[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]
	England and Wales High Court (Administrative Court) Decisions
You are here: BAILII >> Databases >> England and Wales High Court (Administrative Court) Decisions >> Secretary of State for Home Department, R (on the application of) v The Information Tribunal [2006] EWHC 2958 (Admin) (23 November 2006) URL: http://www.bailii.org/ew/cases/EWHC/Admin/2006/2958.html Cite as: [2006] EWHC 2958 (Admin), [2007] 2 All ER 703, [2008] 1 WLR 58

[New search] [Printable RTF version] [Buy ICLR report: [2008] 1 WLR 58] [Help]

IN THE HIGH COURT OF JUSTICE
QUEEN'S BENCH DIVISION
(DIVISIONAL COURT )

		Royal Courts of Justice Strand, London, WC2A 2LL
		23 November 2006

Lord Justice Latham:

Introduction

1. This application arises out of a dispute between the claimant and the interested party ("the Commissioner") in relation to the functions and powers of the Commissioner when an issue arises in relation to personal data thought by the Commissioner to be in the possession of the claimant, but which the claimant considers should be exempt from disclosure in order to safeguard national security. The application is for judicial review of a decision of the National Security Appeals Panel of the Information Tribunal (the Tribunal) of the 28^th July 2005. In its decision, the Tribunal allowed an appeal by the Commissioner under s 28(4) of the Data Protection Act 1998 (the 1998 Act) against a certificate signed by the claimant on the 31^st March 2004 pursuant to section 28(2) of the Act, and quashed the certificate. The certificate in question was signed by the Rt Hon David Blunkett M.P., was directed to the Commissioner and certified that exemption was required from Part V of the 1998 Act in respect of any personal date not identified in a Schedule to the Certificate, for the purposes of safeguarding national security.

The Story

2. The problem arose out of a request by an individual (whom I will refer to as the data subject) pursuant to section 7 of the 1998 Act to the Immigration and Nationality Directorate of the Home Department (the Department) for information as to any personal data relating to him held by that Department. Subject to any question of exemptions under, inter alia, section 28 of the 1998 Act, the Department, as a data controller was required pursuant to that section to provide such information as to the personal data being "processed", which includes holding or storing, by the Department. The Department replied:

"We have processed your request and enclose copies of all the information which IND is required to supply under the Data Protection Act 1998".

3. No further information was forthcoming. The data subject was dissatisfied by the response and accordingly requested the Commissioner to intervene stating in the form which he submitted to the Commissioner:

" I asked for a copy of my data but some information has been withheld"."

4. The Commissioner concluded that this should be treated as a request "for assessment" pursuant to section 42 of the 1998 Act. This section, so far as material, provides as follows:

"(1) A request may be made to the Commissioner by or on behalf of any person who is, or believes himself to be, directly affected by any processing of personal data for an assessment as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of this Act.

(2) On receiving a request under this section the Commissioner shall make an assessment in such manner as appears to him to be appropriate ...

(3) ........

(4) Where the Commissioner has received a request under this section he shall notify the person who has made the request –

a. whether he has made an assessment as a result of the request, and

b. to the extent that he considers appropriate, having regard in particular to any exemption from section 7 applying in relation to the personal data concerned, of any view formed or action taken as a result of the request."

5. The Commissioner's compliance officer informed the Department of the Commissioner's decision to conduct an assessment by letter dated the 20^th August 2003 identifying matters contained in the material which had been provided to the data subject which suggested that there was other information available and asking for it to be disclosed, in particular asking whether any personal data had been withheld under the exemptions available under the 1998 Act. In its reply the Department indicated that it considered that "the national security exemption provided by section 28" of the 1998 Act applied at least to some material which accordingly would not be made available to the Commissioner. It was also stated that much of the information surrounding the case was confidential; and the Commissioner was asked not to make the information in the letter available to the data subject.
6. The Assistant Commissioner replied:

"I note that you seek to rely on section 28 of the Data Protection Act 1998 in withholding certain information from .... It is not clear from your letter whether a certificate signed by a Minister of the Crown as described in sub-section 2 of section 28 is in existence. It would assist the Commissioner in considering ... request for an assessment of the processing if you could provide us with a copy of the certificate. In the absence of a Certificate the Commissioner would clearly have to give consideration to the question whether it would be appropriate to seek a copy of the information withheld by way of an Information Notice or whether there might be some other means by which he could be assured that proper reliance had been made upon the exemption.

