Notice

National Security and Investment Act 2021: privacy notice (updated November 2023)

Updated 27 November 2023

This privacy notice is for anyone who has dealings with the Cabinet Office in connection with the National Security and Investment Act 2021.

Cabinet Office is committed to protecting the privacy and security of your personal information. This notice describes how we collect and use personal information about you in accordance with data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018.

Cabinet Office is a data controller. This means that we are responsible for deciding how we hold and use personal information about you.

We are required under data protection legislation to notify you of the information contained in this privacy notice.

This notice and the Cabinet Office Personal Information Charter explain your rights and the reasons we are using your information.

National Security and Investment Act 2021: background

The National Security and Investment Act 2021 (the ‘NSI Act’) gives the government the powers to scrutinise and intervene in acquisitions of entities and assets that may pose risks to national security. The Secretary of State in the Cabinet Office (“the Secretary of State”) is the ultimate decision maker under the NSI Act.

The NSI Act:

  • establishes a requirement for qualifying entities operating in 17 sensitive areas of the economy to seek authorisation for specific types of acquisitions
  • creates a voluntary notification system to encourage notifications from parties who consider that their acquisitions may raise national security concerns (where the business in question is not one of those automatically required to notify)
  • enables the Secretary of State to ‘call in’ statutorily defined acquisitions or other events to undertake a national security assessment (whether or not they have been notified to the government)
  • creates the power to apply remedies to address risks to national security
  • creates sanctions for non-compliance with the Act and provides clear routes for parties to challenge decisions in the courts

The NSI Act is operated by the Investment Security Unit (ISU) in the Cabinet Office. The ISU is responsible for centrally coordinating a cross-government process to scrutinise investments with potential national security threats and provide balanced advice on such investments to the Secretary of State.

Data protection principles

We will comply with data protection law. This says that the personal information we hold about you must be:

  1. Used lawfully, fairly and in a transparent way.
  2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
  4. Accurate and kept up to date.
  5. Kept in a form that identifies you for only as long as necessary, for the purposes we have told you about.
  6. Kept securely.
  7. Processed in accordance with the UK GDPR, and we must be able to demonstrate our compliance with the Accountability Principle.

The kind of information we hold about you

Personal data is information that relates to an identified or identifiable individual and only includes information relating to natural persons who:

  • can be identified or who are identifiable, directly from the information in question
  • can be indirectly identified from that information in combination with other information

Personal data we receive under the NSI Act includes:

1. Notifier name and contact details:

  • the name of the acquirer, or the individual from the acquirer who is submitting the notification, along with their position held, business address, telephone number, and email
  • alternatively, the name and contact details of the representative(s) of the acquirer who are completing the notification, and the relationship between the representative and the acquirer
  • where there is more than one acquirer notifying – the information about each additional acquirer – name, address and telephone number. The control thresholds expected to be met by the additional acquirer and a description of the shares or voting rights expected to be acquired by the additional acquirer

2. Details of the qualifying entity:

  • the name of the authorised individual in the qualifying entity, their email address, and telephone number
  • information submitted on the pre-acquisition ownership structure of the qualifying entity, which will include full names of shareholders with significant share ownership, and their nationality
  • information on the post-acquisition ownership structure of the qualifying entity, which will include full names of shareholders with significant share ownership, and their nationality

3. Details of the acquirer:

  • the acquirer’s name, country of nationality (if the acquiring party is an individual), and a description of the acquiring party’s product or activities within the UK and outside of the UK
  • an ownership structure chart to show the share ownership and voting rights in the acquirer, which will include:
    • full names of shareholders with significant share ownership
    • the nationality of individuals
    • their percentage of ownership
    • the shareholders with voting rights
    • details of their voting rights
    • information specifying whether or not any individual is acquiring indirect control over the qualifying entity
  • information provided by the acquirer on members of the Board of Directors, or equivalent, within the acquirer. This will include:
    • their individual name
    • date of birth
    • position held
    • whether they are classified as a politically exposed person (PEP)

We also collect public open-source data that is necessary for us to exercise our public functions under the NSI Act. This can include opinions, and news reports that include a broad range of categories of personal data, but only where these are necessary for us to exercise our public functions under the NSI Act. 

We may also process data on criminal convictions, where that is considered relevant to the national security assessment and shared with the ISU.

Where we run surveys, we collect your contact details and opinions. 

