Official secrets

Official secrets

The government creates, re-uses and receives information on a daily basis to carry out the functions of Parliament, the executive and judiciary. Some of this information can be construed as confidential, attracting protection from disclosure, such as:

•
records of meetings—official records of opinions and information shared at internal meetings
•
employee data—contact details, pay and benefits, performance and absence
•
trade secrets—information divulged to government as part of procurement processes and consultation
•
intelligence—on international and national affairs within the police and intelligence agencies
•
patient records—within the NHS information on patients’ illnesses, treatment and check ups

Some information held by the government may damage national security if disclosed to the public and is therefore classified. This subtopic considers some of the key legal issues concerning confidential and classified information, focussing on the protection of official secrets.

The Official Secrets Acts (the Official Secrets Act 1911 and the Official Secrets Act 1989) protect government secrets which would damage national security if made available to the general public. Based on the principle that information which the government needs to collect, store, process, generate or

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest Information Law News

Automated decision-making and DSARs: right to access means a right to explainability (CK v Magistrat Der Stadt Wiendun & Bradstreet Austria GMBH)

Information Law analysis: The Court of Justice provided several clarifications around the scope of data subject access requests (DSARs) in the context of automated decision-making. The court held the determining factor for whether information constitutes ‘meaningful information about the logic involved’ under Article 15(1)(h) of the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) is whether the information enables the data subject to understand the logic involved in automated decision-making involving their personal data. The court also held disclosure by controllers should be underpinned by the principles of transparency, which requires information to be clear, accessible and intelligible, both in terms of content and form, from the perspective of data subjects. In the context of automated decision-making this doesn’t necessarily mean providing the exact algorithm, if it doesn’t help the data subject’s understanding of the ‘how’. The court confirmed DSARs do not mandate the disclosure of trade secrets, but this can only be decided by the relevant supervisory authority or competent court, after assessing all relevant information provided to them by a controller. The protection of trade secrets cannot be used as a blanket excuse by businesses to withhold certain information from individuals making a request under Article 15(1)(h) of the EU GDPR. Written by Marija Nonkovic, associate at Kemp IT Law LLP.

NCSC releases new principles for privileged access workstation implementation

The National Cyber Security Centre (NCSC) has published new principles for implementing privileged access workstations (PAWs). The principles provide organisations with guidance on establishing restricted workstations for accessing high-risk systems. The guidance emphasises that PAWs should be implemented as part of broader security controls, with focus on establishing trust through auditable systems and validated controls. The principles aim to help organisations protect against privilege escalation and reduce vulnerability to cyber attacks through administrative interfaces.

Information Law weekly highlights—27 March 2025

Welcome to this week’s edition of the Information Law weekly highlights: a hand-picked summary of news analysis, updates and new content related to laws governing the use and dissemination of information and personal data. Each week these highlights focus on developments in key topics such as data protection, ePrivacy, cybersecurity, breach of confidence, misuse of private information, and defamation.

ICO fines NHS software provider £3m for data protection breaches

The Information Commissioner's Office (ICO) has fined Advanced Computer Software Group Ltd £3.07m following a 2022 ransomware attack that compromised personal data of 79,404 individuals, including National Health Service patients. The breach occurred due to inadequate security measures at Advanced's healthcare subsidiary, specifically incomplete multi-factor authentication coverage. Advanced agreed to a voluntary settlement, reduced from an initial £6.09m fine, after demonstrating cooperation with authorities including the National Cyber Security Centre and National Crime Agency.

View Information Law by content type :

News