The ICO exists to empower you through information.

This consultation has closed

This consultation ran from 14 December 2021 to 11 March 2022. We have published a summary of responses and our comments below.

Original consultation introduction

The right of access in Part 3 of the Data Protection Act 2018 is a fundamental right that applies to competent authorities. It is more commonly known as the right to make a subject access request.

It allows individuals to find out what personal data is held about them for law enforcement purposes and to obtain a copy of that data. Following on from our initial guidance on this right, the ICO has now drafted detailed guidance which explains in greater detail the rights that individuals have to access their personal data and the obligations on competent authorities. The draft guidance also explores situations involving joint controllers, how to deal with requests involving the personal data of others and the restrictions that are most likely to apply in practice when handling a request.

At the same time, the ICO has also drafted updated guidance on the provisions in Part 3 on how authorities should deal with manifestly unfounded or excessive requests.

We are running a consultation on both of these pieces of draft guidance to gather the views of stakeholders and the public. These views will inform the published version of the guidance by helping us to understand the areas where organisations are seeking further clarity, in particular taking into account their experiences in dealing with subject access requests since May 2018.

Summary of responses and ICO comments

In December 2021, we launched a public consultation seeking views on draft detailed guidance on:

  • the right of access in Part 3 of the Data Protection Act 2018 (DPA 2018); and
  • Part 3 manifestly unfounded and excessive requests.

Prior to launching the public consultation, we engaged with a number of law enforcement agencies across England and Wales, Scotland, and Northern Ireland, to learn about their experiences. The consultation ran until March 2022. This document summarises the key themes emerging from the responses.

We received 14 responses to the public consultation, including a response from the National Police Chief’s Council (NPCC) which represents 43 police forces in England and Wales. We would like to thank everyone who took the time to comment and share their views.

About the consultation

General points

In general, the responses were largely positive. Most respondents said the guidance:

  • was clear and easy to understand;
  • would help them comply with their obligations; and
  • helped them determine which SAR regime to use if they are unsure.

We were asked:

  • why at times the draft guidance linked to our UK GDPR SAR guidance for further information;
  • to provide templates and sample responses; and
  • to include more references to specific legislative provisions.

In addition, we received some feedback about the UK GDPR right of access, rather than Part 3.

ICO response

As competent authorities process personal information under both the UK GDPR and Part 3, we think it’s appropriate to link to our UK GDPR right of access guidance where this is helpful. If there are specific provisions and obligations that only concern Part 3, we have included content in this guidance.

We’ve added a link to our Accountability Framework on ‘logging and tracking requests’ which helps organisations keep records of their decisions. We’ll consider developing additional resources in the future.

As this summary and the consultation is focussed on the Part 3 right of access, we have not covered the feedback about the UK GDPR right of access here. We have previously developed guidance on the UK GDPR right of access and carried out a public consultation. You can find the report of that consultation here.

Since the draft guidance was published in December 2021, we’ve made a number of changes to make it clearer and more accessible. This includes using more plain language terms.

To help you to understand the law and good practice as clearly as possible we’ve also made it clearer what organisations must, should, and could do, to comply.

Legislative requirements

  • Must refers to legislative requirements.

Good practice

  • Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. You should do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the law.
  • Could refers to an option or example that you could consider to help you to comply effectively. There are likely to be various other ways you could comply.

Part 3 right of access guidance

Defining ‘public security’

In the consultation, we asked whether we appropriately defined the term, “safeguarding against and the prevention of threats to public security” within the guidance.

Most respondents agreed with our definition, felt that the guidance was clear and that we provided sufficient examples. However, one respondent felt that further content, in particular on whether a risk to one person is considered as a public security matter, would be helpful.

ICO response

We provide further detail on the meaning of the term ‘public security’ in, Can we restrict the right of access under Part 3 – What does ‘protect public security cover?.