How your personal information is collected

We collect personal information directly from you in circumstances such as:

  • if you have made a mandatory or voluntary notification or a retrospective validation under the NSI Act
  • if we have issued you an information notice under the NSI Act asking for further information about an acquisition
  • if you have made a complaint or enquiry to us
  • if you have made an information request to us
  • if you have participated in user research or any feedback survey with us

We also receive personal information indirectly, from the following third parties and/or in the following scenarios:

  • from other public authorities, including other government departments, regulators or law enforcement bodies
  • where you have made your contact information available on your organisation’s website and we use this to contact you and your organisation in our role as a government department
  • publicly available sources, including Companies House
  • your agent or representative
  • public authorities, regulators or law enforcement bodies in other jurisdictions
  • specialist commercial data providers

In exercising its statutory functions under the NSI Act 2021, the ISU within the Cabinet Office may observe, monitor, record, retain and share within government internet data which is available to anyone. This is known as ‘open source’ material and includes:

  • News reports
  • Internet sites
  • Public records such as Companies House and Land Registry
  • Blogs and social networking sites where no privacy settings have been applied

The Cabinet Office may also use third party service providers, including aggregators of open-source information, to obtain information.

Purposes for using your personal information

We will also process your personal data in the following circumstances:

  • to check the data we hold about you is accurate and up to date
  • to compare it against other information to help protect national security
  • to assess national security risk and potential remedies to address that risk, including evidence gathering, evidence analysis and storage in line with statutory obligations
  • to implement civil and/or criminal penalties against companies who do not comply with their legal obligation under the NSI Act
  • to respond to questions sent to the department
  • to disclose personal data to law enforcement agencies
  • to process and/or follow up on feedback we have received during any surveys or user research

Our lawful basis under UK GDPR for using your personal information

Our lawful basis for assessing national security risks is that it is necessary for the performance of a task carried out in the public interest or in the exercise of our official authority as a government department. In this case that is the exercise of our functions under the NSI Act 2021. 

https://www.legislation.gov.uk/ukpga/2021/25/contents/enacted

If we conduct user research or surveys, our lawful basis will be because you gave us consent to process your data. 

Processing of special categories of personal data and criminal offence data

As part of the Cabinet Office’s statutory and corporate functions, our lawful basis for processing special category and criminal convictions data under UK GDPR is set out in Schedule 1, Data Protection Act 2018 (see below).

Our lawful basis for processing special category and criminal convictions data under UK GDPR is that processing is necessary for reasons of substantial public interest for the exercise of a function of the Crown, a Minister of the Crown, or a government department (paragraph 6, schedule 1, Data Protection Act 2018). 

Special category data

Special category data is defined as personal data revealing:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data for the purpose of uniquely identifying a natural person
  • data concerning health
  • data concerning a natural person’s sex life or sexual orientation

Criminal conviction data

Section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences, or proceedings for an offence committed or alleged to have been committed, including sentencing. This is collectively referred to as ‘criminal offence data’.

Conditions for processing special category and criminal offence data

Schedule 1 conditions for processing special category data and criminal convictions data

Cabinet Office processes special category data for the following purposes in Part 2 of Schedule 1. All processing is for the first listed purpose and might also be for others dependent on the context:

a. Statutory and government purposes (para 6, schedule 1, DPA 2018)

The NSI Act:

  • establishes a requirement for qualifying entities operating in 17 sensitive areas of the economy to seek authorisation for specific types of acquisitions
  • creates a voluntary notification system to encourage notifications from parties who consider that their acquisitions may raise national security concerns (where the business in question is not one of those automatically required to notify)
  • enables the Secretary of State to ‘call in’ statutorily defined acquisitions or other events to undertake a national security assessment (whether or not they have been notified to the government)
  • creates the power to apply remedies to address risks to national security
  • creates sanctions for non-compliance with the Act
  • provides clear routes for parties to challenge decisions in the courts

The NSI Act is operated by the Investment Security Unit (ISU) in Cabinet Office. The ISU is responsible for centrally coordinating a cross-Government process to scrutinise investments with potential national security threats and provide balanced advice on such investments to the Secretary of State.

Processing of personal data by Cabinet Office in this context is for the purposes of substantial public interest and is necessary for the exercise of a function of the Crown, a Minister of the Crown or a government department (see DPA 2018, Part 2, Schedule 1).

b. Preventing or detecting unlawful acts (para 10, schedule 1, DPA 2018)

Processing of personal data by Cabinet Office in this context is where it is necessary for the purposes of the prevention or detection of an unlawful act, which must be carried out without the consent of the data subject so as not to prejudice those purposes and is necessary for reasons of substantial public interest.

