
In detail

Can we restrict access to the information we provide under Part 3?

Yes. Although you must tell people whether you are processing their information, and provide access to it, there are circumstances when you can restrict this right. These are referred to as ‘restrictions’ in this guidance.

You could apply a restriction in full, or in part, if it is necessary and proportionate in order to:

  • avoid obstructing an official or legal inquiry, investigation or procedure;
  • avoid prejudice to the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
  • protect public security;
  • protect national security; or
  • protect the rights and freedoms of others.

You should only apply a restriction to the extent that it is necessary to achieve one or more of these purposes. You must provide the person with any information that does not come within the restriction.

If you are applying a restriction, you still need to provide them with certain supplementary information, eg by providing them with a copy of your privacy notice.

When someone is not aware that you are processing their personal information, you may be able to apply a restriction to their right to be provided with specific privacy information. See ‘When do we need to take action to enable someone to make a SAR?’.

What is a “necessary and proportionate measure”?

You must only apply a restriction if it is “necessary”. This means that you must demonstrate that you have identified a reasonable possibility of a potential risk. It must be more than speculative, but doesn’t have to be a foregone conclusion. If you can reasonably achieve your purpose by another means, you should do this instead. For example, by redacting the sensitive information.

You must also demonstrate that your decision to restrict access is “proportionate”. This means that your reasons for applying a restriction must be sufficiently important to justify any impacts that restricting access will have on someone. When considering the impact on the person, you must take into account their fundamental rights and legitimate interests; and consider the actual consequences to them if you apply the restriction. You should only infringe the person’s rights to the minimum extent necessary to achieve your purpose.

In general, you should consider all relevant factors and carefully balance the person’s right of access against your reasons for restricting access. The amount of weight you attach to the person’s right of access depends on how compelling their need to have access to the information is. If you are unsure of the motivation behind the request, you should take into account:

  • the nature of the requested information;
  • how you have categorised the person’s personal information; and
  • why you are processing it.

You should balance the rights of the person against the harm disclosure may cause. The amount of weight you attach to any person’s rights, freedoms or legitimate interests may depend on how compelling or trivial they are, and on how compelling the need to restrict the right of access is.

You could restrict access to some or all of the information depending on the circumstances. As you must only restrict access to the extent necessary to achieve your purpose, you should generally provide as much information as you can – eg by redacting the sensitive data and providing the person with the rest of the information.

In certain circumstances, restricting access will have such an adverse impact on a person’s rights, that you may not be able to justify it as “a necessary and proportionate measure”. In other cases, it will be reasonable to restrict access, even if the person’s rights are adversely impacted. This is the case if the underlying purpose of the restriction is compelling, and there are no other ways to mitigate the risks you have identified.

Ultimately, you should make a reasoned and sensible decision based on genuine risks. You should keep a record of your decision, and be able to justify your position and provide details to the ICO, if asked to. You should explain your reasons to the person, where possible.

Example

An employee is injured at work and the health and safety regulator launches a criminal investigation. The employee makes a SAR to the regulator asking for all the information held about them. They want to use the information to obtain legal advice about their chances of bringing a successful personal injury claim against their employer.

The regulator is concerned that disclosure of certain information may be prejudicial to the investigation. Also, if some of the information were to reach the media, this may have an impact on the fairness of any future trial. However, the person has a legitimate interest in wanting to access the information, as this may help them decide whether or not to make a claim.

The regulator must balance the person’s rights against the possible prejudice to the investigation in disclosing the information. The regulator documents the impacts of disclosure against the impacts on the person of restricting access. It carefully considers any relevant factors and records how it has reached its decision.

For example, refusing to provide the information will not prevent the person from obtaining legal advice. However, the legal advice will be based on more limited information. It also considers that it will only be necessary to restrict access for a certain length of time, and once the investigation has ended, the regulator will be able to provide the information.

What rights and interests may be impacted by restricting an individual’s right of access?

You should consider the rights, freedoms and interests of people broadly. Restricting access to personal information can impact any aspect of someone’s life, and not just in the context of criminal proceedings.

For example, refusal to provide the information may impact fundamental rights and freedoms, such as:

  • the right to a fair trial;
  • the right to liberty and security;
  • the right to respect for private and family life;
  • freedom to choose an occupation and the right to engage in work; or
  • freedom to conduct a business.

Which of the person’s rights and interests are impacted will vary depending on the circumstances, and how you have categorised them.

When can we neither confirm nor deny we hold the information?

Even if you refuse to provide access to requested information by applying a restriction, in most instances you must confirm whether or not you hold the information.

However, if disclosing whether you hold the information may undermine the purpose of restricting the right of access in the first place, you can restrict the individual’s right to know whether you are processing their information – by refusing to confirm or deny whether you hold their information. This is often called a “neither confirm nor deny” (NCND) response.

Again, you must only apply a restriction if it is necessary and proportionate to do so, taking into account the person’s fundamental rights and interests.

The decision to neither confirm nor deny is separate from a decision to restrict access to the information. You should make this decision entirely on its own merits. There may be circumstances when an NCND response may not be a necessary or proportionate measure.