It is also not clear whether in fact you have informed .... of your reliance on section 28 and the existence of any Ministerial Certificate. As you know where a person is directly affected by the issuing of a certificate under sub-section 2 they may appeal to the Tribunal against the certificate. Clearly ....... would wish to consider this option."

7. The Department's reply made it plain that the data subject had not been informed of any reliance on section 28 and the Department did not intend to do so. The letter ended:

"Beyond this, and as I explained in my previous letter, because of the constraints imposed by section 28, we cannot comment further. I appreciate that this makes it difficult for you to form a judgment whether personal data has been unreasonably withheld. You have suggested there might be another way of exploring and progressing this assessment without recourse to the documents retained under section 28. I will be pleased to hear more about your approach."

8. The Commissioner's response was set out in a letter from the Assistant Commissioner. It is worthwhile setting out substantial parts of the letter, which sets the scene for the formal proceedings.

"As you will see we believe that the best means of bringing these matters to a conclusion is through the formal process envisaged by the Data Protection Act 1998. Enclosed, therefore, is a copy of a Preliminary Information Notice issued to the Secretary of State for the Home Department, indicating the information which the Commissioner considers should be supplied to .... to allow .... to conduct an assessment of the processing of personal data under section 42 of the Act.

If the Department wishes to make representations to the Commissioner before he makes his final decision as to whether to serve an Information Commissioner (sic) these should be received by 12 December 2003.

It seems to me that the options open to the Department are as follows:

1. Obtain a Ministerial Certificate as envisaged by section 28 of the Act. The effect of this would be to advise .... of the grounds for the partial refusal ... subject access request and allow ... to make a decision as to whether to exercise ... rights of appeal to the Information Tribunal. The issue of a Certificate would also have the effect of preventing the Commissioner himself from issuing a final Information Notice. The Commissioner would himself then have to consider an appeal to the Tribunal. ......

2. The Department may then make representations, as indicated above to the Commissioner as to why it would be inappropriate to serve an Information Notice. In effect the department would seek to persuade the Commissioner that it had properly relied upon section 28 without the need to demonstrate this through obtaining a Ministerial Certificate. It is clearly open the (sic) department to make whatever representations in this regard it deems appropriate. As an alternative to providing the Commissioner with copies of all the Information set out in the Schedule to the Preliminary Notice, we suggest that one option might be to agree to make some or all of the information available to the Commissioner personally in this course (sic) of a visit to the Home Office. If the concern of the Department is in the release of sensitive information the Commissioners Office, we believe such a solution may at least address that concern. Naturally that may also provide an opportunity for the Department to make its representation directly to the Commissioner.

In conclusion, I would stress that although we find the general practice of not explaining the grounds for the refusal of such access for requests to be objectionable, we do not seek to suggest that in this particular case that (sic) the Department has improperly intended to rely upon the exemption. The purpose of the Preliminary Information Notice to be followed, if necessary, with a final Notice is simply to allow the Commissioner to fulfil his duties under section 42 of the Act. There is no suggestion in other words, at this stage, that the commissioner has reached any conclusion that it seems likely or unlikely that the Department has complied with the requirements of the Act.

A Preliminary Information Notice was then issued by the Commissioner in respect of information held by the Department in respect of the data subject. The affective part of that Notice stated that the Commissioner was minded to issue a formal notice under section 43 of the 1998 Act requiring the disclosure of the information which had been requested in the Commissioners original letters. It was clear from the notice itself that the Commissioners intention was to bring the matter to a head as the Assistant Commissioner had indicated in his letter. "

9. The Department in its reply, first stated:

"As you are aware, section 28 of the Data Protection Act limits the extent to which we are able to assist you in this case. We will obtain a Ministerial Certificate signed by the Home Secretary should we be required to do so, but would first like to provide you with as much information as we possibly can given the limits imposed on us by the Act"

10. The letter, however, was accompanied by a set of papers as to which it was said:

"Although we cannot supply you with copies of the full documents we can supply information from them beyond that supplied .... in response to .... subject to access request. I hope that this will be of some assistance to you in carrying out this assessment. Although certain parts of the text have been redacted, I hope that you will agree the remainder of the text not provided .... is not..... personal data and its disclosure was therefore not required when responding to ... request. Please do not disclose the information contained in "Annex A" to ....

I hope that you find this letter and enclosed documents useful in conducting your assessment in this case. However should you still feel it to be necessary, we will provide you with a Ministerial Certificate. I look forward to receiving your further views on this matter."

