconceived.

89. WeareoftheviewthatthereisnoeffectiveremedyundertheRIPA.

(VI)JudicialReview

90. Thefinalpossibleremedyavailabletoanapplicantseekingtochallengeadata
controllers refusal to comply with s7 (1) (a) by relying on a national security
certificateisthatofjudicialreview.Itmaybesaidthatanindividualoughtto
apply for judicial review on public law grounds to challenge the allegedly
unlawfuluseofaproperlyissuedcertificate.

91. Theissuethereforeiswhetherthisisinfactasufficientremedy.Thepowerof
the Administrative Court on an application for judicial review is limited: a
decision will be only be set aside ifit demonstrated to be unlawful. This is a
highthresholdtosatisfy.

92. One must also consider that in national security cases the courts are
traditionally very deferential to the Executive.27 Throughout the twentieth
century the domestic courts consistently held that national security is the
primary responsibility of the executive, that the executive has the particular
experienceandexpertisenecessarytomakeassessmentsanddecisionsrelating

In Hitchens, the Tribunal stated: It is true that the courts in the United Kingdom have traditionally
accorded a high degree of deference to the executive on matters affecting national security
(Paragraph33.)

27

20

to national security, together with democratic responsibility for doing so, and
thatthecourtsarenotinapositiontoquestiontheexecutiveinthisregardonce
it has been shown, on credible evidence, that national security considerations
are in play.28 The degree to which these authorities suggested that national
securitywasnonjusticiableorthatevidenceofnationalsecurityconcernscould
bedemandedandreviewedtoestablishtheirbonafidesandcredibilityvarieda
little from case to case, but the basic message remained the same: the courts
wouldnotinterfereintheExecutivesassessmentofnationalsecuritymatters.
ThejudicialorgansoftheECHR29andtheEuropeanCommunity30havetakena
broadly similar approach, but, whilst they have expressly recognised and
emphasised the wide margin of appreciation enjoyed by the executive in this
area,theyhavealsostressedtheneedforeffectivejudicialcontrolbymeansof
judicial review on proportionalitybased grounds. In the light of this
jurisprudence, the domestic courts have recently restated and recast their
approachsomewhat,whilstretainingthesamebasicrespectanddeferencefor
theconclusionsoftheexecutivewhenitcomestonationalsecuritymatters.31
TheZamora[1916]2AC77,HLat107AThosewhoareresponsiblefornationalsecuritymustbethe
sole judge of what the national security requires. It would obviously be undesirable that such
mattersshouldbemadethesubjectofevidenceinacourtoflaworotherwisediscussedinpublic@
(per Lord Parker); Chandler v. DPP [1964] AC 763, HL at 798 (per Viscount Radcliffe) and 811 (per
LordDevlin)(inrelationtothedefenceoftherealm);Rv.SecretaryofStatefortheHomeDepartment,
exp.Hosenball[1977]1WLR766,CAat778and783(perLordDenningMR)and783784(perLane
LJ); Council of Civil Service Unions v. Minister for the Civil Service [1985] AC 374, HL at 402403 (per
LordFraser),404and406407(perLordScarman),410and412(perLordDiplock),420421(perLord
Roskill)and423(perLordBrightman);Rv.SecretaryofStatefortheHomeDepartment,exp.Ruddock
[1987]1WLR1482,at14901492(perTaylorJ);NHSv.SecretaryofStatefortheHomeDepartment[1988]
ImmAR 389, CA at 395 (per Dillon LJ); R v. Director of GCHQ, ex p. Hodges [1988] COD 123; R v.
SecretaryofStateforForeignandCommonwealthAffairs,exp.Everett[1989]QB811,CA;Rv.Secretaryof
StatefortheHomeDepartment,exp.BATheTimes@29January1991;Rv.SecretaryofStatefortheHome
Department,exp.Cheblak[1991]1WLR890,CAat902and906907(perLordDonaldsonMR),912(per
BeldamLJ)and916(perNolanLJ);Rv.SecretaryofStatefortheHomeDepartment,exp.Chahal[1995]1
WLR526,CAat531and535(perStaughtonLJ);Rv.SecretaryofStatefortheHomeDepartment,exp.
McQuillan[1995]4AllER400at424(perSedleyJ);Jahromiv.SecretaryofStatefortheHomeDepartment
[1996]ImmAR20,CAat26(perRochLJ).

28

Ireland v. United Kingdom [1978] 2 EHRR 25, ECtHR, para 206; Chahal v. United Kingdom (1997) 23
EHRR413,ECtHRatparas131and138;TinnellyandSonsLtdv.UnitedKingdom(1999)27EHRR249,
ECtHR at para. 78; R v. Ministry of Defence, ex p. Smith [1996] QB 517, CA and Smith and Grady v.
UnitedKingdom(1999)29EHRR493,ECtHR.

29

Case222/84Johnstonv.ChiefConstableoftheRoyalUlsterConstabulary[1987]QB129,ECJ;Case175/94
R v. Secretary of State for the Home Department, ex p. Gallagher [1995] ECR I4253, ECJ; Case 273/97
Sirdarv.SecretaryofStateforDefence,[1999]ECRI7403,ECJ.

30

Seee.g.AandothersvSecretaryofStatefortheHomeDepartment[2005]2AC68,HLatparas[39]and
[42](perLordBingham);paras[176]and[177](perLordRodger);paras[79][81](perLordNicholls).
LordBinghamconcludesonareviewoftheauthoritiesthatItfollowsthattheappellantsareinmy
opinion entitled to invite the courts to review, on proportionality grounds, the Derogation Order
andthecompatibilitywiththeConventionofsection23andthecourtsarenoteffectivelyprecluded
by any doctrine of deference from scrutinising the issues raised para [42]. At para [176], Lord
Rodger notes that If the provisions of section 30 of the 2001 Act are to have any real meaning,
deferencetotheviewsoftheGovernmentandParliamentonthederogationcannotbetakentoofar.

