What is the right of access in Part 3 of the DPA 2018?
- What is the right of access in the context of law enforcement processing?
- What does “safeguarding against and the prevention of threats to public security” mean?
- What information is someone entitled to under Part 3?
- What other information is someone entitled to under Part 3?
- Are people only entitled to their own personal data?
- Who is responsible for responding to a request?
- When do we need to take action to enable someone to make a SAR?
How do we recognise a Part 3 subject access request (SAR)?
- What is a Part 3 subject access request (SAR)?
- Are there any formal requirements?
- Do we have to respond to the SAR if the person has an alternative means of accessing their information?
- Can someone ask a third party to make a SAR on their behalf?
- How do we decide which SARs regime applies?
- What is the primary purpose for processing?
- What happens if our primary purpose for processing changes, or if the information we collect is no longer relevant?
- At what point do we decide which SARs regime applies?
- Do we need to provide information processed for logging purposes?
- How do we deal with requests for unstructured manual records?
What should we consider when responding to a Part 3 request?
- How long do we have to comply?
- Can we extend the time for a response?
- If both the UK GDPR and Part 3 information is covered by the SAR, can we deem the request complex and extend the deadline?
- How long do we have to deal with requests for information processed for different purposes?
- Can we clarify the request in Part 3?
- Can we stop the clock and ask for clarification?
- Can we charge a fee under Part 3?
How should we supply Part 3 information to the requester?
- What information must we supply under Part 3?
- In what format should we provide the information?
- What should we do if the information exists in different forms?
- Can we provide remote access?
- In what circumstances can we provide someone with access to their information but not a copy?
- Do we need to make reasonable adjustments for disabled people?
Can we restrict the right of access under Part 3?
- Can we restrict access to the information we provide under Part 3?
- What is a ‘necessary and proportionate measure’?
- What rights and interests may be impacted by restricting someone’s right of access?
- When can we neither confirm nor deny we hold the information?
- What does “avoid obstructing an inquiry, investigation or procedure” cover?
- What does “avoid prejudicing” cover?
- What does “protect public security” cover?
- What does “protect national security” cover?
- What does “protect the rights and freedoms of others” cover?
- Can we restrict the right of access for more than one reason?
- Can we restrict the right of access for a specified period of time?
- Do we need to record our reasons for restricting someone’s right of access?
- Do we need to tell people why their rights have been restricted?
- Can we rely on the UK GDPR exemptions to withhold personal information under Part 3?
- Can we withhold information on the basis of ‘legal professional privilege’?
What should we consider when acting as joint controllers?
- What do we need to consider if we are acting as joint controllers?
- What are the responsibilities of the “contact point”?
- Do we need to consult with joint controllers before responding to a SAR?
- What happens if we are only processing some of the requested information for joint purposes?
- Can we consult other competent authorities when deciding whether to apply a restriction?
- What happens if independent controllers are processing the same information for different purposes?
What should we do if the Part 3 request involves information about other people?
- What is the basic rule?
- What approach should we take?
- What about confidentiality?
- Does categorising people impact what information we can provide them with?
- How should we deal with requests from people who fall within multiple categories?
What do we need to consider if personal information is processed by a court for law enforcement purposes?
- Does someone have a right to access personal information created by a court?
- What does “by or on behalf of a court or other judicial authority” mean?
- What is a “judicial decision”?
- What information will be created by or behalf of a court for a criminal investigation?
- What information will be created by or on behalf of a court for criminal proceedings?
- What does “relating to” mean?
- What does “for the purpose of executing a criminal penalty” mean?
- Does the exception cover documents filed or placed in the custody of the court?
- Does the exception apply if the court has shared the information with another organisation?
- Is this exception time-bound?