11. The Commissioner's response was to serve an Information Notice pursuant to section 43 of the 1998 Act asking for an unredacted version of the information supplied in the form of Annex A referred to in the last letter from the Department. The covering letter to that Notice said as follows, in so far as the Department was claiming exemption for the purposes of safeguarding national security.

"I turn now to the information which you do not wish to release. Firstly, I should correct the impression given in the second paragraph of your letter namely that section 28 of the Data Protection Act limits the extent to which we are able to assist you in this case. s. 28 does not prevent you from providing information to the Commissioner. Rather, assuming that the exemption is properly claimed, it prevents the Commissioner from making an assessment or from taking enforcement action or serving an information notice. So that data controllers are not put in the difficult position of having to persuade the Commissioner that the exemption has been properly claimed without in fact disclosing to him information which might prejudice national security there is the provision for the issuing of a Ministerial Certificate. As I understood it from our earlier correspondence, you have two grounds for withholding information from ...... clearly in some cases at least these grounds over lap.

The first ground is the question of prejudice to national security. Without sight of the information which has been redacted, it is impossible for us to reach a view. However, I am not convinced that the parts that have not been redacted could not be released without prejudice of National Security.

To summarise, while I am grateful for the additional information which you have provided, I am not convinced that it is necessarily correct to rely upon s. 28 of the Act nor that all the material which has been withheld can properly be said to lie outside the scope of the Act. For these reasons it has been decided to serve an Information Notice upon the Secretary of State for the Home Department."

12. It was in these circumstances that the Ministerial certificate which was the subject of the appeal came into being. As I have already said in paragraph 1 of this judgment, it was signed by the Rt Hon David Blunkett MP and was directed to the Commissioner. The formal paragraph reads as follows:

"Now therefore, I, the Rt Hon David Blunkett MP being a Minister of the Crown who is a member of the Cabinet in exercise of the powers conferred by section 28(2) of the Act to issue this certificate and certify that exemption is required from Part V (in particular, section 43) of the Act in respect of any personal data which would be disclosed by compliance with the Information Notice which will not already be disclosed to the Information Commissioner in the attached Schedule for the purpose of safeguarding national security."

13. The Notice was accompanied by a letter also dated the 31st March 2004 which said as follows as to the Schedule:

"Before issuing the certificate, the degree to which section 28 exemption applies has been reconsidered again. As a result of this the schedule to the certificate differs in certain respects from the document "Annex A" enclosed with my letter dated .... you will note that in the draft letter attached to the memorandum dated ..... the sentence in the third paragraph beginning...... is now disclosed to a greater extent than was the case before. In addition the names of individual ministers are now included in the memorandum dated .... and a letter dated ... However all the material previously held continues to remain subject to the exemption in section 28."

14. The result of the issuing of the Information Notice under section 43 of the 1998 Act, and the Ministerial Certificate under section 28 of the 1998 Act was to trigger rights of appeal of the Information Tribunal as will be apparent from the sections to which I will return later. Those rights were exercised by the claimant in respect of the Information Notice under section 43, and the Commissioner in respect of the Ministerial Certificate under section 28. The Tribunal directed, as I understand it with the consent of the parties, that the Commissioner's appeal under section 28 should be dealt with first; and it is the Tribunal's decision in respect of that appeal which is the subject of the proceedings before us. As far as the claimant's appeal under section 48 of the 1998Act is concerned, in relation to the Information Notice, that stands adjourned pending determination of these proceedings.

The Statutory Provisions

15. The statutory provisions with which these proceedings are directly concerned, apart from sections 7 and 42 of the 1998 Act to which I have already referred, which were essentially the trigger for the dispute, are sections 28 and 43. But the argument about their effect necessarily involved consideration of the structure of the Act as a whole, and its genesis in the Convention for the Protection of Individuals with regard to Automatic Processing Personal Date (the Convention) and Directive 95/46EC of the European Parliament and the Council 24 October 1995 on the protection of individuals with the regard of the processing of personal data and on the free movement of such date ("the Directive").
16. Part I of the Act includes the basic interpretative provisions, and by reference to Schedule 1 to the Act sets out the "data protection principles". For our purposes the most significant principle is principle 6, which is that:

"Personal data should be processed in accordance with the rights of data subjects under this Act."