31

21

93.

94.

Furthermore, the Court does not have the power to, for example, order the
Executivetodisclosedocuments.Itsjurisdictionislimited.
The ECtHR jurisprudence on the sufficiency of judicial review adopts a far
from consistent line. The most serious potential flaw in judicial review
proceedings is the absence of a full factual inquiry.32 The scope of judicial
review of primary findings of fact is generally too narrow to cure a want of
independenceatthelowerlevel.33Thatisnottosaythatafullmeritsreviewis
required in all cases, but it is of note that where judicial review has been
deemed to be sufficient (e.g. in planning matters) weight has been placed on
the original procedure, which has frequently involved a full merits appeal
beforethejudicialreviewstageisreached.34Thelogicofthisissound,inthat
where the decision under challenge is arrived at after hearing witnesses and
Due deference does not mean abasement before those views, even in matters relating to national
security.LordNichollsreferredtothesubstantiallatitudetobeaccordedtothelegislaturerather
thantothedeferenceduetothelegislatureatpara[80].SecretaryofStatefortheHomeDepartmentv.
Rehman[2001]UKHL47,[2003]1AC153,HLatparas[16]and[26](perLordSlynn)andparas[49]
[50],[53][54]and[62](perLordHoffman).Seeesp.:atpara.[31],whileAissuesofnationalsecurity
donotfallbeyondthecompetenceofthecourts@itisAselfevidentlyrightthatnationalcourtsmust
givegreatweighttotheviewsoftheexecutiveonmattersofnationalsecurity@(perLordSteyn);at
para. [50] Athe question of whether something is >in the interests= of national security is not a
question of law. It is a matter of judgment and policy. Under the constitution of the United
Kingdomandmostothercountries,decisionsastowhethersomethingisorisnotintheinterestsof
nationalsecurityarenotamatterforjudicialdecision.Theyareentrustedtotheexecutive@(perLord
Hoffmann);andatpara.[62]AItisnotonlythattheexecutivehasaccesstospecialinformationand
expertise in these matters. It is also that such decisions, with serious potential results for the
community, require a legitimacy which can be conferred only by entrusting them to persons
responsible to the community through the democratic process. If the people are to accept the
consequencesofsuchdecisions,theymustbemadebypersonswhomthepeoplehaveelectedand
whomtheycanremove@(perLordHoffmann).Seealso:Brownv.Stott[2001]2WLR817,PCat834
835 (per Lord Bingham); R v. DPP, ex p. Kebilene [2000] 2 AC 326, HL at 380381 (per Lord Hope);
InternationalTransportRothGmbHv.SecretaryofStatefortheHomeDepartment[2002]EWCACiv158,
[2003] QB 728, CA at paras [77] and [80][87] (per Laws LJ); R v. Secretary of State for the Home
Department,exp.Farrakhan[2002]EWCACiv606,[2002]QB1391,CA;Av.SecretaryofStateforthe
HomeDepartment[2002]EWCACiv1502,[2003]2WLR564,CAatpara.[40](perLordWoolfCJ)and
at paras [66] and [81] (per Brooke LJ); Baker v. Secretary of State for the Home Department [2001]
UKHRR1275,para.76;Goslingv.SecretaryofStatefortheHomeDepartment(unreported,decisionof
the Information Tribunal dated 1 August 2003: a copy of this decision can be found at
www.lcd.gov.uk/foi/inftrib.htm#part25),paras44and48.InrelationtothelanguageofAdeference@
seenowR(ProLifeAlliance)v.BBC[2003]UKHL23,[2003]2WLR1403,HLatparas[74][77](per
LordHoffmann)andpara.[144](perLordWalker).

SeeWvUnitedKingdom(1988)10EHRR29,concerningthedecisionbyalocalauthoritytoplacethe
applicantschildwithfosterparents.TheGovernmentarguedunsuccessfullythattheapplicantsarticle
6rightsweresatisfiedby(amongstotherthings)theavailabilityofjudicialreview.TheECtHRrejected
this holding that there will be no possibility of a determination in accordance with the
requirementsofArticle6(1)oftheparentsrightinregardtoaccessunlessheorshecanhavethelocal
authoritysdecisionreviewedbyatribunalhavingjurisdictiontoexaminethemeritsofthematter.
33R(Hussain)vAsylumSpecialAdjudicator[2001]EWHCAdmin852
34BryanvUnitedKingdom(1996)21EHRR342thefairnessoftheoriginalprocedure,namelyamerits
based appeal in the form of a public inquiry, together with its specialised nature meant that the
supervisionprovidedbytheHighCourtwassufficient.
32

22

arguments from both sides, it is more likely that a subsequent limited review
willbeasufficientremedy.

95.

96.

97.

98.

