Skip to main content

What is the right of access in Part 3 of the DPA 2018?

Contents

In detail

What is the right of access in the context of law enforcement processing?

People have a right to obtain their personal information that is being used for a law enforcement purpose. The definition of the law enforcement purposes is:

"...the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security."

It's important to consider whether you are using the personal information for general purposes or the law enforcement purposes. (See How do we decide which SARs regime applies?)

The right of access helps people understand how and why you are using their information and check you are doing so lawfully. You must publicise details of the right of access (eg on your website, in your privacy statement or in other communications with people). Requests made under the right of access are often called subject access requests (SARs).

If you are a competent authority and using the requested information for one of the law enforcement purposes, you must use part 3 to respond to a SAR.

What is a person entitled to under part 3?

The right of access under part 3 gives people the right to obtain the following from you:

  • confirmation that you are using their personal information;
  • access to their personal information; and
  • other supplementary information.

You must ensure that your processing is lawful and fair and aim to be as open and transparent as possible with people about how you use their personal information.

You must make a reasonable and proportionate search to respond to a SAR. Where possible, you must respond in writing. You should provide the person with a copy of their information, except where you don't hold the information or a restriction applies.

You could provide the information in its existing format if this is the most accessible form for the person (eg where you cannot convey the full context and meaning of the information solely in writing). This may include providing secure access to CCTV footage or audio recordings. You do not have to create transcripts to respond to a SAR if you do not already have them. (For further information about how to carry out a reasonable and proportionate search, see our UK GDPR right of access guidance - What efforts do we need to make to find information?)

In most cases, you can confirm in general terms whether you are using someone's personal information. However, if the request is for a specific piece of information, you must confirm or deny whether you are processing it unless a restriction applies. However, in some circumstances and because of the sensitivities of law enforcement processing, you may not be able to be fully transparent with the person about:

  • how you're using their information; or
  • whether you hold the information.

This applies if transparency would undermine your law enforcement activities. (See When can we neither confirm nor deny that we hold the information?)

What other information is a person entitled to under part 3?

People have the right to receive the following information:

  • Your purposes and lawful basis for processing.
  • The categories of personal information you're processing.
  • The identities or categories of recipients you have disclosed their personal information to (including recipients or categories of recipients in countries or territories outside the UK, or international organisations).
  • How long you will keep their personal information for, or, where this is not possible, your criteria for deciding how long you will store it.
  • Their right to request rectification, erasure or restriction of the information you are processing.
  • Their right to make a complaint to the controller.
  • Their right to make a complaint to the ICO.
  • Their right to apply to court to require the controller to comply.
  • Details of their personal information you are processing.
  • Any available information about the source of the information.

This mostly matches your privacy information. 

When responding to a SAR, you must supply this information along with a copy of the personal information itself, even if the person does not specifically ask for it, unless a restriction applies. If the information is in your privacy notice, you could provide a link to it or a copy.

When using personal information for a law enforcement purpose, you must distinguish, where possible, between the different categories of people whose information you use. This may include information about: 

  • a suspect;
  • an offender;
  • a complainant;
  • a victim;
  • a witness;
  • an informant; or
  • any other person. 

How you categorise a person may affect: 

  • what information you are able to provide; 
  • how you search for information (eg if you hold it in different contexts); or
  • whether you need to restrict their right of access. 

Are people only entitled to their own personal information?

Yes, in most circumstances, unless:

  • their information also relates to other people; or
  • they are exercising another person's right of access on their behalf.

Before you respond to a SAR, you must decide whether the information you hold is personal information and, if so, who it relates to.

Information is personal information if it relates to a living person who is identifiable from that information (directly or indirectly). In most cases, it's obvious whether the information is personal information, but we have produced guidance on What is personal data? to help you decide.

Some information may be the personal information of two (or more) people. You can consider restricting access to the information if responding to a SAR involves providing information about both the person making the request and another person. (See What should we do if the part 3 request involves information about other people? for further details.)

Who is responsible for responding to a request?

This depends on whether you are a 'controller' or a 'processor'. Controllers, not processors, are responsible for complying with SARs.

If you use a processor, you must have contractual arrangements in place to guarantee that you can deal with SARs properly, whether people send them to you or the processor. The processor must help you meet your SAR obligations. You must make this clear in your agreement.

A processor may hold personal information on your behalf. If so, you must ensure that your contractual agreement allows you to require the processor to help you by any appropriate means. This may include asking them to conduct searches and provide you with the information you need to respond to the SAR. However, as the controller, you remain responsible for deciding how to deal with the request.

If you are a joint controller, you must have an arrangement in place with your fellow joint controller(s) that sets out each of your responsibilities. This includes how you deal with SARs. Under part 3, you must specify a central point of contact for people, which must be one of the joint controllers. (See What can we consider when acting as joint controllers?)

Further reading

UK GDPR guidance:

When do we need to take action to enable someone to make a SAR?

People have a right to be informed about how you are using their personal information. Where possible, you should be open and transparent about:

  • what information you use about them; and
  • why you are using it.

Letting people know you are using their personal information will greatly help them exercise their right of access under part 3.

People may not always know that you hold information about them (or have enough information to be able to make a SAR), particularly if you have obtained it from another source. In these circumstances, you must provide the person with the following information, unless a restriction applies:

  • your lawful basis for processing;
  • your retention period for storing their personal information or, where this is not possible, the criteria for deciding how long you will store it;
  • the recipients or categories of recipients you have disclosed their personal information to (including recipients or categories of recipients in countries or territories outside the UK, or international organisations), if applicable; and
  • any other information the person needs to make a SAR.

You could:

  • contact the person directly;
  • or direct them to the privacy information on your website. 

You may withhold some of the information listed above if a restriction applies (eg where complying with the SAR may prejudice a criminal investigation). Follow the approach outlined in the chapter Can we restrict the right of access under part 3? You should make the decision to restrict access to privacy information independently from the decision to restrict the right of access.