17. As I have already said, "processed" includes holding or storing. And one of the rights of a data subject under the Act is the right under section 7 to access to his personal data.
18. By section 6 the office of the Commissioner is provided for, as is the Data Protection Tribunal. As far as the Commissioner is concerned, section 54 (1)(b) of the Act states that the Commissioner shall be "the supervisory authority in the United Kingdom for the purposes of the Data Protection Directive". By Article 28 of the Directive, it is provided:

"1. Each member state shall provide that one or more public authority is responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive. These authorities shall act with complete independence in exercising the functions entrusted to them.

....

3. Each of the authorities shall be endowed with:

– Investigative powers, such as powers of access to data forming the subject matters of processing matters and powers to collect all the information necessary for the performance of it supervisory duties.

.....

– Effective powers of intervention.

.....

4. Each supervisory authority shall hear claims lodged by any persons, or by an association representing that person, concerning the protection of his rights and freedoms in regard of the processing of personal data. The person concerned shall be informed of the outcome of the claim. Each supervisory authority shall, in particular, hear claims for checks on the lawfulness of data processing lodged by any person when the national provisions adopted pursuant to Article 13 of this Directive applies. The person shall at any rate be informed that a check has taken place.

...."

19. I will return to Article 13 later in this judgment.
20. Part II of the 1998 Act sets out the rights of data subjects, and includes section 7 to which I have already referred in general terms and which is the only relevant section for the purposes of these proceedings. So far as is relevant this section provides:

"(1) Subject to the following provisions of this section and sections 8 and 9, an individual is entitled –

(a) to be informed by any data controller whether the personal data of which that individual is the data subject are being processed by or on behalf of that data controller,

(b) if that is the case, to be given by the data controller a description of –

(i) the personal data of which that individual is the data subject ,

(ii) the purposes for which they are being or are to be processed, and

(iii) the recipients or classes of recipients to whom they are or may be disclosed,

To have communicated to him in intelligible form

(i) the information constituting any personal data of which that individual is the data subject and

(ii) any information available to the data controller as to the source of those data …"

21. Part III relates to obligations of data controllers and does not provide any significant assistance in the present dispute.
22. Part IV contains section 28 and is headed "Exemptions". Section 28 provides:

"(1) Personal data are exempt from any of the provisions of –

(a) the data protection principles,

(b) Parts II, III and V, and

(c) Section 54A and section 55,

if the exemption from that provision is required for the purpose of safeguarding national security.

(2) Subject to sub-section (4), a certificate signed by Minister of the Crown certifying that exemption from all or any of the provisions mentioned in sub-section (1) is or at any time was required for the purpose there mentioned in respect of any personal data shall be conclusive evidence of that fact.

(3) A certificate under sub-section (2) may identify the personal data to which it applies by means of a general description and may be expressed to have prospective effect.

(4) Any person directly affected by the issuing of a certificate under sub-section (2) may appeal to the Tribunal against the certificate.

(5) If on an appeal on sub-section (4) the Tribunal finds that, applying the principles applied by the court on an application for judicial review, the minister did not have reasonable grounds for issuing the certificate, the Tribunal may allow the appeal and quash the certificate.

.........

(11) No power conferred by any provision in Part V may be exercised in relation to personal data which by virtue of this section are exempt from that provision.

…."

23. This section, the meaning and effect of which is critical to the issues in this case, has to be read in the context of certain provisions of the Directive to which we have already referred.
24. Paragraph 13 of the preamble to the Directive provides:

"Whereas the activities referred to in Titles V and VI of the Treaty on European Union regarding public safety, defence, State security or the activities of the State in the area of the criminal laws fall outside the scope of Community law, without prejudice to the obligations encumbent upon Member States under Article 56 (2), Article 57 or Article 100 (a) of the Treaty establishing the European Community; whereas the processing of personal data that is necessary to safeguard the economic well-being of the State does not fall within the scope of the Directive where such processing relates to State security matters;"

25. Article 3 provides:

"Scope"

.............

(2) This Directive shall not apply to the processing of personal data:

in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles in V and VI of the Treaty on European Union and in any case to processing any operations concerning public security, defence, State security (including the well-being of the State when the processing operation relates to State security matters) and the activities of the State and areas of criminal law."

26. Article 13 provides:

"Exemptions and Restrictions"

1. Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for an Article 6, 10, 11(1), 12 and 21 when such restriction constitutes a necessary measure to safeguard;

(a) national security;

(b) defence

(c) public security;

(d) The prevention, investigation, prosecution of criminal offences or breaches of ethics for regulated professions….."