Indeterminingthesufficiencyofreviewproceedings,regardshouldbehadto
the subjectmatter of the decision under review, the manner in which the
decisionwasarrivedat,andthenatureofthedispute,includingthegroundson
which the decision is contested. The case law also suggests that where the
subjectmatterofthedecisionisadjudicatoryinthesensethatanassessment
of an individuals personal and economic rights are directly determined, the
individual must generally be able to challenge the decision before a judicial
bodywithfulljurisdictionprovidingtheguaranteesofarticle6(1).35
Inthiscase,verylittleisknownaboutthemannerinwhichtheSecurityService
reacheditsdecision.TherewascertainlynoargumentfromMrSzocikbefore
the Security Service it was effectively a decision taken unilaterally by the
Security Service; there is no avenue for independent scrutiny of all the facts,
andthedisputeatthisstage,involvesalargedisputeoffact(namelythatwedo
notacceptthatthereisneedtosafeguardnationalsecuritysoastoexemptthe
Security Service from complying with s. 7(1)(a)). Hence on that basis, the
limitedscopeofjudicialreviewisunlikelytobeaneffectiveremedy.
Furthermore,somereassurancecanbetakenfromthefactthatinthecasescited
above,althoughreferencewasmadetotheIPT,theRespondentdidnotseekto
arguethatjudicialreviewwasanalternativeeffectiveremedy.
In short, we consider there is a good argument that judicial review is not an
effectiveremedy,bearinginmindthelimitedscopeofreviewavailableandthe
limited powers of the Court. What is absent from the machinery under the
DPAisamechanismbywhichthedatacontrollersconductcanbescrutinised
byanindependenttribunal.36Thatitispossibletoconvenesuchatribunalis
clearfromtheSpecialImmigrationAppealsCommissionand,indeed,theIPT
itself. These tribunals demonstrate that issues of national security can be

AlbertandLeComptevBelgium(1983)5EHRR533.
ReferenceshouldbemadetoTinnelly&SonsLtdandMcElduffvUnitedKingdom(1998)27EHRR249:
theconclusivenatureofanationalsecuritycertificateissuedbytheSecretaryofState,whichhadthe
effect of preventing the court from determining the applicants claim that they were the victims of
religious discrimination in the award of a public service contract in Northern Ireland, combined with
theabsenceofanyindependentorjudicialscrutinyofthecertificatewasfoundbythe Courttohave
had a disproportionate impact on the applicants right of access to court. It was not consistent with
article6forthedomesticcourttobepreventedfromdeterminingthemeritsoftheapplicantscomplaint
ontheipsedixitoftheexecutive.Thisauthoritystrengthensourviewthatjudicialreviewinthiscaseis
notanadequateremedy.
35
36

23

adequatelyscrutinisedbyspecialisedindependenttribunals.37Inlightofthis,
the failure to provide such a mechanism to determine whether a public
authorityisproperlyexemptedfromitsobligationunders.7(1)(a)oftheDPA
isallthemoreconcerning

ConclusiononExistingRoutesofChallenge

99. The foregoing analysis leads to the inevitable conclusion (accepted by the
Information Tribunal in Hitchens) that the DPA does not make adequate
provision for a data subject to appeal against the data controllers decision to
relyonanationalsecuritycertificate.

ARGUMENTSUNDERTHECONVENTION

100. We turn, then, to consider where this absence of effective remedy leaves Mr
Szocik.Forthereasonssetoutbelowweconsiderthattherehasbeenabreach
oftheECHR.

(i)Article6(1)

101. Article6(1)provides:

(1) In the determination of his civil rights and obligationseveryone is

entitled to a fair and public hearing within a reasonable time by an
independentandimpartialtribunalestablishedbylaw.

102. Hencearticle6(1)confersarightonindividualstosubmitdisputesastotheir
civil rights for determination by a court. In civil proceedings, article 6 is
applicablewhere:
(i)
thereisarightorobligation;
(ii)
whichexistsundernationallaw;and
(iii)
the right is civil in nature. This aspect in particular warrants further
consideration.

103. The concept of civil rights and obligations has been given an autonomous
Convention interpretation which is not confined to traditional private law

ThisissupportedbytheTribunalinHitchens;theTribunalconsideredinsomedetailtheleadingcases
inrelationtonationalsecurityandconcluded:46.Itmightbeobjectedthatanyindependentchecking
oftheapplicationtoaparticularcaseofthecertificatewhichweareconsideringcouldleadtosuchan
intense scrutiny that it would itself be detrimental to national security. We do not find such an
objectionconvincing,particularlyinthelightoftheauthoritativeguidancerecentlygivenbytheHouse
ofLordsontheroleappropriatetoanindependentbodyassessingclaimstonationalsecurity:Secretary
ofStatefortheHomeDepartmentvRehman[2001]3WLR877.
37

24

rights,butextendstorightsandobligationsofacivilcharacter.InRingeisenv
Austria(No.1)38theCourtstated:

For article 6 (1) to be applicable to a case (contestation) it is not

necessary that both parties to the proceedings should be private
personsThewordingofArticle6(1)isfarwider;theFrenchexpression
contestations sur (des) droits et obligations de caractere civil covers all
proceedings the result of which is decisive for private rights and
obligations. The English text determination ofcivil rights and
obligations confirms this interpretation. The character of the legislation
which governs how the matter is to be determined (civil, commercial,
administrative law, etc) and that of the authority which is invested with
jurisdiction in this matter (ordinary court, administrative body, etc) are
thereforeoflittleconsequence.

104. Following its decision in Ringeisen, the Court has adopted an increasingly
liberal interpretation of the concepts of civil rights and obligations. When
decidingthereforewhetherarightisacivilrightforthepurposesofarticle6,
itisthesubstantivecharacteroftherightatissuewhichisdecisive.39

105. Where the substantive content and effect of a domestic law right are of a
predominantly personal, private or economic nature40 the right at issue will
usuallybeacivilrightforthepurposesofarticle6.

