The Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005

PART 8Information

Sensitive information

45.—(1) In these Regulations, “sensitive information” means information which is –

(a)information the disclosure of which to the public would, or would be likely to, adversely affect national security;

(b)information the disclosure of which to the public would, or would be likely to, adversely affect public safety;

(c)information disclosure of which to the public would, or would be likely to, prejudice the commercial interests of any person; or

(d)information which is personal data, within the meaning of section 1(1) of the Data Protection Act 1998(1) if the condition in paragraph (2) or (3) is satisfied.

(2) The condition in this paragraphs is –

(a)in a case where the information falls within any of paragraphs (a) to (d) of the definition of “data” in section 1(1) of the Data Protection Act 1998, that the disclosure of the information to a member of the public would contravene –

(i)any of the data protection principles; or

(ii)section 10 of that Act(2) (right to prevent processing likely to cause damage or distress);

(b)in any other case, that the disclosure of the information to a member of the public would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act(3) (which relate to manual data held by public authorities) were disregarded.

(3) The condition in this paragraph is that by virtue of any provision of Part 4 of the Data Protection Act 1998 the information is exempt from section 7(1)(c) of that Act (data subject’s right of access to personal data).

(4) In determining for the purposes of paragraph (2) whether anything done before 24^th October 2007 would contravene the data protection principles, the exemptions in Part 3 of Schedule 8 to the Data Protection Act 1998 shall be disregarded.

Sensitive information – certificates in relation to national security

46.—(1) A certificate signed by a Minister of the Crown certifying that disclosure of information to the public would, or would be likely to, adversely affect national security is conclusive evidence of that fact.

(2) A certificate under paragraph (1) may identify the information to which it applies by means of a general description and may be expressed to have prospective effect.

(3) A document purporting to be a certificate under paragraph (1) shall be received in evidence and deemed to be such a certificate unless the contrary is proved.

(4) A document which purports to be certified by or on behalf of a Minister of the Crown as a true copy of a certificate issued by that Minister under paragraph (1) shall in any legal proceedings be evidence (or in Scotland, sufficient evidence) of that certificate.

(5) The power conferred by paragraph (1) on a Minister of the Crown shall not be exercisable except by a Minister who is a member of the Cabinet or by the Attorney General, the Advocate General for Scotland or the Attorney General for Northern Ireland.

Information sharing – making a request for information

47.—(1) Paragraph (4) applies to a Category 1 responder or a Category 2 responder (referred to in this Part of the Regulations as the “requesting responder”) to the extent that it is satisfied that the conditions in paragraphs (2) and (3) are satisfied.

(2) The condition in this paragraph is that the requesting responder reasonably requires information which is held by a general Category 1 responder or a general Category 2 responder –

(a)in connection with the performance of a duty under section 2(1)(a) to (d) or section 4(1); or

(b)in connection with the performance of another function which relates to an emergency.

(3) The condition in this paragraph is that the requesting responder is satisfied that –

(a)the information is not held by the requesting responder; and

(b)it is not reasonable to seek to obtain the information by other means.

(4) To the extent that this paragraph applies, the requesting responder may make a request for the information to a general Category 1 responder or a general Category 2 responder (referred to in this Part of the Regulations as “the receiving responder”).

Information sharing – procedure for making a request

48.—(1) In this Part of the Regulations, a reference to a “request for information” is a reference to such a request which –

(a)is in writing;

(b)states the name of the requesting responder and an address for correspondence;

(c)describes the information requested; and

(d)states the reason why the requesting responder requires the information in connection with the performance of a duty under section 2(1)(a) to (d) or section 4(1) or in connection with the performance of another function which relates to an emergency (as the case may be).

(2) For the purposes of paragraph (1), a request is to be treated as made in writing where the text of the request –

(a)is transmitted by electronic means;

(b)is received in legible form; and

(c)is capable of being used for subsequent reference.

Information sharing – obligation to provide information

49.—(1) Subject to paragraphs (2) and (4), the receiving responder must comply with a request for information.

(2) To the extent that the receiving responder is satisfied that –

(a)the request for information relates to sensitive information of the kind specified by paragraph (1)(a) of regulation 45 and disclosure to the requesting responder would, or would be likely to, adversely affect national security;

(b)the request for information relates to sensitive information of the kind specified by paragraph (1)(b), (c) or (d) of regulation 45 and disclosure to the requesting responder would, or would be likely to, adversely affect the confidentiality of the information,

the receiving responder must not comply with the request for information.

(3) If a receiving responder refuses to comply with a request in the circumstances specified in paragraph (2)(b), it must give reasons.

(4) To the extent that the receiving responder is satisfied that a request for information relates to sensitive information which has been directly or indirectly supplied to the receiving responder by a body which deals with security matters, the receiving responder must not comply with the request unless that body has given its consent to the provision of the information to the requesting responder; such consent may contain conditions.

Information sharing – response to request

50.  The receiving responder must respond to the request for information –

(a)before the end of such reasonable period as may be specified by the requesting responder; and

(b)at such place as may be reasonably specified by that responder.

