Latest updates - last updated 10 February 2023
10 February 2023 - We have published detailed guidance on the Part 3 right of access, and updated our in-brief guidance to reflect this.
At a glance
- People have a legal right to access their personal information. This means that you should provide them with a copy of their personal information, where possible, and other supplementary information.
- This is known as a subject access request, or ‘SAR’.
- People can make SARs verbally or in writing, including via social media.
- A third party can also make a SAR on behalf of another person.
- If you are a competent authority processing personal information for law enforcement purposes, you must deal with the SAR under Part 3.
- You must deal with requests for unstructured manual data under the UK GDPR, and not Part 3.
- You do not have to disclose information processed by a court in connection with criminal matters to respond to a SAR.
- In most circumstances, you must not charge a fee to deal with a request.
- You must provide the requested information without delay, and at the latest within one month. You must not extend this time limit for any reason.
- You should perform a reasonable search for this information.
- You must provide the information in an accessible, concise and intelligible format.
- You must disclose the information in a manner that ensures appropriate security.
- You could refuse to provide the information if a Part 3 restriction applies or if the request is manifestly unfounded or excessive.
Preparing for Part 3 subject access requests
□ We know how to recognise a request and we understand when the right of access applies.
□ We understand what information is being used for law enforcement purposes, and when to use Part 3 to deal with the SAR.
□ We have a policy for recording verbal requests.
□ We understand what steps we need to take, if necessary, to verify the requester’s identity.
□ We understand that we must respond to requests within one month.
□ We understand when we can restrict the right of access and are aware of the information we still need to provide to people when we do so.
□ We understand the nature of the supplementary information we must provide to respond to a subject access request.
□ We have suitable information management systems in place to allow us to locate and retrieve information efficiently.
Complying with Part 3 subject access requests
□ We have processes in place to ensure that we respond to a request without undue delay and within one month of receipt.
□ We understand how to perform a reasonable search for the information.
□ We understand what we should consider if a third party makes a request on someone’s behalf.
□ We understand how to deal with requests for personal information contained within logs of information.
□ We understand how to deal with requests for unstructured manual data.
□ We understand that we must provide the information in a concise, intelligible and easily accessible form, using clear and plain language.
□ We understand that we should generally provide people with a copy of their personal information and other supplementary information.
□ We have processes in place for when we may consider restricting someone’s right of access, and have a system for recording our reasons.
□ We understand what we should consider if a request includes information about others.
□ We understand that, in circumstances where we are joint controllers, we must have joint arrangements in place. These must set out the responsibilities of each joint controller, and designate one of the joint controllers as the “contact point” for SARs.
□ We can deliver the information securely and in the correct format.
- What is the right of access in Part 3 of the DPA 2018?
- How do we recognise a Part 3 subject access request (SAR)?
- What should we consider when responding to a Part 3 request?
- How should we supply Part 3 information to the requester?
- Can we restrict the right of access under Part 3?
- What should we consider when acting as joint controllers?
- What should we do if the Part 3 request involves information about other individuals?
- What do we need to consider if a court processes personal data for law enforcement purposes?
- Can the ICO enforce the right of access under Part 3?
- Part 3 right of access in more detail
The UK GDPR does not apply to personal information used for any of the law enforcement purposes. There is a separate regime in Part 3 of the DPA 2018 which gives people a right to access their personal information used for a law enforcement purpose.
The right of access in Part 3, commonly known as subject access, gives people the right to access their personal information, as well as other supplementary information. It helps people to understand how and why you are using their data, and check you are doing so lawfully.
Someone can make a Part 3 SAR verbally or in writing, including on social media. A request is valid if it is clear that the person is asking for their own personal information. They do not need to use a specific form of words, refer to legislation or direct the request to a specific contact.
Before responding to a SAR, you must determine whether you are using the personal information for any of the law enforcement purposes. If you are a competent authority, and your primary purpose for processing the information is for one of the law enforcement purposes, you must deal with the SAR under Part 3.
You must comply with a SAR without undue delay and at the latest within one month of receiving the request. The time limit begins the day after you receive the request. You must not extend the time limit for any reason. While you may ask the person to clarify their request, you must not ‘stop the clock’ after doing so. You must still comply with the request within the deadline.
Under Part 3, you must keep logs of information about your processing activities.
Unstructured personal data is manual information that is not, or is not intended to form, part of a “filing system”. Unstructured manual data obtained for law enforcement purposes is not included in the Part 3 processing regime. If you receive a SAR for this type of personal information, you will need to treat it as a SAR under the UK GDPR.
People have the right to access their personal information. Where possible, you should provide them with a copy of their personal information, and other supplementary information (which largely corresponds with the information that you should provide in a privacy notice).
You must respond to requests in writing, and provide the information in a concise, intelligible, and easily accessible format using clear and plain language. You could provide the information in its existing format if this is the most accessible form, for example where you cannot convey the full context and meaning of the information solely in writing. This may include providing secure access to CCTV footage or audio recordings. You do not have to create transcripts to respond to a request if you do not already have them.
In certain circumstances you could provide the person with access to their information, rather than providing them with a copy. Our detailed guidance further explains these circumstances.
Yes – but only in specific circumstances.
People have the right to obtain confirmation of whether or not you process their information, and to access it.
You may restrict these rights, in full or in part, if it is necessary and proportionate in order to:
- avoid obstructing an official or legal inquiry, investigation or procedure;
- avoid prejudice to the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
- protect public security;
- protect national security; or
- protect the rights and freedoms of others.
In considering whether to apply a restriction, you must also consider the person’s fundamental rights and interests. You must provide them with any information you do not need to restrict access to.
Where two or more competent authorities jointly determine the purposes and means of the processing of personal information, they are acting as joint controllers.
If you are acting as a joint controller, you must ensure that:
- you have an arrangement in place with your fellow joint controllers, which clearly and transparently sets out each of your responsibilities under Part 3, including how you deal with SARs; and
- you specify a contact point for people, which is one of the joint controllers.
Joint controllers must, in their joint arrangements, name one of the joint controllers as the contact point. You must not appoint a third party as the contact point, or have more than one contact point.
The joint arrangements must set out very clearly the duties of each joint controller in relation to SARs.
You should consider first whether it is possible to comply with the request without disclosing information that identifies another person.
If this is not possible, you should consider whether it is reasonable to apply a restriction. In reaching this decision, you must balance the rights and interests of the person making the request with the rights and freedoms of the other person.
If you can demonstrate, on balance, that applying a restriction is necessary and proportionate to protect the rights and freedoms of the other person, then you could refuse to provide the information.
Our detailed guidance provides further information on what you need to consider in these circumstances.
People do not have a right to access their personal data by making a SAR if it is contained in:
- a judicial decision; or
- another document created by or on behalf of a court or other judicial authority in connection with:
  - a criminal investigation; or
  - criminal proceedings, including proceedings for the sentencing of an offender.
The DPA 2018 describes such information as “relevant personal data”.
Yes. In appropriate cases, the ICO may take action against a controller or processor if they fail to comply with data protection legislation. The ICO will exercise these enforcement powers in accordance with our Regulatory Action Policy.
If you fail to comply with a SAR, the requester may apply to a court for an order requiring you to comply, or may seek compensation. It is a matter for the court to decide, in each particular case, what action to take.
If you are a joint controller, you are only liable to the extent you are responsible for the specific action in question, under the terms of the joint arrangements.