106. The first issue therefore is whether article 6 (1) is engaged i.e. is the right to
accessonesowndataacivilright.

107. Therighttoobtaininformationthatisnotpersonaltotheapplicantisunlikely
to give rise to a civil right or obligation so as to engage article 6.41 On the
otherhand,thedenialofaccesstoinformationthatcouldassistanindividualin

(1971)1EHRR455
KonigvGermany(1978)2EHRR170;StranGreekRefineriesandStratisAndreadisvGreece(1994)19
EHRR293
40EditionsPeriscopevFrance(1992)EHRR597
41InBarryvFranceApp.No.14497/89,Dec14.10.91theapplicants,whoweremembersofanassociation
forthedefenceofpoliticalprisonersinGuinea,soughtinformationfromtheMinisterforForeignAffairs
relatingtostepstakenbyhisdepartmenttoinquireaboutandsupportsuchprisoners.TheCommission
held that the denial of access to the documents under an administrative procedure could not be
considered decisive of the applicants civil rights, since the documents related to the exchange of
informationbetweenstatesandcouldnotbeconsideredaspersonaltotheapplicantsortheirspouses.
SeealsoSchallerVolpivSwitzerland(App.No.25147/94;84DR106)wheretheCommissioncametothe
sameconclusioninrespectoftheredactedportionsoftheapplicantspolicefile.TheCommissionheld
that the information which had been deleted from the file (concerning the identity of members of the
security services) could not be considered personal to the applicant. Accordingly the refusal to
disclosethatinformationtothesubjectofthefiledidnotconstituteadeterminationoftheapplicants
civilrights.
38
39

25

establishing a claim for damages has the potential to infringe article 6.42 The
recitals to the Directive 95/46/EC repeatedly speak of data processing as
relatingtoindividualrights:seerecitals(2),(3)(7),(8),(9),(10),(20),(25),(30),
(34), (37), (41), (44), (46), (49), (53), (55), (68). So, too, the Directive itself
characterisess.7asconfirmingafundamentalright:Art.1.1(7)(f),9,10(c),11(c),
12,13.1,13.2,14.Article22provides:

Without prejudice to any administrative remedy for which provision

may be made, inter alia before the supervisory authority referred to in
Article 28, prior to referral to the judicial authority, Member States shall
providefortherightofeverypersontoajudicialremedyforanybreachof
therightsguaranteedhimbythenationallawapplicabletotheprocessing
inQuestion.

108. This suggests however that a right to information that is personal to the
applicant, and which could assist an individual in taking further legal action,
willbeacivilright.Thesubstantivecontentofsucharightisbothprivateand
personal to the individual. There is therefore a compelling argument to be
madethatarighttoaccessonesowndataisacivilrightwithinthemeaningof
article6(1).

109. Assumingthistobecorrect,arefusaltoprovideaccesstothatinformationwill
amounttoaninterferencewiththatcivilright.Theissuethenwillbewhether
there are proceedings to determine a complaint relating to that interference
for the reasons set out above, we do not consider that there is an adequate
remedyinsuchacase.Inshort,wetaketheviewthatthereisagoodargument
thattherehasbeenaviolationofarticle6(1).

ARTICLE8

110. Article8provides:

1.Everyone has the right to respect for his private and family life, his

homeandhiscorrespondence.
2.Thereshallbenointerferencebyapublicauthoritywiththeexerciseof
this right except as in accordance with the law and is necessary in a
democraticsocietyintheinterestsofnationalsecurity

111. The Court has asserted that the protection of personal data is of fundamental
importance to a persons enjoyment of his right to respect for private and

McGinley and Egan v United Kingdom (1998) 27 EHRR: the Claimants sought access to documents
whichtheybelievedwereinthepossessionoftheGovernment,onthebasisthatsuchdocumentswould
assisttheminproceedingstheywishedtobringPensionsTribunal.TheECtHRconcludedthatarticle6
did apply, but that there was no violation since there was a procedure under the Pension Appeal
Tribunal Rules of Procedure under which the applicants could have requested the documents which
hadnotbeenused.
42

26

familylifeunderarticle8,43andthatarticle8oftheConventionmay,incertain
circumstances,imposeapositiveobligationonthestatetoaffordaccesstothe
personaldataheldonanindividual.44

112. In Leander v Sweden45 access to information held for national security reasons
wasconsideredaspartofasystemthatinterferedwiththeapplicantsprivate
life.46 The applicant in that case had been denied a job at the Swedish naval
museumonthebasisofinformationabouttheapplicantheldbytheNational
Police Board and released to the Supreme Commander of the Armed Forces.
Theinformationheldwasnevercommunicatedtotheapplicant.Theapplicant
complained of this to the Government but the Government accepted the
NationalPoliceBoardsproposalthattheinformationnotbereleased.

113. TheCourtnotedthatinviewoftheriskthatasystemofsecretsurveillancefor
the protection of national security poses of undermining or even destroying
democracyonthegroundofdefendingit,theCourtmustbesatisfiedthatthere
exist adequate and effective guarantees against abuse [Paragraph 60]. The
Court held that the refusal of access was necessary in a democratic society
havingregardtothesafeguardsavailableandthewidemarginofappreciation
accorded to the state in the realm of national security. Of particular
importance,wasthefactthattheuseoftheinformationwassubjecttoscrutiny
bybothParliamentandindependentinstitutionsandthatparliamentariansof
both the Government and the Opposition participated in decisions as to
whether information should be released [Paragraph 65]. Although it was not
thefocusofthatdecision,theSwedishsystemdidprovideforanappealtothe
courtsintheeventthatanauthorityotherthanParliamentortheGovernment
refused an individual access to information held on the police register, in a
limitednumberofcases[Paragraphs4142].TheCourtfinallynotedthatfor
thepurposesofthepresentproceedings,aneffectiveremedyunderArticle13
must mean a remedy that is as effective as can be, having regard to the
restricted scope for recourse inherent in any system of secret surveillance for
theprotectionofnationalsecurity[Paragraph84].