27. Part (V) of the 1998 Act contains the enforcement provisions. These include sections 42 and 43. I have already set out the relevant provisions of section 42. Section 43 provides:

"(1) If the Commissioner –

a. has received a request under section 42 in respect of any processing of personal data or

b. reasonably requires any information for the purpose of determining whether the data controller has complied or is complying with the data protection principles,

he may serve the data controller with a notice (in this Act referred to as "an information notice") requiring the data controller within such time as is specified in the notice, to furnish the Commissioner in such form as may be so specified, with such information relating to the request or to compliance with the principles as is so specified

……."

28. Section 48 gives to any person on whom an information notice has been served the right to appeal to the Tribunal against the Notice.
29. Part VI of the Act headed "Miscellaneous and General" contains, in section 51, a description of the functions of the Commissioner. The relevant provisions of this section are as follows:

"(1) It shall be the duty of the Commissioner to promote the following of good practice by data controllers and, in particular, so to perform his functions under this act as to promote the observance of this Act by data controllers

….

(6) The Commissioner, may with the consent of the data controller assess any processing of personal data for the following of good practice and shall inform the data controller of the results of the assessment

.……

(9) In this section – "good practice" means such practice in the processing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, and includes (but is not limited to) compliance with this Act".

30. Finally, by Schedule 6 to the 1998 Act provision is made for appeals. Paragraph 2 deals with the constitution of the Tribunal in National Security cases, that is appeals under section 28(4) which is to be comprised of those specifically designated by the Lord Chancellor. Paragraph 7 contains the rule making power and includes reference to hearings in camera, in the absence of an appellant and determination of an appeal without a hearing. The relevant rules are the Information Tribunal (National Security Appeals) Rules 2005 which include an obligation under Rule 4(1) to ensure that information is not disclosed contrary to the interests of national security. It is to be noted that Rule 7(1)(b)(ii) provides that the copy of any notice of appeal should be sent to the Commissioner "Where he is not the appellant". Further by Rule 13 provision is made for the procedure to be followed where the Minister objects to information being disclosed to the Commissioner.

The Issues

31. The claimant's case is essentially set out in the witness statement of Oliver Lendrum dated the 27^th January 2005. In this he explains that the nature of the disclosure given by the Department to the data subject was in conformity with the Government's policy in relation to matters involving security and intelligence agencies, namely to "neither confirm or deny" the existence of information. He identifies the issues in the following paragraphs:

"22. The Respondent acknowledges that the core issue in this appeal is whether the information should be disclosed to the Appellant, who wishes to assess whether non-disclosure of the information to .... was necessary to safeguard National Security.

23. However, the respondent believes that the disclosure of the information to the appellant is unnecessary for the proper performance by the appellant of functions under the 1998 Act. The appellant's functions do not include the making of such an assessment. The supervision under the 1998 Act of the respondent's decisions about non disclosure for that reason are reserved to this tribunal by section 28 as intended by Parliament when passing the Act. Furthermore the Investigatory Powers Tribunal is the appropriate forum for any complaint by a member of the public that the respondent has made an erroneous decision to adhere to the "neither confirm nor deny" policy."

32. He went on to state that the claimant could not be assured that security of information if it were to be disclosed to the Commissioner and set out a number of reasons for his having taken that view. He concludes:

"26. Consequently the precautionary principles underling the protection of national security required the respondent to regard the information as at risk of further disclosure .... (or other members of the public) once it has been disclosed to the appellant.

27. Therefore, as it is unnecessary under the 1998 Act to disclose the information to the appellant, and as none disclosure of the information to the appellant is necessary to ensure none disclosure of the information to .... (or other members of the public) which in turn is necessary for the safeguarding of national security, the respondent had reasonable grounds for signing the certificate which is the subject of this appeal."

