In detail
- What is a Part 3 subject access request (SAR)?
- Are there any formal requirements for how someone should make a SAR?
- Do we have to respond to the SAR if the person has an alternative means of accessing their information?
- Can someone ask a third party to make a SAR on their behalf?
- How do we decide which SARs regime applies?
- What is the primary purpose for processing?
- What happens if our primary purpose for processing changes, or if the information we collect is no longer relevant?
- At what point do we decide which SARs regime applies?
- Do we need to provide information processed for logging purposes?
- How do we deal with requests for unstructured manual records?
What is a Part 3 subject access request (SAR)?
A Part 3 SAR is a request made by or on behalf of someone for the information they are entitled to ask for under section 45(1). They may ask you to:
- confirm whether or not you are processing their information; and if so,
- provide them with access to it.
Are there any formal requirements for how someone should make a SAR?
No, Part 3 does not set out formal requirements for a valid request. Anyone can make a SAR verbally or in writing, including by social media. They can make it to any part of your organisation. They do not have to direct it to a specific person or contact point, tell you why they are making the request, or what they intend to do with the information.
A request does not have to include the phrases “subject access request”, “right of access”, or “section 45(1) of the DPA 2018”. It just needs to be clear that the person is asking for their own personal information. Indeed, a request may be a valid SAR even if it refers to other legislation, such as the Freedom of Information Act 2000 or the Freedom of Information (Scotland) Act 2002.
In general, you should have a single contact point for SARs. If you are a joint controller, you must ensure that you designate a “contact point” for people who wish to make SARs. You must cover this in your joint controllership arrangements. See What should we consider when acting as joint controllers?.
You should have a policy for recording details of all the requests you receive. You should keep a log of any verbal requests you receive, as these are also considered valid SARs.
Do we have to respond to the SAR if the person has an alternative means of accessing their information?
Yes. A SAR is still valid even if the person has the option of using another statutory disclosure or legal route to obtain their information. Examples of other routes include the Criminal Procedure and Investigations Act 1996, or the Criminal Justice and Licensing (Scotland) Act 2010.
They may not have received all of the personal information held about them through that alternative means, or only have had an opportunity to inspect their information, and may not have received a copy. You may also hold information about them that you were not required to disclose under the alternative route, or new information about them that did not exist when they obtained information through the alternative means.
If you are aware that someone is seeking their information for a specific purpose (eg for court proceedings), you could remind them that they will only be able to obtain their own personal information by making a SAR, and not information about other people.
You could explain to them what other routes may be available to them for obtaining their information, and in some circumstances, they may agree to use an alternative method instead. However, you must not refuse to comply with a SAR just because someone has an alternative means of accessing their personal information.
Example
A person who was injured in a road traffic collision makes a SAR to the police in order to pursue a civil claim for damages against the driver responsible for the accident.
The police are aware that the person will be able to obtain this information through other legal mechanisms once they bring a claim. In responding to the SAR, the police are aware they will need to redact the personal information of other people before disclosing it. As the information will be redacted, the police expect that it may have limited use as evidence at court.
The police contact the person and explain that they will need to redact some of the information, and as such, this might not be helpful if the person requires the information for legal proceedings. They also suggest that it would be a good idea for the person to discuss the matter with their solicitor, as there may be other legal methods of obtaining the information they need. However, they also make it clear that the person is entitled to make a SAR for this information.
If the person still wants to make a SAR, the police should respond within one month of first receiving the request.
Alternative disclosure mechanisms may not involve direct disclosure to the person themselves, as the information may be provided to their lawyers. Lawyers are generally under an obligation to make their client aware of all material information in their possession. But this does not mean the person is able to access their information just because it has been made available to their lawyer through another process. You should carefully consider the circumstances of the request, particularly where someone may have changed their legal representative.
However, there may be limited circumstances when you can refuse to deal with a SAR because the person has an alternative way to access their information. In particular, if the person has already been given exactly the same information (as they have now requested) and you can demonstrate that their new request is part of a pattern of disruptive behaviour. For further details, see our guidance on manifestly unfounded and excessive requests.
Can someone ask a third party to make a SAR on their behalf?
Some people may prefer a third party to make a SAR on their behalf (eg a relative, friend or solicitor). In the context of criminal justice and law enforcement, it is not uncommon for people to ask their solicitor to act on their behalf. Part 3 does not prevent this. However you need to be satisfied that the third party making the request is entitled to act on behalf of the person. Follow the recommendations in our UK GDPR detailed right of access guidance Can an individual make a request on behalf of someone?.
If a third party makes a SAR on behalf of an someone else, you should respond to the requester as if you were responding directly to the person the information is about.
Example
A requester makes a SAR to the Planning Service on behalf of their mother, who is being prosecuted for failure to comply with an Enforcement Notice to remove an illegal house extension. The requester is appropriately authorised to act on their mother’s behalf, and to obtain the information. The Planning Service is satisfied that it is appropriate to release the information to the requester.