Enabling someone to make a SAR

Organisations should inform people that they are processing their personal information, unless a restriction applies. The draft guidance explained that in certain circumstances, once the restriction is no longer relevant, organisations should provide people with their privacy information.

One respondent expressed concerns that this creates an obligation on organisations to routinely check for any changes to the personal information while processing the SAR. As disclosure usually happens at the end of a case, they considered this to be impractical.

It was also suggested that the Part 3 ‘right to be informed’ guidance should cover this section instead.

ICO response

We’ve added additional content on this topic in this guidance, including an example.

Time limits

Respondents asked for greater clarity about how to calculate the time limit under Part 3.

ICO response

We’ve amended the guidance and examples to provide greater clarity on this issue.

Alternative routes of access

The draft guidance explained that in most cases, a SAR is still valid if someone has another route of access available to them.

Respondents suggested that:

  • this position was inconsistent with the manifestly unfounded and excessive guidance;
  • organisations should also be able to take into account the fact that another route is available, when considering if a request is excessive;
  • sometimes it may be more appropriate for people to obtain information though an alternative route; and
  • we provide a definitive list of alternative routes of access.

ICO response

We’ve amended the manifestly unfounded and excessive guidance, to ensure greater consistency.

We’ve added additional content to emphasise that although organisations may explain what other routes of access are available, they cannot refuse to comply with a SAR just because another route exists.

We’ve also added content to clarify that:

  • organisations may explain to someone why using an alternative process may be more appropriate or effective for their purposes; and
  • where an organisation has already provided a copy of information by an alternative route, this may be a factor to consider in deeming a request as excessive.

As alternative routes of access vary widely, depending on the circumstances, we cannot provide a definitive list.

Logs of information

Section 62 of the DPA 2018 explains that organisations can only use logs of information for specified purposes, including for the purpose of “verifying the lawfulness of the processing”.  

Respondents pointed out that disclosing logs of information would not help people verify the lawfulness of the processing. Instead, respondents suggested that the organisation could review the logs and confirm to the person whether or not the processing was lawful.

There were also comments that logs of information:

  • may not necessarily be the person’s personal information;
  • may be operationally sensitive; and
  • may relate to personal information being processed under the UK GDPR, rather than Part 3.

ICO response

In response we’ve:

  • amended the guidance to clarify that organisations focus their searches on personal information contained within logs of information;
  • included a link to other ICO guidance on the obligation on organisations to explain information which may be incomprehensible to the person; and
  • clarified that this section specifically refers to the logging requirement under Section 62 in Part 3, as there is no requirement under the UK GDPR to keep similar logs.

We already have guidance on deciding whether information is personal data and whether a restriction applies. We’ve not included any additional content on this.

Format of the response

Respondents commented that:

  • whilst the UK GDPR states that people have a right to a copy of their information, Part 3 states that people only have a right to access their information in writing;
  • it may not be appropriate to provide information in its existing form, for example, if it is coded or otherwise incapable of being understood; and
  • it would be helpful to include examples of non-written material being specifically requested, eg digital media.

The draft guidance explained that organisations ‘must’ help people exercise their rights. One respondent disagreed with using the term ‘must’ in some instances, and suggested that we substitute each occurrence of ‘must’ with ‘should’.

ICO response

We’ve added further content to explain that, in limited circumstances, organisations could comply with a Part 3 SAR by only providing access to the information.

If information is in a coded format, or if the person is unlikely to fully understand the information, the organisation should explain this when it responds to the SAR. We’ve added links to other ICO guidance on this.

We’ve also amended the guidance to make it clearer that Section 52(6) of the DPA 2018 specifies that organisations ‘must’ help people exercise their rights.

Unstructured manual records

Respondents commented that:

  • organisations may incorrectly label information as ‘unstructured’ as a result of poor record-keeping;
  • they are unclear why the definition of unstructured manual data does not apply to information processed under Part 3 of the DPA 2018; and
  • we should link to other relevant ICO guidance and include examples of unstructured data.