33. A necessary consequence of this argument was that the Commissioner was not a person "affected" by the section 28 certificate because he had no duty or function to perform which was being in any way interfered with by the existence of that certificate. In other words, the Commissioner had no right to appeal under section 28(4) of the 1998 Act. In issuing the Information Notice in relation to material exempted from the enforcement provisions of Part 5 of the 1988 Act, he was acting outside his statutory remit. The Commissioner submitted that this was an untenable argument. He pointed to the duties imposed upon him under section 51(1) of the 1998 Act, which are unaffected by section 28. The Commissioner was under a duty pursuant to that section, and in accordance with Article 28(4) of the Directive, to enquire into the extent which the national security exemption was being properly claimed. The section 28 Certificate as drawn was directed to disclosure to the Commissioner, but appeared essentially to be based upon the conclusion that the material was exempt from disclosure to the data subject, and that accordingly exempt from the provisions of Part 5 including the provisions of Section 43 of the 1988 Act.
34. That completely misunderstood the Commissioners position. He was entitled to make such enquiries as were not precluded by the interests of National Security, that is safeguarding the information from such breech of National Security which might be occasioned by disclosure to him. It followed that the questions which should have been asked by the Secretary of State were whether the material was so sensitive that even the Commissioner should not be permitted to see it. That was not the question asked by the Secretary of State and accordingly the decision to issue the certificate was flawed.

The Tribunal Decision

35. The conclusions of the Tribunal on these issues are set out in paragraph 59 of the decision in the following terms:

"Our conclusions are:

(i) As the 1998 Act must be construed, so far as it is possible to do, so as to accord with the Directive .... and given the terms of Article 28(4) and Article 13 (which does not exclude Article 28(4)) The role of the supervisory authority (i.e. the Information Commissioner ....) cannot in our judgment be excluded on the ground of national security. In our judgment, within the context of Section 28 exemptions, the Commissioner and the Secretary of State each has a role to play. This view, it seems to us, is reinforced by section 51(1) of the Act (not a provision from which "personal data" are exempted by section 28) which extends the Commissioners duty

"so as to perform his functions under the act as to promote the observance of the [its] requirements..."

to all data controllers.

ii) Various factors are relevant to any section 28 assessment as to whether exemption from any of the specified provisions is "required" for the purpose of safeguarding national security. Those factors include:

a) the nature of the data – the spectrum of "security-sensitive" material is wide; to some material a significantly greater degree of sensitivity will be attached.

b) the status and attributes of the entity it seeking in disclosure;

c) the degree to which any "risk" attached to a particular disclosure can be "managed";

d) the terms of the specific provision(s) from which exemption is being considered:

e) where information is sought by the Commissioner, the fact that he has a statutory role to play in the context of section 28 exemptions.

iii. The assessment exercise relating to whether exemption is required for the purpose of safeguarding national security is to be conducted objectively both by the data controller and by the Commissioner in considering his Part V powers. In the event of disagreement, the data controller's assessment will be subject to the procedures under the Act for the final determination of the question. (See below)

iv. The terms of section 28(11) highlight the need for scrupulous observance of section 28(1). Exemption from one or more of the specified provisionary is only permissible where an exemption from that provision is required in all the circumstances of that case, for the purpose of safeguarding national security. Section 28(11) provides:

"No power conferred by any provision of Part V may be exercised in relation to personal date which by virtue of this section are exempt from that provision."

In our judgment in relation to section 43, section 28(11) means no more than the power to compel disclosure may not be exercised in relation to "personal data" which by virtue of section 28 are properly exempt from the provision. The Commissioner if confronted with a section 28 certificate can do nothing save appeal against it. Prior to the issuing of a certificate, he is entitled to seek disclosure, indeed to press for it either on the basis of appropriate representations or by issuing a section 43 Notice (but as to the latter course see paragraph 68 below) or both. Section 28(11) does not bite upon those options. That sub-section bites only in relation to personal data which by virtue of section 28, "are exempt from that provision" – not which by virtue of section 28 "are thought to be exempt from that provision". Once the certificate has been issued the position changes – the certificate is "conclusive" evidence of the fact that the exemption from the specified provision(s) is required for the purpose of safeguarding national security. Furthermore, against a s. 43 notice, the Secretary of State has the right of appeal (section 48(1)) and the notice is suspended pending appeal (section 43(4)). If included in the notice is a "section 43(5) statement" although section 43(4) does not apply in relation to that statement, the Secretary of State may none the less appeal against the statement by virtue of, and on the grounds set out in section 48(3). The Tribunal's powers in such a case are to be found in section 49(4). Although by reason of section 49 an appeal by the Secretary of State under section 48(1) would expose him to the risks of having to reveal that national security – sensitive data exist and to their production pursuant to the discretion of the Tribunal, these risks are removed by section 28(2) (the certificate provision) which provides that the certificate is conclusive evidence of the fact that exemption from the specified provisions is (or at any time was) required for the purpose of safeguarding national security.