However, the information contains some personal information of the requester, who is acting on behalf of their mother. The requester’s personal information contains important context about the circumstances of the prosecution. However, the Planning Service must deal with the SAR as if it had been made by the person themselves. As it is releasing the information directly to the requester, it contacts them to enquire whether they are happy for their personal information to be disclosed in the response.
However, if the Planning Service sends the response directly to the mother, it should redact the personal information of the requester, as it would have done if the mother had made the SAR directly. If the Planning Service is unable to contact the requester to check their preference, it should be cautious and redact the requester’s personal data.
In circumstances where someone has appointed a legal representative or other professional to act on their behalf, you may receive repeat requests for information that you have previously disclosed. For example, if the person changes their representative. How you respond may depend on the circumstances, and on any other laws or policies you are subject to. You should document the reasons for your decision.
Depending on the circumstances, you could also consider such requests to be manifestly unfounded or excessive. See our Guide to Law Enforcement processing – Manifestly unfounded or excessive requests.
Example
A solicitor makes a SAR to the prosecution service on behalf of someone who was convicted of assault occasioning actual bodily harm. The prosecution service discloses the information. Several weeks later, the person changes their solicitor, who then makes a request for the same information.
The prosecution service considers the SAR as if it had been made by the person themselves. It could therefore view the SAR as a repeat request, which means the manifestly excessive provisions may apply to the information which has already been disclosed. However, depending on the circumstances, the prosecution service may still decide to provide this information. For example, it may consider any relevant legislation, policies, or other matters, including any difficulties the person might have in obtaining the information, or the impact on them if it does not provide the information.
However, if it has obtained any new information since responding to the previous request, it should provide it unless a restriction applies. It is important that the prosecution service documents the reasons for its decision.
You may also receive requests for information made on behalf of someone through an online portal. See our UK GDPR detailed right of access guidance Do we have to respond to requests made via a third party online portal?.
If you receive requests by or on behalf of children or young people, see our UK GDPR detailed right of access guidance What about requests for information about children or young people?.
How do we decide which SARs regime applies?
Before responding to a SAR, you must determine whether you are using the personal information for general purposes or for any of the law enforcement purposes. This is important as there are many differences between the UK GDPR and Part 3. You may also process information for more than one reason.
If your primary purpose for using the information is for one of the law enforcement purposes, you must deal with the SAR under Part 3. If you are using the information for general purposes, you must deal with the SAR under the UK GDPR.
You should consider your reason for processing the information at the time you receive the request.
Example
A seaside town regularly experiences flooding. The police work with other agencies to develop an incident response plan, which explores how to prevent future floods, and how best to protect human life and property should future incidents occur.
While dealing with such emergencies is an important policing function, it is not criminal law enforcement. Any of the personal information police collect about this matter should therefore be processed under the UK GDPR. If police receive a SAR from someone whose information they process for this purpose, they should deal with it under the UK GDPR, not Part 3.
If you process the same personal information for more than one purpose (eg for a law enforcement purpose and for general purposes), you need to identify your primary purpose for processing the information.
What is the ‘primary purpose’ for processing?
The term ‘primary purpose’ is not defined in the legislation but generally means your principal objective for processing the information. This does not necessarily mean your original reason for collecting it.
In general, any information you obtain in connection with your law enforcement purposes is likely to be processed under Part 3. This can include (but is not limited to):
- information you discover, seize, or download as part of an investigation;
- expert reports (eg medical or forensic);
- legal advice; or
- information provided to you by third parties.
Although your primary purpose for processing the information will usually be obvious, you should consider the following factors, if you aren’t sure:
- your reasons for collecting or obtaining the information;
- any legislation that forms the basis of your processing, and whether it has an underlying law enforcement purpose;
- whether your purpose for processing has changed;
- any relevant policies; and
- any other relevant circumstances.
Example
A suspect is detained in a custody suite on suspicion of having committed an offence. They have a pre-existing medical condition that requires them to take medication at regular intervals.
The custody officer has been provided with some of their medical information to enable the suspect to self-administer their medication.
The suspect makes a SAR for all the information held about them.
While the information relating to the criminal offence will clearly be dealt with under Part 3, the organisation needs to decide whether their primary purpose for processing the medical information is under the UK GDPR, or Part 3. They may consider any relevant legislation or policies (eg about the care and welfare of detainees at police stations) or any other matter. They should also document the reasons for their decision.
Your reason for processing the information may change over time. You may collect information under the UK GDPR (eg for general administrative purposes), but as circumstances progress and the purpose changes (eg as you identify elements of criminality), you may end up processing it for law enforcement purposes (under Part 3) instead or under both simultaneously.
