Latest updates - last updated 10 February 2023
10 February 2023 - This guidance was published.
This guidance discusses the right of access to information processed for a law enforcement purpose under Part 3 of the Data Protection Act 2018 (DPA 2018) in detail. Read it if you have detailed questions not answered in the Guide, or if you need a deeper understanding to help you apply the right of access under Part 3 in practice. It is aimed at ‘competent authorities’ who process personal information for any of the law enforcement purposes. In particular, Data Protection Officers (DPOs) and those with specific data protection responsibilities in the context of law enforcement processing.
If you haven’t yet read the ‘in brief’ page on the Part 3 right of access, you should read that first. It introduces this topic and sets out the key points you need to know, along with practical checklists to help you comply.
You should read this guidance if you have specific questions about dealing with subject access requests (SARs) in the context of law enforcement processing. You might also find it helpful to refer to the detailed UK GDPR guidance on the right of access and we will signpost to this guidance when it may be useful.
You should also read the separate law enforcement guidance on manifestly unfounded and excessive requests.
Where your processing operations are for general purposes only, you should refer to the right of access guidance under the UK GDPR.
To help you understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.
Must refers to legislative requirements.
Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. You should do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the law.
Could refers to an option or example that you could consider to help you to comply effectively. There are likely to be various other ways you could comply.
Further reading – responses to the ICO’s consultation
In December 2021, we launched a public consultation on the detailed guidance on the Part 3 right of access, and on the updated guidance on manifestly unfounded and excessive requests. You can read a summary of responses to the consultation and the ICO’s comments here.