Contents

What is the right of access in Part 3 of the DPA 2018?

• What is the right of access in the context of law enforcement processing?
• What does “safeguarding against and the prevention of threats to public security” mean?
• What information is someone entitled to under Part 3?
• What other information is someone entitled to under Part 3?
• Are people only entitled to their own personal data?
• Who is responsible for responding to a request?
• When do we need to take action to enable someone to make a SAR?

How do we recognise a Part 3 subject access request (SAR)?

• What is a Part 3 subject access request (SAR)?
• Are there any formal requirements?
• Do we have to respond to the SAR if the person has an alternative means of accessing their information?
• Can someone ask a third party to make a SAR on their behalf?
• How do we decide which SARs regime applies?
• What is the primary purpose for processing?
• What happens if our primary purpose for processing changes, or if the information we collect is no longer relevant?
• At what point do we decide which SARs regime applies?
• Do we need to provide information processed for logging purposes?
• How do we deal with requests for unstructured manual records?

What should we consider when responding to a Part 3 request?

• How long do we have to comply?
• Can we extend the time for a response?
• If both the UK GDPR and Part 3 information is covered by the SAR, can we deem the request complex and extend the deadline?
• How long do we have to deal with requests for information processed for different purposes?
• Can we clarify the request in Part 3?
• Can we stop the clock and ask for clarification?
• Can we charge a fee under Part 3?

How should we supply Part 3 information to the requester?

• What information must we supply under Part 3?
• In what format should we provide the information?
• What should we do if the information exists in different forms?
• Can we provide remote access?
• In what circumstances can we provide someone with access to their information but not a copy?
• Do we need to make reasonable adjustments for disabled people?

Can we restrict the right of access under Part 3?

• Can we restrict access to the information we provide under Part 3?
• What is a ‘necessary and proportionate measure’?
• What rights and interests may be impacted by restricting someone’s right of access?
• When can we neither confirm nor deny we hold the information?
• What does “avoid obstructing an inquiry, investigation or procedure” cover?
• What does “avoid prejudicing” cover?
• What does “protect public security” cover?
• What does “protect national security” cover?
• What does “protect the rights and freedoms of others” cover?
• Can we restrict the right of access for more than one reason?
• Can we restrict the right of access for a specified period of time?
• Do we need to record our reasons for restricting someone’s right of access?
• Do we need to tell people why their rights have been restricted?
• Can we rely on the UK GDPR exemptions to withhold personal information under Part 3?
• Can we withhold information on the basis of ‘legal professional privilege’?

What should we consider when acting as joint controllers?

• What do we need to consider if we are acting as joint controllers?
• What are the responsibilities of the “contact point”?
• Do we need to consult with joint controllers before responding to a SAR?
• What happens if we are only processing some of the requested information for joint purposes?
• Can we consult other competent authorities when deciding whether to apply a restriction?
• What happens if independent controllers are processing the same information for different purposes?

What should we do if the Part 3 request involves information about other people?

• What is the basic rule?
• What approach should we take?
• What about confidentiality?
• Does categorising people impact what information we can provide them with?
• How should we deal with requests from people who fall within multiple categories?

What do we need to consider if personal information is processed by a court for law enforcement purposes?

• Does someone have a right to access personal information created by a court?
• What does “by or on behalf of a court or other judicial authority” mean?
• What is a “judicial decision”?
• What information will be created by or behalf of a court for a criminal investigation?
• What information will be created by or on behalf of a court for criminal proceedings?
• What does “relating to” mean?
• What does “for the purpose of executing a criminal penalty” mean?
• Does the exception cover documents filed or placed in the custody of the court?
• Does the exception apply if the court has shared the information with another organisation?
• Is this exception time-bound?

Can the right of access be enforced under Part 3?

• What enforcement powers does the ICO have?
• Can a court order be used to enforce a SAR?
• Can people be awarded compensation?
• Is it a criminal offence to destroy and conceal information?