ICO response

The guidance explains that Part 3 only applies to automated data or structured manual data, not to unstructured manual data. We’ve included a link to section 29(1) of the DPA 2018. The guidance provides examples of unstructured data.

Personal information about third parties

Respondents asked for more guidance on how they should deal with a SAR which may involve providing information that relates to both the person making the request and a third party.

The draft guidance indicates that organisations may take into account whether or not the third party provided consent, in deciding if it is reasonable to disclose the information. One respondent queried this.

Some respondents raised concerns about one of the examples in this section.

ICO response

The section on third-party data sets out a process for organisations to follow if personal data contains information about other people. We’ve added a link (in the further reading section) to other detailed ICO guidance which explains how organisations should deal with information that the person already knows.

In our view, organisations are best placed to decide whether it is or is not appropriate to seek the consent of the third party. We think it is important to leave this as an option for organisations, so that they may exercise their discretion, depending on the circumstances.

We’ve replaced the example in question with two different examples.

Joint controllership

We asked respondents whether the draft guidance would help them comply with their obligations if they had a joint controllership arrangement in place.

Most respondents said it would help them, and said that the section:

  • helped them clarify their thinking around this issue; and
  • provided clear guidance around the need to provide a point of contact and to allocate roles and responsibilities in joint controller arrangements.

Respondents also suggested that:

  • the guidance should confirm it may be possible to appoint more than one point of contact (depending on the processing operation), or one for each organisation; and
  • joint controllership arrangements should be incorporated within the data sharing agreements between the parties.

ICO response

We’ve amended the guidance to make it clearer that section 58(3) specifies that the designated contact point can only be one of the joint controllers.

We cannot comment on how joint controllers should structure their arrangements. The organisations themselves should decide whether to include their arrangements within data sharing agreements or not.

Restrictions

Respondents commented that the examples in this chapter were helpful – including the example used to illustrate the ‘prejudice’ restriction and the example of prosecutors withholding data.

Respondents also suggested that we should:

  • amend an example to make it clearer that organisations cannot apply restrictions in a blanket manner;
  • clarify whether organisations could withhold information on the basis of legal professional privilege (LPP);
  • include more examples of when organisations could issue a ‘neither confirm nor deny’ (NCND) response;
  • clarify whether a SAR could be viewed as ‘obstructive’ in the context of court proceedings;
  • state that a person must state whether they are subject to legal proceedings when they make a SAR (so that the organisation would know if the information was accessible through another route);
  • clarify how organisations should record their reasons for restricting access; and
  • make earlier references to restrictions in the guidance.

ICO response

In response we’ve:

  • amended the example identified, to make it clear that organisations should apply restrictions on a case-by-case basis;
  • added content to reflect our updated policy position on withholding information based on LPP;
  • added a further NCND example;
  • clarified that a SAR is not obstructive simply because it is inconvenient or there are ongoing proceedings;
  • included factors organisations may take into account in determining how compelling the person’s need to have access to their information is (if they aren’t aware of their motivation); and
  • emphasised that organisations cannot refuse to comply with a SAR just because a person can obtain their data through another process.

The approach of explaining how key provisions work and the obligations on organisations before discussing any restrictions to those obligations is consistent with the style of other ICO guidance on similar topics. As such, we consider that it is appropriate to discuss the restrictions in the chapter ‘Can we restrict the right of access?’ rather than earlier in the guidance.

We have not included further detail about how organisations should record their reasons for restricting access. This depends on the availability of technical systems and resources, which vary across organisations.

Use of multiple restrictions

The draft guidance explained that organisations should usually avoid applying more than one restriction (although there may be circumstances where this would be necessary). This is because organisations may only apply a restriction if it is ‘necessary and proportionate’ after considering the person’s rights and legitimate interests.

