The Right of Access – Part 3 of the DPA 2018
Latest updates - 07 July 2026
07 July 2026 - This guidance was updated to reflect our style guide and the changes introduced by the Data (Use and Access) Act 2025.
10 February 2023 - This guidance was published.
About this guidance
This guidance discusses the right of access to personal information processed for a law enforcement purpose under part 3 of the Data Protection Act 2018 (DPA) in detail. Read it if you have detailed questions not answered in the Guide, or if you need a deeper understanding to help you apply the right of access under part 3 in practice. It’s aimed at ‘competent authorities’ that process personal information for any of the law enforcement purposes. In particular, Data Protection Officers and those with specific data protection responsibilities in the context of law enforcement processing.
If you haven’t yet read the ‘in brief’ page on the part 3 right of access, we recommend that you read that first. It introduces this topic and sets out the key points you need to know, along with practical checklists to help you comply.
Read this guidance if you have specific questions about dealing with subject access requests (SARs) under part 3.
Where your processing operations are for general purposes only, refer to the right of access guidance under the UK GDPR. We will signpost to this guidance when it may be useful. If you want to find out more about intelligence services SARs, see our guidance on intelligence services processing – the right of access.
To help you understand the law and good practice as clearly as possible, this guidance says what organisations must, should and could do to comply.
Contents
- What is the right of access in part 3 of the DPA 2018?
- How do we recognise a part 3 subject access request (SAR)?
- What can we consider when responding to a part 3 request?
- How can we supply part 3 information to the requester?
- Can we restrict the right of access under part 3?
- Restrictions: what can we do if the part 3 request involves information about other people?
- Exemptions: When can we consider a part 3 request to be manifestly unfounded or excessive?
- What can we consider when acting as joint controllers?
- What do we need to consider if a court processes personal information for the law enforcement purposes?
- Can the right of access be enforced under part 3?