Example
Police process information about a disciplinary matter between two staff members during their employment. There is an ongoing dispute between them which has resulted in numerous arguments and allegations of harassment and bullying by both parties. The police are processing this information under the UK GDPR, and dealing with it in accordance with standard policies.
However, while investigating the matter, the police identify potential criminal issues. Following this, the investigation into the matter becomes a criminal investigation.
Both people make a SAR for the personal information held about them in relation to this matter. As it is now being treated as a criminal investigation, the police should deal with the SARs under Part 3.
It may be easier to identify a change in regime if the information is passed to a specialist team or department to use for a specific purpose. You may also have the option of dealing with a particular issue either as a criminal or civil matter.
Example
A dedicated fraud unit has obtained information about someone for the purposes of an investigation. It received this information from another department that had collected it under the UK GDPR, as part of its routine processing operations.
The fraud unit has powers to deal with the matter as a civil or criminal investigation. If it decides to deal with it as a criminal investigation, then it should use Part 3 to process the information. However, if it treats the matter as a civil investigation, the fraud unit will be processing the information under the UK GDPR instead.
Remember that you should document your rationale.
What happens if our primary purpose for processing changes, or the information we collect is no longer relevant?
If you originally collected the information under the UK GDPR, you will be able to use it for law enforcement purposes under Part 3, if it becomes relevant to a criminal matter. If you receive a SAR, you should carefully consider your main reason for processing the information.
Example
The police receive a SAR from a staff member for details of their medical absences within the last three years. Their human resources file contains information relevant to a criminal investigation.
However, the police decide that details about the person’s medical absences are not relevant to the current investigation.
As the primary purpose for processing details of the person’s medical absences is for human resources reasons, the police deal with the SAR under the UK GDPR.
You may incidentally collect some irrelevant information, if you collect bulk information for a law enforcement purpose (eg to investigate a crime). As you can only process personal information collected for law enforcement purposes under the UK GDPR in limited circumstances, information which is irrelevant to your law enforcement purpose will not automatically fall within the UK GDPR regime. Therefore, you should continue to deal with the information under Part 3.
If someone makes a SAR “for all the information you hold about me”, you must deal with their entire request under Part 3, not just those elements of the SAR that relate to your criminal investigation. Obviously, if you already hold some of the information about the person under the UK GDPR, then you must deal with this part of the request under the UK GDPR.
Example
Police seize a number of laptops and phones from a person for the purpose of investigating allegations that they possess images depicting child sexual abuse. Having determined that it is strictly necessary to do so, police extract the information stored on the devices. On reviewing the extracted material, they find some incriminating evidence, but also a large amount of other information, including the person’s own bank and credit card details, some health information, and family photographs. Some of this information is not relevant to the offences under investigation.
They are still processing the information they collected incidentally (such as bank details, health data and family photos) under Part 3. This is because the primary purpose for collecting the information was for a law enforcement purpose. The person makes a SAR for all the information the police have extracted from their devices. However, the police are still sifting the information, to decide if it’s relevant to the investigation.
Just because some of the information is unlikely to be relevant does not bring it within the remit of the UK GDPR. The primary purpose of processing the information is for investigating crime, and the police should deal with the SAR under Part 3.
Although you may not have any use for irrelevant information, you must still store it in line with your retention and disposal schedule (at least until you have completed sifting it to decide if it is relevant). In general, if information is irrelevant for your law enforcement purposes, you must limit its further use, where possible, and ensure you don’t keep it longer than necessary. You may also need to consider other regulations governing the use and retention of law enforcement data.
At what point do we decide which SARs regime applies?
You should usually consider the SAR under the regime you are using to process the information at the time you receive the request.
For example, if you receive a SAR for information you collected for a law enforcement purpose several years ago but you are now using it for general purposes, you should usually consider the request under the UK GDPR, and not Part 3. However, this will depend on the circumstances, and you should adopt a pragmatic and flexible approach.
If your primary reason for processing changes after you receive the request and before you respond, it is usually appropriate to consider the SAR under the regime that applied on the date you received the request. It may be impractical to change SARs regimes after you have received and logged the request. However, you should take a flexible approach and take the specific circumstances of the request into account.
You should always document the reasons for your decision.
Example
A financial regulator is processing an application for registration. It receives a SAR from the applicant on 9 March for “all the information you hold about me.” The regulator logs the SAR. On 16 March it discovers evidence of fraudulent activity by the applicant.
The staff processing the application send the file to their enforcement department. The file then becomes part of a criminal investigation. The original purpose for processing the application was for general purposes. However, as soon as the file passes to the enforcement department to launch a criminal investigation, the primary purpose for processing becomes for one of the law enforcement purposes – the investigation of crime.
