Personal information, including sensitive special category data, could be shared with commercial partners, and may be transferred to nations with an adequacy agreement, according to a policy document for the INDEX service
The Cabinet Office has revealed details of the data-protection policies of a national security-focused repository that houses the personal information of world leaders.
The Information and Data Exchange (INDEX) was created in 2021 and, according to its freshly published privacy notice, the platform “is a secure digital service for the national security community”.
The data system, which is managed by the Cabinet Office, is intended for use by “HM government analysts and consumers who draft and read assessments on situations and issues of current concern”.
“The assessments provide geopolitical analysis, foreign policy analysis and risk analysis on national security priorities,” the privacy notice added. “[INDEX] is based on ‘information assets’ which include government analysis and assessment from HMG and international allied governments and publicly accessible electronic information from commercially available sources.”
A public data-protection policy is required because INDEX houses sensitive information related to individuals – which “may include personal data of world leaders or persons working in a public capacity”.
“INDEX does not intentionally collect or process personal data of the general public or anyone whose personal data is not relevant to national security priorities,” the notice said. “However, the content of the information assets collected and processed by INDEX may include incidental personal data, including special category data, of members of the public, within the body of an open source information asset. INDEX uses a number of methods to actively minimise the processing of this personal data.”
“Where necessary and proportionate, personal data which is relevant to national security assessments may be shared with other public authorities – including those overseas,” it said. “As personal data will be stored on our IT infrastructure it will also be shared with our data processors who provide software development, email, document management and storage services.”
The notice added: “As personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through an adequacy decision or the use of Standard Contractual Clauses, or a UK International Data Transfer Agreement. We may occasionally transfer personal data outside the UK to a country without an adequacy decision where this is necessary for important reasons of public interest – e.g. national security.”
As well as special category data – which includes the likes of information on ethnicity, sexual orientation, biometric data, and details of religious and political beliefs – the national security platform may also process data on criminal offences.
“Where that is the case, this data will only be held for as long as is necessary. This personal data is necessary to the integrity of national security analysis,” the notice added.
All data stored and processed via the platform “will be retained for as long as is necessary for the purpose for which it was collected – i.e. safeguarding national security – [and] all data is reviewed after three years and, if no longer needed for the purpose for which it was collected, will be deleted”.
“Some personal data may be retained for the purpose of archiving in the public interest – i.e. historic records,” the notice added.
The privacy document also indicated that “the Cabinet Office does not make decisions which produce legal effects concerning the data subject based on automated processing, including profiling”.