Example

The police are investigating a murder. They suspect a person is involved and place them under surveillance, without their knowledge.

This person makes a SAR for any information held about them relating to the murder investigation. The police restrict access because disclosure is likely to prejudice their investigation.

The police must separately consider whether to confirm or deny they hold the person’s personal information. Since the person is not aware they are under surveillance, the police are likely to undermine the purpose of restricting access if they confirm that they hold any information. This is because the police have reasonable concerns that the person may alter their behaviours and movements if they know they are under investigation. They may also attempt to conceal evidence or take action which could prevent the apprehension of a suspect.

The police therefore respond to the request by providing an NCND response. This is because confirming the information is held would undermine the reason why they restricted access to the information.

Example

Another person makes a SAR to the police for any information held about them relating to the same murder investigation. The police do not hold any information about this person, but are aware they are acquainted with the suspect. Informing this person that they do not hold information about them may undermine the investigation. This is because there is a risk that they may discuss their response with the suspect, and enable them to draw inferences from the different responses they received. The police issue an NCND response.

What does “avoid obstructing an inquiry, investigation or procedure” cover?

You could restrict access to some or all of the information you hold, if disclosing it would obstruct an official or legal inquiry, investigation or procedure. This can include any public investigation or inquiry and not just criminal investigations or proceedings. However, this is only if you are processing the information for a law enforcement purpose. For example, depending on the specific context and circumstances, it could apply if disclosing the information would obstruct an ongoing or future coroner’s inquiry.

“Obstructing” means preventing or delaying an inquiry, investigation or proceedings from taking place or progressing within a reasonable time.

You could restrict the person’s right of access, if you believe that complying with the SAR may frustrate, or cause difficulties or impediments in progressing an inquiry, investigation, or other official or legal procedure. However, you cannot restrict the person’s right of access just because a SAR is inconvenient, time-consuming, or there are ongoing proceedings. You must be able to demonstrate why restricting the right of access is necessary and proportionate.

Example

A person is arrested and questioned by police in connection with a public order offence. The police believe they are a member of a violent gang under investigation for numerous offences. The police do not have enough information to detain the person in custody but investigations are ongoing. The person requests all the personal information the police hold about them.

The police are concerned about releasing some of the information to the person, in case they share it with other gang members, who are potential suspects. The information might alert them to what the police already know about their activities, which could allow them to evade capture or cause them to engage in further criminal activity.

The police want to restrict access to the information on the basis that disclosure could obstruct the ongoing investigation. They decide that the impact to the person is minimal as they have not been charged with an offence due to lack of evidence, and so failure to disclose the information does not impact their rights.

The person is therefore only entitled to the information that has not been restricted. The police document their reasons for restricting access. They advise the person that disclosing the information would harm ongoing investigations, but do not provide any specific details as this would undermine the purpose of restricting access.

What does “avoid prejudicing” cover?

You could restrict access to some or all of the information you hold if providing it may prejudice:

  • the prevention or detection of crime;
  • the investigation and prosecution of criminal offences; or
  • the execution of any criminal penalty.

In the context of criminal justice, “prejudice” can have different meanings depending on the context and circumstances.

In the context of the prevention, detection, and investigation of crime, prejudice may occur where disclosing the information may undermine an inquiry. For example, by revealing details about a covert policing operation. It may also be relevant if you have reasonable grounds to believe that disclosing information to a suspect could lead to them taking steps to conceal a crime.

Prejudice, in this context, can also mean preventing an investigation from being conducted independently or fairly. For example, if disclosing the information would impair or damage the rights of anyone under investigation or charged with an offence.

Prejudice can also apply in the context of the “execution of criminal penalties”. This term is not specifically defined in the legislation but generally means any measure or process used to determine an appropriate penalty for an offender. This may include sentences handed down by a judge or out of court disposals. For example, it may be relevant if a judge is deciding whether to sentence an offender to a term in prison or community service. However, it may also apply in the context of a police caution or conditional discharge, for example.

In the context of court proceedings, including sentencing proceedings, prejudice can occur if decision-makers make a decision:

  • before considering the evidence in full;
  • based on unfair, irrelevant or inadmissible evidence; or
  • based on irrelevant circumstances or preconceived opinions.

Example

The victim in a high profile criminal trial requests all the personal information the prosecution service hold about them. This includes witness statements and other evidence gathered by the police, including notes and the opinions of senior officers about the facts or circumstances.

Some of this evidence will not be admissible in court. The rest will need to be properly tested during the course of the trial.

If the prosecutor provides the information to the victim, they cannot control what they do with it. If it’s disclosed to the media, it could prevent the defendant from having a fair trial.

As the victim will be compelled to testify at court, there is also a risk that providing them with this information may affect their testimony. This is because they may use it to help them reconstruct their version of events rather than basing their testimony on their own recollection.

The prosecution service considers the rights of the victim in deciding whether to provide them with access to this information. However, they decide that restricting access to some of the information is a necessary and proportionate measure to ensure that the defendant is tried fairly. They decide that the balance weighs against disclosure in these circumstances.

What does “protect public security” cover?

You could restrict a person’s right of access to their information if you consider it to be a necessary and proportionate measure to protect public security.