114. OfgreaterutilityisthemorerecentjudgmentoftheECHRinSegerstedtWiberg
v Sweden (2006) 21 BHrC 155. In that case, prior to April 1999 the five
applicantsrequestedaccesstotheirsecuritypolicerecords.Theirrequestswere
ZvFinland(1998)25EHRR371,para95
GaskinvUnitedKingdom(1989)12EHRR36
45(1987)9EHRR433
46Indeed,inBaker,theTribunalreferredtotheEuropeanjurisprudenceinsomedetailandacceptedthat
boththeholdingofdataandtherefusaltoallowaccesstoitqualifiedasinterferencesunderarticle8.
TheTribunalstated:Knowledgeastowhetherfilesareheldisapreconditionofactionbythedata
subject.Denialofthatknowledgemaypreventhimtakingactionwhichhewouldotherwisetakei.e.by
accessandrefutation(Paragraph67.)
43
44

27

refusedundertherulesonabsolutesecrecyapplyingtoinformationheldinthe
recordsofthesecuritypolice.FollowingalegislativeamendmentinApril1999
abolishing the absolute secrecy requirement, the applicants repeated their
requestsforaccesstotheirsecuritypolicerecords.Thesecuritypolicegranted
the applicants limited access to their records. The applicants appealed to the
Administrative Court of Appeal requesting authorisation to view their entire
filesandotherentriesconcerningthemthathadbeenmadeintheregister.In
eachcasethecourtrejectedtheappealandtheSupremeAdministrativeCourt
refused to grant the applicant leave to appeal. The applicants alleged, in
particular,thatthestorageinthesecuritypolicefilesofcertaininformationthat
hadbeenreleasedtothemconstitutedunjustifiedinterferencewiththeirright
torespectforprivatelifeunderart8oftheConvention.Underthisarticlethey
further complained of the refusal to impart to them the full extent to which
information concerning them was kept on the security police register. The
applicants also relied on arts 10 and 11 of the convention. Moreover, they
complained under art 13 that no effective remedy existed under Swedish law
withrespecttotheaboveviolations.

115. ThegroundsrelieduponbytheSwedishauthoritiesareinterestingforpresent
purposes.Quotingfromthejudgment:
By a decision of 17 June 1998 the Ministry of Justice refused her request. It
reiterated that absolute secrecy applied not only to the content of the
policeregisterbutalsotowhetherornotapersonwasmentionedinthe
register. The government did not find that the reasons relied on by the
first applicant, with reference to s 9A of the Police Register Act, could
constitute special grounds for derogation from the rule of absolute
secrecy.[Paragraph10]

andlater(dealingwiththesecondapplicant):

On 14 February 2000 the Administrative Court of Appeal rejected the

appeal in its entirety giving essentially the same reasons as the security
police,withthefollowingfurtherconsiderations:
In connection with the introduction of [s 3 of the Police Data Act] the
Government stated that even the information that a person is not
registeredbytheSecurityPoliceissuchthatitshouldbepossibletokeep
itsecretunderthesaidprovision(prop1997/98:97,p68).Accordingtothe
GovernmentBill,thereasonisthefollowing.Apersonwhoisengagedin
criminalactivitymayhaveastronginterestinknowingwhetherthepolice
have information about him or her. In such a case it could be highly
prejudicial to the investigation for the person concerned to be informed
whether or not he or she is of interest to the police. It is therefore
importantforadecisiononarequestforinformationfromtheregisternot
tohavetogiveinformationonwhetherthepersonappearsintheregister
or not. The nature of secret intelligence is such that there can only be
disclosureofinformationinspecialcases.
The Administrative Court of Appeal finds that it is not clear that
information, beyond that which emerges from the disclosed documents,
about whether [the second applicant] has been the subject of any Secret

28

PoliceactivityfallingunderChapter5,section1(2),oftheSecrecyAct,can
be disclosed without jeopardising the purpose of measures taken or
anticipatedorwithoutharmingfutureoperations.

Therequestsoftheother3applicantsmetwithasimilarfate.

116. The Court considered the various review processes available to an applicant.
ThesecurityprocesswouldseemtobemoreextensivethanthatoftheUK:

The security police apply the Secrecy Act directly. There are thus no
internalregulationsthatdealwiththeissueofaccesstoofficialdocuments
sincethatwouldbeinbreachoftheSecrecyAct.UndertheSecrecyActCh
5, s 1(2), there is a presumption of secrecy, meaning that whenever it is
uncertainwhetherthedisclosureofinformationinanofficialdocumentis
harmfulornot,suchinformationshallnotbedisclosed.[Paragraph59]

The government stated that it was set practice for the Administrative
Court of Appeal to visit the security police and take part of its filesif
anyineverycasethathadbeenbroughttoit.Thethreejudgesexamine
each document and makean assessment of every document that has not
been released to the appellant. If the appellant does not appear in the
register and files of the security service, the court obtains part of a
computer printout showing that the appellant does not appear in the
documentskeptbythesecurityservice.[Paragraph61]

117. TheCourtfoundthatArt8wasapplicable:

The court, having regard to the scope of the notion of private life as
interpretedinitscaselaw(see,inparticular,AmannvSwitzerland[2000]
ECHR 27798/95 at para 65, and Rotaru v Romania (2000) 8 BHRC 449 at
para 43), finds that the information about the applicants that was stored
onthesecretpoliceregisterandwasreleasedtothemclearlyconstituted
data pertaining to their private life. Indeed, this embraces even those
parts of theinformation that were publicsince theinformation had been
systematically collected and stored in files held by the authorities.
Accordingly, art 8(1) of the convention is applicable to the impugned
storageoftheinformationinquestion.[Paragraph72]