(v) The fact that the Secretary of State may have sound national security reasons for co-operating with a section 42 assessment only up to a point and for not providing all the information sought by a section 43 notice, in our judgment does not mean that the Commissioner is exceeding his statutory functions by persisting with his assessment and participating in appeals. Contrary to the Respondent's submissions in our judgment, the Commissioner does have a statutory role to play in the context of section 28(1) exemptions, and in particular, his functions do include (in appropriate cases):

"the making of an assessment where the non-disclosure of information to .... was necessary to safeguard national security." (Lendrum paragraphs 22 and 23)

vi. National security considerations may impose limitations on the arrangements as to the scope and/or manner of an assessment. These limitations will be to the full extent required for the purpose of safeguarding national security – but no further.

v. As the certificate was signed on the premise that the Commissioner had no statutory role in the context of section 42 exemptions it must follow that the Secretary of State fundamentally misdirected himself as to the law and accordingly did not have reasonable grounds for issuing the certificate. This means that the certificate is liable to be quashed.

vi. Although we recognise that the Secretary of State when considering the position afresh (albeit mindful of the decision) may conclude in respect of the three redacted passages that exemption from one or more of the Part V provisions is, in all the circumstances required for the safeguarding of national security, we cannot be sure either that he will so conclude even that such a conclusion is likely. We say that for these reasons:

a. These proceedings have not been concerned with the detail of the material in the redacted passages.

b. The Secretary of State has hitherto not considered their disclosure having had regard to the existence of the Commissioner's statutory role in this context.

c. At or about the time the certificate was signed the Secretary of State reduced the four redactions to three because on reflection the formerly redacted material was considered to fall outside section 28...... it is also clear from the Departments letter to the Commissioner of the 31^st March 2004 that a point taken by the Commissioner on the Department's view as to what did and what did not constitute "personal data" within the meaning of the Act, was accepted ......

ix. We have accordingly concluded that our discretion should be exercised in favour of the appellant and that therefore the section 28 Certificate signed by the Secretary of State and dated the 31^st March 2004 must be quashed.

The argument before us

36. Mr Crow, on behalf of the claimant, submitted that these conclusions failed to grasp the inescapable logic of section 28. In his submission, section 28 gives effect to the clear principle enunciated in the Directive in Articles 3 and 13 to the effect that issues of national security are matters for the member states and are therefore accordingly excluded from control under the Directive. Section 28 makes it plain that the question of whether or not national security is engaged in relation to the disclosure of any material is a matter to be determined objectively. Exemption from disclosure either is or is not required for the purpose of safeguarding national security. Accordingly, if it is exempt from disclosure the Commissioner has no powers which he can exercise under Part V, and accordingly has no function to perform in relation to those powers which could entitled him to second guess a Ministerial Certificate. He submits that that is the function of the Tribunal on a properly constituted appeal under section 28(4) which could only be brought by the data subject, who is in this context the only person "directly affect by the issuing of a Certificate". That is the inescapable result of section 28(11). He points out that the right of appeal vested in the data subject, together with other avenues by which the data subject can challenge the failure to disclose the material, mean that there is no need for the Commissioner to be given a right of appeal in order to resolve the question whether or not the material is exempt by reason of section 28.
37. Mr Supperstone, on behalf of the Commissioner, submits that the Tribunal came to the correct conclusion. In particular, he submits that the functions of the Commissioner set out in section 51 must include the power to challenge the say so of a Minister as to whether or not material is exempt under section 28 in order to give affect in domestic law to Article 28(4) of the Directive. The issuing of the certificate under section 28(2) accordingly directly affects his performance of his functions so as to give him a right of appeal under section 28(4).