Disclosure or publication of sensitive information

51.—(1) Except where required to do so under another provision of these Regulations, a general responder must not publish or disclose to any person sensitive information which –

(a)it has received under or by virtue of a provision of these Regulations; or

(b)it has received under or by virtue of a provision in regulations made by the Scottish Ministers under Part 1,

unless paragraph (2) or (6) applies.

(2) This paragraph applies, subject to paragraph (3), if consent for the publication or disclosure has been given by –

(a)in relation to sensitive information of the kind specified by paragraph (1)(a) or (b) of regulation 45 the originator of the information or (if different) a Minister of the Crown;

(b)in relation to sensitive information of the kind specified by paragraph (1)(c) or (d) of regulation 45, the person to whom the information relates.

(3) Paragraph (2) does not apply to information of the kind specified by paragraph (1)(a) of regulation 45 if a Minister of the Crown has issued a certificate in writing indicating that publication or disclosure of the information would adversely affect national security.

(4) Consent under paragraph (2) may –

(a)identify the information to which it applies by means of a general description;

(b)be expressed to have prospective effect;

(c)may include conditions.

(5) In paragraph (2), “originator of the information” means –

(a)if the information has been directly or indirectly supplied to the responder by a body which deals with security matters, that body;

(b)if sub-paragraph (a) does not apply, the information takes the form of a document and that document has been created by a public authority, that public authority;

(c)otherwise, the person who supplied the information to the responder.

(6) This paragraph applies if –

(a)the information is sensitive information of the kind specified by paragraph (1)(c) or (d) of regulation 45;

(b)the information is not sensitive information of the kind specified by paragraph (1)(a) or (b) of regulation 45;

(c)the responder is satisfied that the public interest in publishing or disclosing the information outweighs the legitimate interests of the person to whom that information relates; and

(d)the responder has informed the person to whom the sensitive information relates of its intention to publish or disclose the information and its reasons for being satisfied of the matter specified in sub-paragraph (c).

Use of sensitive information

52.—(1) Subject to paragraph (2), sensitive information which a general responder has received –

(a)under or by virtue of a provision of these Regulations;

(b)under or by virtue of a provision in regulations made by the Scottish Ministers under Part 1,

may only be used by that responder for the purpose of performing the function for which, or in connection with which, the information was requested.

(2) Sensitive information may be used for purposes other than those specified in paragraph (1) or (2) if consent for such use is given by –

(a)in relation to sensitive information of the kind specified by paragraph (1)(a) or (b) of regulation 45, the originator or (if different) a Minister of the Crown;

(b)in relation to sensitive information of the kind specified by paragraph (1)(c) or (d) of regulation 45, the person to whom the information relates.

(3) Consent under paragraph (2) may –

(a)identify the information to which it applies by means of a general description;

(b)be expressed to have prospective effect;

(c)may include conditions.

(4) In paragraph (2), “originator of the information” means –

(a)if the information has been directly or indirectly supplied to the responder by a body which deals with security matters, that body;

(b)if sub-paragraph (a) does not apply, the information takes the form of a document and that document has been created by a public authority, that public authority;

(c)otherwise, the person who supplied the information to the responder.

(5) In this regulation, “use” does not include publication or disclosure.

Security of sensitive information

53.—(1) This regulation applies to sensitive information –

(a)received by a general responder under or by virtue of a provision of these Regulations;

(b)received under or by virtue of a provision in regulations made by the Scottish Ministers under Part 1; or

(c)has been created by a general responder in discharging its duties under the Act or these Regulations.

(2) Each general responder must have in place arrangements for ensuring that the confidentiality of sensitive information to which this regulation applies is not adversely affected.

(3) The arrangements specified by paragraph (2) must include arrangements for ensuring that –

(a)sensitive information is clearly identifiable as such;

(b)only those persons who –

(i)are involved in the performance of a duty under section 2 or 4 or other function which relates to an emergency, and

(ii)as a result, need to have access to sensitive information,

have access to sensitive information;

(c)sensitive information is stored in a secure manner;

(d)sensitive information is transferred (including transferral by electronic means) in a secure manner.

Health and Safety at Work etc Act 1974

54.—(1) Sections 28(2) and (7) of the Health and Safety at Work etc Act 1974(4) (restrictions on disclosure of information) do not apply to the disclosure of information by the Health and Safety Executive to another responder if the disclosure is made –

(a)in connection with the performance by that other responder of a duty under –

(i)section 2 or 4;

(ii)a provision of these Regulations; or

(iii)a provision in regulations made by the Scottish Ministers under Part 1;

(b)in connection with another function of that responder which relates to emergencies; or

(c)in connection with a function of the Health and Safety Executive which relates to emergencies.

(2) For the purposes of paragraph (1), it is immaterial whether the disclosure is made pursuant to a request made under regulation 47.

(3) In paragraph (1), the reference to the Health and Safety Executive includes a reference to an officer of the Executive.