118. TheCourtstatedthattherewasaninterferencewithArt.8:

court further considers, and this has not been disputed, that it follows
from its established case law that the storage of the information at issue
amounted to interference with the applicants right to respect for private
life as secured by art 8(1) of the convention (see Leander v Sweden [1987]
ECHR9248/81atpara48;KoppvSwitzerland(1998)4BHRC277atpara53;
AmannvSwitzerland[2000]ECHR27798/95atparas69and80;andRotaru
vRomania(2000)8BHRC449atpara46).[Paragraph73]

119. TheCourtthenturnedtoconsiderjustification:

The court reiterates its settled case law, according to which the
expression in accordance with the law not only requires the impugned
measuretohavesomebasisindomesticlaw,butalsoreferstothequality
ofthelawinquestion,requiringthatitshouldbeaccessibletotheperson

29

concerned and foreseeable as to its effects (see, among other authorities,

Rotaru v Romania (2000) 8 BHRC 449 at para 52). The law must be
compatible with the rule of law, which means that it must provide a
measure of legal protection against arbitrary interference by public
authorities with the rights safeguarded by art 8(1). Especially where, as
here, a power of the Executive is exercised in secret, the risks of
arbitrarinessareevident.Sincetheimplementationinpracticeofmeasures
ofsecretsurveillanceisnotopentoscrutinybytheindividualsconcerned
orthepublicatlarge,itwouldbecontrarytotheruleoflawforthelegal
discretion granted to the Executive to be expressed in terms of an
unfettered power. Consequently, the law must indicate the scope of any
suchdiscretionconferredonthecompetentauthoritiesandthemannerof
its exercise with sufficient clarity, having regard to the legitimate aim of
the measure in question, to give the individual adequate protection
against arbitrary interference (see Malone v UK [1984] ECHR 8691/79 at
paras6768,reiteratedinAmannvSwitzerland[2000]ECHR27798/95at
para 56, and in Rotaru v Romania (2000) 8 BHRC 449 at para 55).
[Paragraph76]

120. The Court concluded [80] that the interference was in accordance with the
lawwithinthemeaningofart.8butonlybecauseofthespecificmeasuresthat
fettered the discretion of the security services: see [79]. The Court then
considered the aim and necessity of the interference: [81] [92]. It concluded
thatinonecaseitwasproportionate,butthatintheother4casesitwasnot.

121. Of greater relevance for present purposes are the sections dealing with the
NCND response. While the Court held that it did not breach art 8, it is
necessarytoconsiderthemechanismsavailabletotheappellants:

Astotheissueofnecessity,thegovernmentarguedthatunderSwedish
law there were adequate safeguards against abuse: (i) The discretion
afforded to the security police was subject to limitations set out in the
more general Personal Data Act, which dealt with the processing of
personalinformationwhereverittookplace,andthemorespecificPolice
Data Act, which in positive terms obliged the security police to keep a
register, specified its aims and laid down the conditions under which
personal information could be included in the register. (ii) Both the
constitution and the Police Data Act expressly provided that certain
sensitive information could only be registered in exceptional
circumstances,thatistosaywhenitwasunavoidablynecessary.Under
no circumstances could a person be registered by the security police
simply because of his or her political views or affiliations. (iii) The Data
Inspection Board was an important safeguard, considering its mandate
with respect to the overall treatment of personal information. It was
empoweredtotakevariousmeasurestoprotectpersonalintegrity,suchas
prohibiting all processing of personal data (other than merely storing it)
pending the rectification of illegalities. It could also institute judicial
proceedings in order to have registered information erased. (iv) The
Records Board, another important safeguard, had two functions. It
monitored the security polices filing and storage of information and the

30

servicescompliancewiththePoliceDataAct.Italsodeterminedwhether
information held by the security police could be disclosed in security
checks.(v)Theparliamentaryombudspersonssupervisedtheapplication
of laws and other regulations not only by the security police themselves
but also by the bodies monitoring them (the Data Inspection Board and
the Records Board). The ombudspersons were empowered to carry out
inspections and other investigations, to institute criminal proceedings
againstpublicofficialsandreportofficialsfordisciplinaryaction.Itwasto
be recalled that the third applicants trade union had in fact lodged a
complaintwiththeparliamentaryombudspersons,arguingthattherehad
been a breach of the Personnel Security Check Ordinance in connection
withthesecuritycheckcarriedoutwithregardtothethirdapplicant,and
that the ombudspersons had voiced some criticism about the manner in
which the matter had been handled. (vi) The Chancellor of Justice hada
role similar to that of the parliamentary ombudspersons, was competent
to report public servants for disciplinary action, to institute criminal
proceedingsagainstthemandtoawardcompensation.
In addition, damages could be claimed under the Tort Liability Act in
direct judicial proceedings. The Personal Data Act moreover contained a
separate ground for damages that was of relevance in the context of the
presentcase.
The government argued that, in view of the absence of any evidence or
indication that the system was not functioning as required by domestic
law, the framework of safeguards achieved a compromise between the
requirements of protecting a democratic society and the rights of the
individualwhichwascompatiblewiththeprovisionsoftheconvention.
[Paragraph98]