However, the regulator must still comply with the SAR they received on 9 March. It should generally consider the SAR under the UK GDPR – which was the relevant regime at the time the request was received. It may also consider whether it’s appropriate to apply a UK GDPR exemption (eg crime and taxation) to the information it is now processing for a criminal investigation. The regulator should consider liaising with the enforcement department before responding to the request, if there is a risk that disclosing the information may, for example, prejudice the investigation.
Depending on the circumstances, the regulator may decide that it would be appropriate to deal with the request under Part 3 instead. If it does take this approach, it must be able to justify why it is taking this approach.
Do we need to provide information processed for logging purposes?
In some circumstances, yes.
Logs of information are likely to contain specific metadata about your processing activities, including exact times and dates on which certain processing actions were performed. You must consider, in the circumstances of the request, whether this is personal information of the person whose record the log relates to.
Logs of information create an audit trail of the information processing operations carried out by your employees. Therefore, they are likely to include the personal information of employees, including their name, and the date and time they consulted a particular piece of information.
Example
The police suspect that a member of staff has inappropriately accessed the Police National Computer to stalk and threaten another person. The staff member makes a SAR for all the information held about them. As the logs of information include their personal data, this information is potentially disclosable.
However, as logs of information may be used for the purpose of criminal proceedings, the police consider whether they need to restrict the staff member’s right of access to avoid prejudicing the investigation.
If you receive a SAR for logs of information you keep further to your obligations under section 62 of the DPA 2018, you should use Part 3 to deal with it. For example, you may keep logs to audit and monitor your employees’ activities.
Example
An employee makes a SAR, and asks for “all the information you hold about me”. Most of their personal information is contained within their human resources records that you are processing under the UK GDPR. However, you also hold information about them in other databases and in your information logs.
The information logs contain the employee’s name, the dates and times they accessed electronic criminal records and details of any amendments the employee made to the records.
As the information logs contain the employee’s personal information, you should consider disclosing this information to comply with the SAR. However, it may be necessary to redact any information about third party individuals, (eg information about the person whose records were accessed by the employee).
Although you are not specifically processing this for a law enforcement purpose, you are doing so to comply with the logging requirement under section 62 of the DPA 2018. As such, your underlying purpose is for law enforcement. Therefore, you must deal with this element of the SAR under Part 3.
Remember that you may need to explain information to people if it is in coded form or may not be easily understood.
How do we deal with requests for unstructured manual records?
Unstructured personal data is manual information that is not, or is not intended to be, part of a “filing system”.
You should interpret the term, “filing system” broadly. It can cover the personal information you collect for your law enforcement purposes, if it is structured according to specific criteria. This means you should order it in a way that allows you to easily retrieve the information. However, it does not have to include data sheets, specific lists or other search methods.
Most of the manual information you process for any of the law enforcement purposes will be structured, and therefore form part of a filing system. For example, witness statements and any other evidence used for criminal proceedings. In general, unstructured manual data is only likely to include paper records, such as loose written notes or post-it notes.
Example
Police seize large volumes of paper records to investigate money laundering. This includes notebooks, folders, and loose pages, that all contain personal information. The police store this information in boxes marked with reference numbers that relate to the investigation.
As the information is clearly referenced, it forms part of a filing system, even though some of the documents are in the form of loose notes, and the police have not yet had an opportunity to review it fully. This information is not unstructured manual data because it is clearly referenced and linked to a specific investigation.
If the police receive a SAR for this information, they should deal with it under Part 3.
You must not use the Part 3 SARs regime for responding to requests for unstructured manual data obtained for law enforcement purposes. Instead, you should use the UK GDPR SARs regime to deal with all requests for unstructured manual data, even if you have obtained the information in connection with your law enforcement purposes.
This is because Part 3 only covers personal information that:
- is processed wholly or partly by automated means; or
- is, or is intended to, form part of a filing system.
This means that unstructured manual data obtained for law enforcement purposes is not included in the Part 3 processing regime. However, it automatically comes within scope of the UK GDPR – provided the organisation is a public authority.
Article 2(1A) of the UK GDPR says that:
“This Regulation [the UK GDPR] also applies to the manual unstructured processing of personal data held by an FOI public authority.”
Therefore, unstructured manual data obtained for law enforcement purposes is automatically caught by this provision.
Example
Someone makes a SAR to their local authority for “all the information you hold about me”.
In searching its records, the authority finds an employee’s handwritten notes made to assist them in typing up a penalty notice. This was served on the person several weeks ago, and required them to pay a fine. The notes contain the person’s name, and various other personal details about them that were not included in the typed up penalty notice given to the person.
As the note is unstructured, the local authority should not consider it under the Part 3 SAR regime. Instead, the authority deals with the SAR under the UK GDPR. However, the authority also takes into account the fact the note relates to an ongoing criminal matter. The authority should consider whether the crime and taxation exemption (under the UK GDPR) is relevant.