We received feedback that applying more than one restriction is not exceptional, as multiple restrictions could apply to the same piece of data. Applying more than one restriction allows organisations to robustly defend their decision to restrict access.

ICO response

We’ve amended the guidance to make it clear that organisations can apply more than one restriction. However, organisations must be able to explain why the use of the restrictions is necessary and proportionate. We’ve also included an example to help illustrate this point.

Personal data processed by a court for law enforcement purposes

There were requests for further guidance and examples on the scope of this exception.

ICO response

We’re currently considering the scope of our remit over persons and courts acting in a judicial capacity. As such, we’re currently unable to provide further clarity on this point. However, we’ll consider adding additional content in the future.

Manifestly unfounded and excessive requests

General considerations

Almost half of respondents wanted more complex examples of manifestly unfounded and excessive requests, to cover a larger variety of scenarios.  

One respondent asked that we provide an example of a reasonable fee for a manifestly unfounded or excessive request.

ICO response

It is not always possible for an example to address all possible scenarios as they vary across organisations. However, we’ve made efforts to clarify our guidance to help organisations better understand how they should exercise their discretion.

At present there are no regulations to specify limits on the fees that organisations may charge, so we cannot provide a specific example. However, we’ve signposted to our UK GDPR SAR guidance which explains how organisations may determine a reasonable fee.

Manifestly unfounded requests 

Most respondents said that the definition of manifestly unfounded requests is clear.

We also received feedback requesting:

  • more complex examples of a manifestly unfounded request;
  • clarification of what ‘substantive damage’ means when balancing the impact on people’s rights; and
  • clarification on whether abusive language should always make a request manifestly unfounded.

Manifestly excessive requests

Most respondents said that the definition of excessive requests is clear.

We also received feedback requesting:

  • specific examples of how much evidence organisations need to establish that a request is excessive, and how a request can be excessive if it concerns a large volume of information;
  • clarity on what is a reasonable period of time for an applicant to make a repeat request;
  • confirmation that requests for additional footage from another camera are usually excessive, unless the camera captures additional information to the initial request; and
  • new guidance for the public on how to make requests that clearly specify the information they are seeking.

Some respondents also queried whether the guidance should use the word ‘manifestly’ alongside excessive.

ICO response

In response we’ve:

  • added a link to relevant ICO guidance to help clarify how to balance any impact to the person’s rights and interests when considering whether a request is excessive or unfounded;
  • added further content about how to consider ‘substantive damage’;
  • provided greater clarity on the suitable period of time between repeat requests; and
  • added content and links to relevant guidance on questions around dealing with requests for large volumes of information.

The inclusion of the word “manifestly” means there must be an obvious or clear quality to the excessiveness. This refers to the need for evidence rather than any degree of excessiveness. If there is sufficient evidence that a request is excessive, then it will be manifestly so. Our guidance provides organisations with a list of factors that can help them determine if a request is excessive. 

A request for information from a different camera is not automatically excessive, and this depends on the circumstances of the request. It is the organisation’s responsibility to justify its reasons for finding that such a request is manifestly excessive.

Our guidance makes it clear that if people use ‘abusive language’ this can support the argument that a request is unfounded.

We’ve already published guidance for the public about how to make an effective subject access request. This includes content on how to make sure the request is clear and a template for them to use.

Next steps

The Part 3 right of access guidance and Part 3 guidance on manifestly unfounded and excessive requests are both available on our website.

Original privacy statement

For this consultation we may publish the responses received from organisations or a summary of the responses. We will not publish responses from individuals. If we do publish any responses, we will remove email addresses and telephone numbers from these responses but apart from this we will publish them in full. Please be mindful not to share any information in your response which you would not be happy for us to make publicly available. For further information, see responding to our consultation requests and surveys.

Should we receive an FOI request for your response we will always seek to consult with you for your views on the disclosure of this information before any decision is made.

For more information about what we do with personal data, please see our privacy notice.