122. TheCourtthenconcluded:

Thecourt,bearinginminditsassessmentatparas7273,above,findsit
established that the impugned refusal to advise the applicants about the
fullextenttowhichinformationwasbeingkeptaboutthemonthesecret
police register amounted to interference with their right to respect for
privatelife.
100.Therefusalhadalegalbasisindomesticlaw,namelyinCh5,s1(2),
of the Secrecy Act. As to the quality of the law, the court refers to its
findings at paras 7980, above, as well as paras 5761, above, describing
theconditionsofapersonsaccesstoinformationabouthimorheronthe
secret police register. The court finds no reason to doubt that the
interference was in accordance with the law within the meaning of art
8(2).
101.Moreover,therefusalpursuedoneormorelegitimateaims;reference
ismadetopara87,above.
102.Thecourtnotesthat,accordingtotheconventioncaselaw,arefusal
of full access to a national secret police register is necessary where the
state may legitimately fear that the provision of such information may
jeopardisetheefficacyofasecretsurveillancesystemdesignedtoprotect
national security and to combat terrorism (see Klass v Germany [1978]
ECHR 5029/71 at para 58, and Leander v Sweden [1987] ECHR 9248/81 at
para 66). In this case the national administrative and judicial authorities
involved all held that full access would jeopardise the purpose of the

31

system.Thecourtdoesnotfindanygroundonwhichitcouldarriveata
differentconclusion.
103. Moreover, having regard to the convention case law (see Klass v
Germany [1978] ECHR 5029/71 at para 50; Leander v Sweden [1987] ECHR
9248/81atpara60;EsbestervUK(Appno18601/91)(admissibilitydecision,
2April1993);andChristievUK(Appno21482/93)(admissibilitydecision,
27June1994))andreferringtoitsfindingsregardingthequalityofthelaw
(see paras 7980, above) and the various guarantees that existed under
nationallaw(seeparas5268,above),thecourtfindsitestablishedthatthe
applicablesafeguardsmettherequirementsofart8(2).
104.Inthelightoftheforegoing,thecourtfindsthattherespondentstate,
having regard to the wide margin of appreciation available to it, was
entitled to consider that the interests of national security and the fight
against terrorism prevailed over the interests of the applicants in being
advised of the full extent to which information was kept about them on
thesecuritypoliceregister.
Accordingly,thecourtfindsthattherehasbeennoviolationofart8ofthe
conventionunderthishead.[Paragraphs99104]

123. To similar effect is the judgment of the ECHR in Rotaru v Romania (2000) 8
BHRC440.TheretheCourtconcludedthatthesafeguardswereinsufficient:

The court must also be satisfied that there exist adequate and effective
safeguardsagainstabuse,sinceasystemofsecretsurveillancedesignedto
protect national security entails the risk of undermining or even
destroyingdemocracyonthegroundofdefendingit(seeKlassvGermany
(1978)2EHRR214at232233(paras4950)).
In order for systems of secret surveillance to be compatible with art8 of
the convention, they must contain safeguards established by law which
apply to the supervision of the relevant services activities. Supervision
proceduresmustfollowthevaluesofademocraticsocietyasfaithfullyas
possible,inparticulartheruleoflaw,whichisexpresslyreferredtointhe
preamble to the convention. The rule of law implies, inter alia, that
interferencebytheexecutiveauthoritieswithanindividualsrightsshould
besubjecttoeffectivesupervision,whichshouldnormallybecarriedout
bythejudiciary,atleastinthelastresort,sincejudicialcontrolaffordsthe
bestguaranteesofindependence,impartialityandaproperprocedure(see
KlassvGermany(1978)2EHRR214at234235(para55)).
60. In the instant case the court notes that the Romanian system for
gatheringandarchivinginformationdoesnotprovidesuchsafeguards,no
supervision procedure being provided by law no14/1992, whether while
themeasureorderedisinforceorafterwards.
61.Thatbeingso,thecourtconsidersthatdomesticlawdoesnotindicate
with reasonable clarity the scope and manner of exercise of the relevant
discretionconferredonthepublicauthorities.
62.ThecourtconcludesthattheholdingandusebytheRISofinformation
ontheapplicantsprivatelifewasnotinaccordancewiththelaw,afact
that suffices to constitute a violation of art8. Furthermore, in the instant
casethatfactpreventsthecourtfromreviewingthelegitimacyoftheaim
pursuedbythemeasuresorderedanddeterminingwhethertheywere
assuming the aim to have been legitimatenecessary in a democratic
society.

32

63.Therehasconsequentlybeenaviolationofart8.[Paragraphs5963]

124. In short, we return once more to the issue of what safeguards are in place to
ensurethatadatacontrollerdoesnotinterfereunlawfullywithadatasubjects
rightsofaccess.Forthereasonssetoutabove, weconcludethatthereareno
adequate safeguards, because there is no effective means of challenging the
datacontrollersrelianceonthes.28certificateinexemptingcompliancewiths.
7(1)(a).47

125. Whilst,hadtheDPAprovidedsafeguards,wewouldnotconsidertheretohave
beenaviolationofarticle8(1),theabsenceofanyreviewmechanisminacase
wherethereisaNCNDresponse,givesabasisforaclaimthatarticle8(1)has
alsobeenbreached.

ARTICLE13

126. Article 13 provides that an individual must have an effective remedy for a
violationoftheConvention.

127. At the risk of repeating ourselves, having analysed the various routes of
appeal,wedonotconsiderthatthereisaneffectiveremedyuponthefactsof
thiscase.Inshort,weconsiderthatthereisastrongargumentthatarticle13
hasalsobeenviolated.

