What is the right of access in Part 3 of the DPA 2018?

In detail

• What is the right of access in the context of law enforcement processing?
• What does “safeguarding against and the prevention of threats to public security” mean?
• What information is someone entitled to under Part 3?
• What other information is someone entitled to under Part 3?
• Are people only entitled to their own personal information?
• Who is responsible for responding to a request?
• When do we need to take action to enable someone to make a SAR?

What is the right of access in the context of law enforcement processing?

Section 45(1) of the DPA 2018 gives people a right to obtain their personal information that is being used for a law enforcement purpose.

This right allows people to request a copy of their personal information from you, as well as other supplementary information. These requests are usually called subject access requests (SARs).

The right of access helps people understand how and why you are using their information and check you are doing so lawfully. You must publicise the right of access, for example, on your website, in your privacy statement, or in other communications with people.

You must only use Part 3 for responding to SARs, if you are:

• a competent authority; and
• using the information for one of the law enforcement purposes.

The law enforcement purposes are defined under section 31 as,

“…the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”.

What does “safeguarding against and the prevention of threats to public security mean?”

This means preventing and safeguarding against threats to public security, where this fits broadly within the wider law enforcement purposes of:

• preventing, investigating, detecting or prosecuting crime, or
• executing criminal penalties.

For example, safeguarding against threats to public security may apply to covert surveillance or video surveillance for the prevention and detection of crime. You should consider these uses of personal information under Part 3.

It does not mean wider public security threats, such as natural disasters or other major incidents, that are not usually linked to criminal offences or penalties. You should consider your uses of personal information for these wider threats under the UK GDPR.

What information is someone entitled to under Part 3?

The right of access under Part 3 gives people the right to obtain the following from you:

• confirmation that you are using their personal information;
• access to their personal information; and
• other supplementary information.

Where possible you must respond in writing and provide the person with a copy of their information – unless you don’t hold the information, or you believe a restriction applies. You could provide the information in its existing format, if this is the most accessible form. For example, where you cannot convey the full context and meaning of the information solely in writing. This may include providing secure access to CCTV footage, or audio recordings. You do not have to create transcripts to respond to a request, if you do not already have them.

In most cases, you can confirm whether you are using a person’s personal information in general terms. However, if the request is for a specific piece of information, you should generally be able to confirm or deny whether you are processing the information unless a restriction applies. Depending on the circumstances, and due to the sensitivities of law enforcement processing, you may not be able to be fully transparent with the person about the nature of the processing or whether you hold the information (see When can we neither confirm nor deny we hold the information?).

You must ensure that your processing is lawful and fair, and aim to be as open and transparent as possible with people about how you use their personal information.

However, in some circumstances transparency can undermine your law enforcement activities, and you may be unable to confirm or deny whether you are processing personal information. However, you may only restrict a person’s right of access, if one of the restrictions listed in section 45(4) applies.

What other information is someone entitled to under Part 3?

People have the right to receive the following information (which largely corresponds with the information that you should provide in a privacy notice):

• your purposes and lawful reason (known as lawful basis) for processing;
• categories of personal information you’re processing;
• recipients or categories of recipient you have disclosed the personal information to (including recipients or categories of recipients in third countries or international organisations);
• your retention period for storing the personal information or, where this is not possible, the criteria for determining how long you will store it;
• the person’s right to request rectification, erasure or restriction of the information you are processing;
• the person’s right to lodge a complaint with the Information Commissioner’s Office (ICO);
• details of the personal information you are processing; and
• any available information about the source of the information.

When responding to a SAR, you must supply this information in addition to a copy of the personal information itself, even if the person does not specifically ask for it. If you provide this information in your privacy notice, you could provide a link to it or a copy.

In using personal information for a law enforcement purpose, you must distinguish, where possible, between the different categories of people whose information you process. This may include information about a suspect, offender, complainant, victim, witness, informant, or any other person. How you categorise a person may affect:

• what information you are able to provide;
• how you search for information (eg if it is held in different contexts); or
• if you need to restrict a person’s right of access to their information.

Are people only entitled to their own personal information?

Yes, in most circumstances, unless:

• their information also relates to other people; or
• they are exercising another person’s right of access on their behalf.

Before you respond to a SAR, you must decide whether the information you hold is personal information and, if so, who it relates to.

For information to be personal information, it must relate to a living person who is identifiable from that information (directly or indirectly). In most cases, it is obvious whether the information is personal information, but we have produced guidance on What is personal data? to help you decide if it is unclear.

The same information may be the personal information of two (or more) people, and you may therefore be able to restrict the person’s right of access. Please see What should we do if the Part 3 request involves information about other people? for further details.

Who is responsible for responding to a request?

This depends on whether you are a “controller” or a “processor”. Controllers are responsible for complying with SARs, not processors.

If you use a processor, you must have contractual arrangements in place to guarantee that you can deal with SARs properly, whether they are sent to you or the processor. The processor must help you meet your obligations for SARs and you must make this clear in the agreement between you.

In most cases, the processor may hold personal information on your behalf. If so, you should be able to require the processor to search for this information and, if necessary, give you a copy. However, it is still your responsibility to decide how to deal with the request.

If you are a joint controller, you must have an arrangement in place with your fellow joint controller(s) that sets out each of your responsibilities, including how you deal with SARs. Under Part 3, you must specify a central point of contact for people, which must be one of the joint controllers. See What should we consider when acting as joint controllers?.

When do we need to take action to enable someone to make a SAR?

People have a right to be informed about how you are using their personal information. Where possible, you should be open and transparent about what information you process about them, and why you are processing it. Letting people know that you are using their personal information will greatly assist them in exercising their right of access under Part 3.

People may not always know that you hold information about them (or have enough information to be able to make a SAR), particularly if you have obtained it from another source. In these circumstances, you must provide the person with the following information, unless a restriction applies:

• your lawful basis for processing;
• your retention period for storing the personal information or, where this is not possible, the criteria for determining how long you will store it;
• if applicable, recipients or categories of recipient you have disclosed the personal information to (including recipients or categories of recipients in third countries or international organisations); and
• any other information the person needs to be able to make a SAR.

You could contact the person directly or direct them to the privacy information on your website.

You may withhold some of the information listed above, if a restriction applies (eg where complying with the SAR may prejudice a criminal investigation). Follow the approach outlined in the chapter Can we restrict the right of access under Part 3? In deciding whether to withhold some of the person’s privacy information, you must consider how this might impact their rights and interests.

You should consider any decision on whether you can restrict the person’s right to any of their privacy information on its own merits. You should treat this separately from any decision about whether you need to confirm the information is held, or apply a restriction to the person’s right of access.