(1)A Minister of the Crown may issue a certificate certifying, for the purposes of section 44(4), 45(4), 48(3) or 68(7), that a restriction is a necessary and proportionate measure to protect national security.
(2)The certificate may—
(a)relate to a specific restriction (described in the certificate) which a controller has imposed or is proposing to impose under section 44(4), 45(4), 48(3) or 68(7), or
(b)identify any restriction to which it relates by means of a general description.
(3)Subject to subsection (6), a certificate issued under subsection (1) is conclusive evidence that the specific restriction or (as the case may be) any restriction falling within the general description is, or at any time was, a necessary and proportionate measure to protect national security.
(4)A certificate issued under subsection (1) may be expressed to have prospective effect.
(5)Any person directly affected by the issuing of a certificate under subsection (1) may appeal to the Tribunal against the certificate.
(6)If, on an appeal under subsection (5), the Tribunal finds that, applying the principles applied by a court on an application for judicial review, the Minister did not have reasonable grounds for issuing the certificate, the Tribunal may —
(a)allow the appeal, and
(b)quash the certificate.
(7)Where in any proceedings under or by virtue of this Act, it is claimed by a controller that a restriction falls within a general description in a certificate issued under subsection (1), any other party to the proceedings may appeal to the Tribunal on the ground that the restriction does not fall within that description.
(8)But, subject to any determination under subsection (9), the restriction is to be conclusively presumed to fall within the general description.
(9)On an appeal under subsection (7), the Tribunal may determine that the certificate does not so apply.
(10)A document purporting to be a certificate under subsection (1) is to be—
(a)received in evidence, and
(b)deemed to be such a certificate unless the contrary is proved.
(11)A document which purports to be certified by or on behalf of a Minister of the Crown as a true copy of a certificate issued by that Minister under subsection (1) is—
(a)in any legal proceedings, evidence of that certificate, and
(b)in any legal proceedings in Scotland, sufficient evidence of that certificate.
(12)The power conferred by subsection (1) on a Minister of the Crown is exercisable only by—
(a)a Minister who is a member of the Cabinet, or
(b)the Attorney General or the Advocate General for Scotland.
(13)No power conferred by any provision of Part 6 may be exercised in relation to the imposition of—
(a)a specific restriction in a certificate under subsection (1), or
(b)a restriction falling within a general description in such a certificate.
(1)Subsections (3) and (4) apply where, for a law enforcement purpose, a controller transmits or otherwise makes available personal data to an EU recipient or a non-EU recipient.
(2)In this section—
“EU recipient” means—
a recipient in a member State other than the United Kingdom, or
an agency, office or body established pursuant to Chapters 4 and 5 of Title V of the Treaty on the Functioning of the European Union;
“non-EU recipient” means—
a recipient in a third country, or
an international organisation.
(3)The controller must consider whether, if the personal data had instead been transmitted or otherwise made available within the United Kingdom to another competent authority, processing of the data by the other competent authority would have been subject to any restrictions by virtue of any enactment or rule of law.
(4)Where that would be the case, the controller must inform the EU recipient or non-EU recipient that the data is transmitted or otherwise made available subject to compliance by that person with the same restrictions (which must be set out in the information given to that person).
(5)Except as provided by subsection (4), the controller may not impose restrictions on the processing of personal data transmitted or otherwise made available by the controller to an EU recipient.
(6)Subsection (7) applies where—
(a)a competent authority for the purposes of the Law Enforcement Directive in a member State other than the United Kingdom transmits or otherwise makes available personal data to a controller for a law enforcement purpose, and
(b)the competent authority in the other member State informs the controller, in accordance with any law of that member State which implements Article 9(3) and (4) of the Law Enforcement Directive, that the data is transmitted or otherwise made available subject to compliance by the controller with restrictions set out by the competent authority.
(7)The controller must comply with the restrictions.
(1)Each controller must implement effective mechanisms to encourage the reporting of an infringement of this Part.
(2)The mechanisms implemented under subsection (1) must provide that an infringement may be reported to any of the following persons—
(a)the controller;
(b)the Commissioner.
(3)The mechanisms implemented under subsection (1) must include—
(a)raising awareness of the protections provided by Part 4A of the Employment Rights Act 1996 and Part 5A of the Employment Rights (Northern Ireland) Order 1996 (S.I. 1996/1919 (N.I. 16)), and
(b)such other protections for a person who reports an infringement of this Part as the controller considers appropriate.
(4)A person who reports an infringement of this Part does not breach—
(a)an obligation of confidence owed by the person, or
(b)any other restriction on the disclosure of information (however imposed).
(5)Subsection (4) does not apply if or to the extent that the report includes a disclosure which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.
(6)Until the repeal of Part 1 of the Regulation of Investigatory Powers Act 2000 by paragraphs 45 and 54 of Schedule 10 to the Investigatory Powers Act 2016 is fully in force, subsection (5) has effect as if it included a reference to that Part.