Conclusions

38. I have unhesitatingly come to the conclusion that the Tribunal and Mr Supperstone are right. Whilst Mr Crow's argument has the apparent attraction of logical simplicity, it seems to me that it fails to grapple with the effect of section 51, in particular section 51(1). That subsection entitles, if not requires, the Commissioner, if he considers it appropriate, to "check" (to use the language of the Directive) whether an exemption under section 28 has been properly claimed. If it has not, it is a necessary corollary that the data controller has not "observed" the requirements of the Act. He has failed to give the data subject access to material which is not exempt by reason of section 28. As the Tribunal has said, the consequence is that the Commissioner is entitled to seek to satisfy himself that the material is indeed exempt under section 28. The claimant can then decide whether the material can be disclosed to the Commissioner without that disclosure damaging national security.
39. A substantial proportion of the material before us provided by the claimant is directed to his concerns as to the possible damage to national security which might result from such disclosure to the Commissioner whose office may not have in place the necessary machinery to ensure the maintenance of an appropriate level of security. It seems to me that this is where the real problem in this case arises. There has been some confusion of thought. The root question is whether or not the claimant as a data controller holds material which is exempt under section 28 from disclosure to the data subject under Part I of the Act, and from the enforcement powers of the Controller under Part V, which are intended to secure the data subject's rights under Part 1. In other words the question at the end of the day is whether or not disclosure to the data subject would in someway compromise national security. And that, ultimately, will be the purpose of the appeal to the tribunal.
40. That issue is being confused with the question of whether or not the Commissioner should himself be precluded from seeing the material, because disclosure to him would compromise national security. As I have said, that seems to me to be a matter about which the claimant in the present case has to make up his own mind, but in the light of the fact that, for the reasons that I have given, the Commissioner does have a role to play in determining whether or not the claim to exemption under section 28 is well founded, which is not the basis upon which he approached the problem in the present case, which is why I consider that the Tribunal came to a correct conclusion.
41. If the Claimant continues to take the view that it would or might, compromise national security then it would be appropriate for him to issue a furthersection 28 certificate. The Commissioner is, in my view, entitled then to appeal that certificate because the fact that the certificate is conclusive evidence of the fact that exemption is required for the purpose of safeguarding national security means that he has been "directly affected" by the issuing of the certificate thereby giving him the right of appeal under section 28(4). He has been "affected" by being restricted in the exercise of his powers under section 51(1). That being so, the Commissioner's right to appeal does not depend upon the conundrum posed by Mr Crow which is that, if the Tribunal is correct in paragraph 59(v) of its decision, the Commissioner is affected by reason of the fact that his powers under section 42 are engaged, which they cannot be if the section 28 certificate is upheld, making it a circular argument. As far as the claimant's anxieties as to disclosure to the Commissioner are concerned, at the appeal stage those will be dealt with by the Tribunal pursuant to the relevant Procedural Rules, which make provision for determination of whether or not material can be disclosed to a party for the purposes of the appeal itself. These rules provide implicit acceptance within the statutory scheme that the Tribunal will be entitled to make its own judgment as to whether or not disclosure to the Commissioner is appropriate for the purposes of the appeal, bearing in mind issues of national security.
42. I do not consider that the Directive requires a different answer. Mr Crow submits that Article 3 means that issues of national security are simply out -with the scope of the Directive and that section 28 is intended to give effect to this provision. The problem seems to me to be that, if he is right, Article 13 is wholly superfluous and unnecessary and Article 28(4) is simply irreconcilable with Articles 3 and 13 if that is the proper interpretation. I consider that the proper meaning and effect of the Directive is that Article 3(2) is the principle which underpins the justification for providing for exclusion under Article 13, but that Article 28(4) envisages that mechanisms will, indeed should, be put in place to determine whether or not any exemption under Article 13 has been properly claimed.
43. For these reasons, as I have said, I consider that the Tribunal was right in the conclusion to which it came. I consider that the way in which this matter was progressed in correspondence was entirely sensible. Particularly it seems to me that the letter to which I have referred in paragraph 8 above sets out the procedural position entirely correctly. The service of the section 43 Notice was a sensible method of bringing the issue to a head. Whether or not the material requested turns out to be exempt from the provision of section 43 by virtue of section 28 is an issue which needs to be decided. The fact that ultimately the Tribunal may conclude that the certificate was justified cannot mean that, until that issue is decided, the Commissioner is precluded from serving the section 43 Notice. Nor do I think that Article 3 of the Directive impels that result. The question of whether or not the material is exempt or not has yet to be decided. The mechanism for deciding it is provided for in section 28(4) and the Procedural Rules. Whilst the data subject is clearly entitled to invoke that mechanism, so is the Commissioner. That not only accords with my view of the statutory structure, but also has the practical consequence, that where the claimant or any other government department decides to invoke the "neither confirm or deny" policy, a section 28(2) Certificate can be issued by the Government Department without it necessarily having to be brought to the attention of the data subject; but the issue of the appropriateness of the certificate can nonetheless be decided. In my view, this provides appropriate protection for security-sensitive information whilst ensuing that the Commissioner can carry out his functions effectively.
44. I would accordingly dismiss this application.

Mr Justice Mackay:

45. I agree and would also dismiss this application.