Law Commission issues final report on protection of official data

September 9, 2020

The Law Commission has concluded its report on reviewing the Official Secrets Acts to “make sure Britain is safe in the 21st century”. The report follows a consultation in 2017. The findings of the report will be of interest to tech lawyers in a number of ways. 

The Law Commission makes recommendations aimed at ensuring that:

  • the law governing both espionage and unauthorised disclosures addresses the nature and scale of the modern threat;
  • the criminal law can respond effectively to illegal activity (by removing unjustifiable barriers to prosecution); and
  • the criminal law provisions are proportionate and commensurate with human rights obligations.

The Law Commission is recommending that the Official Secrets Acts 1911, 1920 and 1939 be replaced with a new Espionage Act. However, the new Act should retain the two existing types of espionage offence (espionage by trespass or observation and espionage by collection or communication of information). It is not recommending replacement of the Official Secrets Act 1989 (concerned with unauthorised disclosures, or “leaks”), but reform of those existing offences.

Updating archaic language

The Official Secrets Acts 1911-1939 were enacted long before the digital age. They use language that reflects the era in which they were drafted. The 1911 and 1920 Acts contain references to “a sketch, plan, model, note and secret official pass word and code word”, which are anachronistic and do not reflect the types of information needing protection. These terms should be replaced with “document, information or other article” and information should be defined to include any program or data held in electronic form.

Significant link with the UK

The technical reality of modern data sharing and storage, as well as engagement with the private sector, means that UK proprietary data (ie data owned or controlled by the UK government) can be held on servers outside the jurisdiction. The test for offences being committed should be whether there is a “significant link” between the individual’s behaviour and the interests of the UK. Further, “significant link” should be defined to include not only the case where the defendant is a Crown employee or contractor, but also the case where the conduct relates to a site or data owned or controlled by the UK government (irrespective of the identity of the defendant). 

Legal advice

There is a persuasive argument that, in some cases, disclosures for the purpose of legal advice should be authorised. However, such disclosures should not risk the security of highly sensitive information: it is only as secure as the weakest link in the chain. Highly sophisticated actors across the globe will attempt to exploit any weakness (whether personal or technical) in the protection of sensitive information, so safeguards must be in place. The Law Commission recommends that certain disclosures for the purpose of seeking legal advice should be authorised disclosures under the terms of the Official Secrets Act 1989, subject to the lawyer having the requisite security clearance and having undergone systems/premises assurance. Having been through a vetting process would clearly serve to emphasise to the lawyer in receipt of the sensitive information what the consequences might be of unauthorised onward disclosure and failure to safeguard the information. A further value of the vetting process would be to allow the security services to assess the vulnerability of the lawyer to pressure from hostile agents to disclose the sensitive information. Some lawyers would be unwilling to comply with the process even if at the state’s expense. The Law Commission therefore considered whether the objectives of the vetting process can be achieved, albeit in diluted form, by strong professional obligations on legal advisers made via the relevant professional codes. It concluded that they could not.

Application to civilians

The Law Commissions recommend that a statutory public interest defence should be created for civilians, including journalists, that they can rely upon in court. It considers that the defence should succeed only if the court finds that the disclosure was in fact in the public interest. 

This necessitates a two-stage analysis: first, whether the subject matter of the disclosure was in the public interest; and secondly, whether the manner of disclosure was in the public interest. The Law Commission also says that the legal burden of proving the defence should rest on the defendant, and that this is not prevented by the right to a fair trial in Article 6 of the ECHR. Beyond this, the Law Commission regards it as a political matter for the UK government and, ultimately, Parliament to determine in any legislation.

The Law Commission has also concluded that for public servants there should be created in statute a procedural mechanism whereby their concerns about possible wrongdoing can be investigated effectively. This would take the form of an independent commissioner to receive and investigate complaints of serious wrongdoing where disclosure of the matters referred to may otherwise constitute an offence under the Official Secrets Act 1989. That commissioner would also be responsible for determining appropriate disclosure of the results of that investigation. However, there should be a residual statutory public interest defence for public servants upon which they can rely in court.

Next steps

The UK government will now review and consider the recommendations.