“Public security” generally concerns the welfare and protection of the public at large. It may cover the protection of life, institutions and organisations against public threats, crime, disasters and other threats to life, safety and well-being. For example, it may include:

  • use of intelligence to address possible threats;
  • policing large events; and
  • investigating drugs offences, human trafficking, or institutional child abuse.

Public security can encompass most major public policy issues, or anything that threatens public order.

Example

The police are investigating the activities of a criminal gang operating in the local area. This includes violent crime, drugs, and human trafficking offences. They arrest someone on suspicion of affray. The police have CCTV footage of the incident. The person wants to view this footage, and makes a request for “all the data you hold about me”.

The police also hold information that suggests the person is connected to the criminal gang they are investigating. However, they currently do not have sufficient evidence to establish the person’s involvement. They are concerned that if they disclose this information there is a risk that the person might alert other members of the criminal gang who are still at large. They are also concerned that disclosure could risk the life and safety of victims.

Taking this into account, and having considered the impact on the person’s rights, they decide to restrict access to the information that links the person to the activities of the criminal gang. This is based on the need to protect public security.

However, as the incident of affray does not relate to these activities, the police do not need to restrict the person’s access to the CCTV footage. They disclose this information after redacting any personal information about third parties.

What does “protect national security” cover?

You could limit or restrict the right of access where this is a necessary and proportionate measure to protect national security.

“National security” is generally understood to cover the security and well-being of the UK as a whole, its population, and its institutions and system of government.

See our guidance on the national security provisions.

What does “protect the rights and freedoms of others” cover?

You could restrict a person’s right to access their personal information if you consider it is a necessary and proportionate measure to protect the rights and freedoms of others. This is usually relevant if the information contains personal information about someone else.

See ‘What should we do if the Part 3 request involves information about other people?’.

Can we restrict someone’s right of access for more than one reason?

Yes. However, if you need to restrict access for more than one reason, you should be able to explain why this is necessary and proportionate, and keep a record of your reasons.

Example

The police are investigating a crime. The person under suspicion makes a SAR for their personal information. The police believe that disclosing it is likely to:

  • prejudice the investigation;
  • present a risk to public security; and
  • place another person at risk.

The police decide to restrict the person’s right of access on the basis of sections 45(4)(b), (c), and (e).

However, they should consider each of their aims separately, and be able to explain in sufficient detail, why applying a restriction to the person’s right of access to their information is necessary and proportionate in the circumstances.

Can we restrict the right of access for a specified period of time?

Depending on the circumstances, you could apply a restriction to the person’s right to access their information for a specific length of time. For example, until an investigation is complete or criminal proceedings have ended.

You are not required to keep a SAR open after you have applied a restriction and responded to the person. However, if you only need to restrict someone’s right of access for a specific length of time, you could inform them when they may be able to resubmit their request, if possible.

Do we need to record our reasons for restricting someone’s right of access?

Yes. You must record your reasons for restricting, either wholly or partly, someone’s right of access to the following information:

  • confirmation of the processing (ie if you have issued an NCND response);
  • any of their personal information;
  • any of their supplementary information; and
  • certain privacy information.

You should also record why you have decided this measure is a reasonable and proportionate response to an identified risk. You must be able to make this record available to the ICO, on request (although you should only keep personal information in accordance with the terms of your retention and disposal schedule).

You may find it helpful to refer to our Accountability Framework – see the section on Logging and tracking requests.

Do we need to tell people why we have restricted their rights?

In most cases, if you have restricted someone’s right to access their information, you must inform them as soon as possible about:

  • the reasons why;
  • their right to make a complaint to the ICO; and
  • their ability to seek to enforce this right through the courts.

You do not need to explain that you have restricted their right of access or why, if this undermines the purposes of restricting the right in the first place. However, where possible you should be transparent about your reasons for restricting their right of access to their personal information.

Can we rely on the UK GDPR exemptions to withhold personal information under Part 3?

No. If you are processing information for law enforcement purposes, you cannot apply the UK GDPR exemptions.

Other rules apply to legal professional privilege – see the next section, ‘Can we withhold information on the basis of legal professional privilege?’.

Can we withhold information on the basis of legal professional privilege?

There is no specific restriction under Part 3 of the DPA 2018 that says you may withhold information on the basis it is protected by legal professional privilege.

However, legal professional privilege is an established common law principle. Clients have a fundamental right to seek and obtain confidential legal advice, without the risk of such details being disclosed to others. Therefore, you may withhold information on the basis of the common law principle of legal professional privilege.

Example

The prosecution service decides that it has sufficient evidence to prosecute someone for several offences. However, due to numerous complexities in the case, the prosecution service decides to obtain legal advice before proceeding.

The person makes a SAR for any information the prosecution service holds about them, including any advice or reports obtained. The prosecution service decides that the legal advice is protected by legal professional privilege. This is because it is a confidential communication between client and lawyer, made for the purposes of obtaining legal advice.

The prosecution service does not need to consider whether any of the information contained in the legal advice is disclosable as privilege applies to all the legal advice. The prosecution service withholds the legal advice completely.