THEEFFECTOFTHEFOREGOING

128. We would strongly emphasise the gravity of such a legal challenge. If the
argument is accepted, it will have farreaching consequences for the
Government. For that reason, it is a challenge that is likely to be met with a
vigorous and sustained defence by the Government. While the term
deferencemaybeoutofjudicialfashions,thesentimentisnot.Betweenthe
vigourofthedefenceandthestartingpointofthecourts,thisisgoingtobea
longdrawn and difficult challenge. The costs involved will reflect that. The
challengethereforeisnotonetobemadelightly.

129. ThefailureoftheDPAtomakesuchaprovisiongivesrisetocomplaintsunder
the European Convention on Human Rights (the Convention), in particular
articles6(1),8,and13.Itistothisaspectthatweturnnext.

47TheneedforadequatesafeguardsisallthemorepressingwhenoneconsidersthataNCNDresponse
inrespectofs7(1)(a),hastheconsequentialeffectofpreventingthedatasubjectfromenjoyingtheother
rightsunders7(1)(b)(c).

33

NEXTSTEPS

130. Consideration therefore has to be given as to how best to proceed with this
matter.
131. Whilsttheoriginalapproachenvisagedwasthatanapplicationwouldbemade
unders7(9)followedswiftlybyanappealunders28(6),inlightofourdetailed
legalanalysiswenolongerconsiderthistobenecessary.

132. Essentially, the complaint here is that Mr Szoick has no adequate means of
challengingthedatacontrollersdecisionundertheDPA,andhencethereisa
violation of his convention rights. Ordinarily, the approach would be to
presentafreestandinghumanrightsclaimtotheHighCourtpursuanttos7(1)
(a)oftheHumanRightsAct1998.

133. Howeveranumberofproblemsarisewiththis:
(i)
the initial SAR was made in 1999, and a response
receivedin2000i.e.over6yearshavepassedsincethe
decisionsubjecttochallengewasmade;
(ii)
in that interim, there have been developments in the
law, such as the consideration of the Information
Commissionerspowers;
(iii)
more importantly however, section 7 (5) (a) of the
Human Rights Act 1998 provides a time limit of one
year beginning with the date on which the act
complained of took place.48 The act complained of in
thiscaseistheresponseoftheSecurityServicedated20
March 2000, hence the time limit for such a complaint
expired on 19 March 2001. Whilst s7 (5) (b) gives the
Court the power to extend the period as it considers
equitable having regard to all the circumstances we
verymuchdoubtthatitwillextendthetimeperiodto
coverthedelayinthismatter.

134. Next, whilst ordinarily it is the High Court in which any incompatibility
proceedings under the Human Rights Act are brought, s. 65(1)(a) of RIPA
indicatesthattheIPTistheexclusiveforuminwhichsuchacomplaintshould
beheard.

135. Finally,itisalsoaswelltopointoutthatseriousconsiderationshouldbegiven
astowhetherapetitionshouldbepresentedtotheEuropeanCourtofHuman
48 Indeed, a stricter time limit can apply if the rule in relation to the procedure in question imposes a
shortertimelimit.

34

Rights in Strasbourg. A domestic challenge in the IPT is unlikely to provide

any immediate relief: the IPT may, but is not bound to, give a declaration of
incompatibility49,butthedeclarationisnotbindingontheparties.Incontrast,
a judgment of the Strasbourg court is final and binding. However, the time
limitforbringingapetitionbeforetheStrasbourgCourtis6monthsfromthe
conclusion of any domestic court proceedings that could have provided the
individual with a remedy or, if there were no proceedings that it was
reasonable to expect the individual to take, within six months of the event
givingrisetotheapplication.

136. AnalternativeoptionthereforeistomakeafreshSARtotheSecurityService.
Assuming that the Security Service give the same response, at that stage a
freestanding convention claim could be made. We may at that juncture also
wish to consider making a request to the IC, but on the basis of our
interpretationofs28(4),namelythatitdoesnotprovidethespecificremedywe
require,arequestunders42wouldnotserveanypurpose.

137. We consider that this latter approach is preferable. It ensures that the matter
startsafresh,henceavoidinganypossibletimepointsbeingtakenagainstus.50

CONCLUSION

138. Insummary:

(1)
the Data Protection Act 1998 does not provide a mechanism for an

applicant to challenge the use of a section 28 (2) certificate by a data

controllerinjustificationofitsnoncompliancewiths7(1)(a);

(2)
neitherjudicialreviewapplicationnoranappealtotheInvestigatory

PowersTribunalunderRIPA2000providesanadequateremedy;
(3) infailingtoprovideanadequatemechanismforcomplaintunderthe
DPA,weconsiderthattherehasbeenaviolationofarticles6(1),8and
13;
(4)
therearetimelimitdifficultiesinlaunchingproceedingsimmediately;

(5)
in order to surmount this problem, we consider that it is prudent to

makeafreshsubjectaccessrequesttotheSecurityService.

Section8(1)HRA1998.
Forthesakeofcompletenessreferenceshouldbemadetos.8(3),whichprovidesthatwhereadata
controllerhaspreviouslycompliedwitharequest,itdoesnothavetocomplywithasubsequentrequest
unlessareasonableintervalhaselapsedonewouldexpect7yearstoconstituteareasonableinterval.

49
50

35

139. Finally,thisisadifficultandcomplexarea.Weareoftheviewthatitwouldbe
helpfulforustohaveaconferencewithMrSzoickandthoseinstructingus,at
whichpointwecandiscussinpersontheadvantagesanddisadvantagesofthe
optionsidentifiedabove.

PHILIPCOPPEL
SAIMAHANIF

45GRAYSINNSQUARE
LONDON
WC1R5AH

15January2007

Email:pcoppel@45.co.ukorshanif@45.co.uk

36