Examples include where Cabinet Office processes information for the purpose of reducing risks to the national security of the United Kingdom. This can include implementing civil and/or criminal penalties against companies who do not comply with their legal obligation under the NSI Act.

c. Protecting the public against dishonesty etc (para 11, schedule 1, DPA 2018)

For example: where Cabinet Office needs to process Criminal Offence/Special category data to protect members of the public from malpractice, unfitness, incompetence or mismanagement in the administration of a body or organisation and obtaining consent would prejudice the exercise of the protective function. This could include taking enforcement action against a company for non-compliance with the NSI Act or an order against the company.

d. Regulatory requirements relating to unlawful acts and dishonesty (para 12, schedule 1, DPA 2018)

For example: where Cabinet Office needs to process Criminal Offence/Special Category data to comply with a requirement which involves taking steps to establish whether a company has committed an unlawful act, or been involved in dishonesty, malpractice or other seriously improper conduct. This could include non-compliance with an order.

e. Preventing fraud (para 14, schedule 1, DPA 2018) 

For example: where Cabinet Office needs to disclose personal data to an anti-fraud organisation such as the Financial Conduct Authority.

f. Suspicion of terrorist financing or money laundering (para 15, schedule 1, DPA 2018)

For example: where Cabinet Office needs to disclose personal data to law enforcement agencies.

The Appropriate Policy Document sets out how the Cabinet Office will protect special category and criminal convictions personal data.

When we may share your personal information with third parties

We may share your personal data with other government departments, agencies and public bodies such as the police where it is necessary to do so for the prevention, investigation, detection or prosecution of criminal offences, and other regulatory authorities when it is necessary for the purposes of their regulatory functions.

This will, in some circumstances, involve sharing special categories of personal data and, where relevant, data about criminal convictions or allegations.

Your personal data is stored safely while it is being processed and stored on our digital service hosted on a public cloud, which is also accessed by other government departments. We will have agreements in place with any Data Processors, or Independent or Joint Data Controllers.

Retention of your personal data

Personal data obtained for the purposes listed above will be retained by the ISU for up to 10 years. In certain circumstances, we may need to keep some records for longer periods of time. This might include, for example, situations where cases lead to further investigations, where the information could be relevant to ongoing or future NSI cases including compliance and enforcement, or where it is needed for ongoing or prospective legal proceedings. In some circumstances we will anonymise your personal information so that it can no longer be associated with you. When this happens, the information will be used without further notice to you.

Please note that your access to information entered on the NSI notification portal will be subject to time limits. This means that if you have started or submitted a notification, your access to full details of your notifications through the portal will be removed after a defined period of time.

The information you have submitted, including personal data, will be kept on our internal systems in accordance with the retention policy above.

Your user dashboards and the email alert you receive when your notification is accepted or rejected will inform you of the time limits to access your notifications in the NSI portal. For further information, please see our Guidance on Submitting a Notification.

Your data protection rights

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

International transfers

Your personal data will be processed in the UK. All international transfers of personal data will be done in accordance with data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018.

As your personal data is stored on our digital service hosted on a public cloud, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through an adequacy decision, the use of Standard Contractual Clauses or a UK International Data Transfer Agreement. 

Our contact details

The data controller for your personal data is the Cabinet Office. The Cabinet Office can be contacted at 020 7276 1234, or here: https://www.gov.uk/guidance/contact-the-cabinet-office

Data protection officer contact details

If you have any concerns about how the department is handling your personal data, you may contact the department’s Data Protection Officer (DPO).

The DPO provides independent advice and monitoring of Cabinet Office’s use of personal information. They can be contacted at the following email address: dpo@cabinetoffice.gov.uk

Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:

Information Commissioner’s Office

Email icocasework@ico.org.uk

Contact form https://ico.org.uk/glo…

Telephone 0303 123 1113

Textphone 01625 545 860

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Changes to this privacy notice

We keep our privacy notices under regular review. If there are any changes we will update this page to tell you, for example, about any new uses of personal data.

Check this page to make sure you are aware of what information we collect, how we use it and the circumstances in which we may share it with other organisations.

From time to time, we may also tell you in other ways about the processing of your personal data.

Changes: 28 November 2022

  • in sub-section How your personal information is collected, we added ‘if you have participated in user research or any feedback survey with us’.
  • in sub-section Situations in which we will use your personal information, we added ‘to process and/or follow up on feedback we have received during any surveys or user research’.
  • in sub-section Retention of your personal data, we added information about NSI notification time limits.

Changes: November 2023 

  • Following the machinery of government change, the Privacy Notice is amended to reflect the change in Department (from BEIS to CO) and the decision maker under the NSI Act. Some other minor amendments have also been made to reflect latest practices and approach to data sharing.