How do we recognise a Part 3 subject access request (SAR)
In detail
- What is a part 3 SAR?
- Are there any formal requirements?
- Do we have to respond to the SAR if the person has an alternative means of accessing their information?
- Can someone ask a third party to make a SAR on their behalf?
- How do we decide which SARs regime applies?
- What is the primary purpose for processing?
- What happens if our primary purpose for processing changes or if the information we collect is no longer relevant?
- At what point do we decide which SARs regime applies?
- Do we need to provide information processed for logging purposes?
- How do we deal with requests for unstructured manual records?
What is a part 3 SAR?
A part 3 SAR is a request made by, or on behalf of, someone for their personal information when you are using it for one of the law enforcement purposes. They can ask you to:
- confirm whether you are processing their personal information; and
- if you are, to give them access to it.
Are there any formal requirements?
No, part 3 does not set out formal requirements for a valid request. Anyone can make a SAR verbally or in writing, including by social media. They can make it to any part of your organisation. They do not have to:
- direct it to a specific person or contact point;
- tell you why they are making the request; or
- explain what they intend to do with the information.
The person does not have to use the phrases 'subject access request', 'right of access' or 'section 45(1) of the DPA'. It just needs to be clear that they are asking for their personal information. A request may be a valid SAR even if it refers to other legislation, such as:
- the Freedom of Information Act 2000; or
- the Freedom of Information (Scotland) Act 2002.
In general, you should have a single contact point for SARs. If you are a joint controller, you must ensure that you designate a contact point for people who wish to make SARs. You must cover this in your joint controllership arrangements. (See What can we consider when acting as joint controllers?.)
You should have a policy for recording details of all the requests you receive. You should keep a log of any verbal requests you receive, as these are also considered valid SARs.
Where appropriate, you may respond to routine requests for information in your normal course of business. (See our UK GDPR SAR guidance – Can we deal with a request in our normal course of business?.)
Do we have to respond to the SAR if the person has an alternative means of accessing their information?
Yes. A SAR is still valid even if the person can possibly use another statutory disclosure or legal route to obtain their information, for example:
- the Criminal Procedure and Investigations Act 1996; or
- the Criminal Justice and Licensing (Scotland) Act 2010.
If you know that someone is seeking their information for a specific purpose (eg for court proceedings), you can remind them that they can only obtain their own personal information by making a SAR. They cannot obtain information about other people or copies of documents.
You can also explain what other routes may be available for obtaining their information. In some circumstances, they may agree to use an alternative method. However, you cannot refuse to comply with a SAR just because someone has an alternative means of accessing their personal information.
Example
A person makes a SAR to the police seeking information that may help them bring a civil claim against another person.
In responding to the SAR, the police need to redact personal information about other people before disclosing it. Because of the redactions, it may have limited use as evidence in court.
The police contact the person to explain that some information will be redacted, and therefore may not be useful for legal proceedings. They also advise the person to consider whether there are other ways to obtain the necessary information for their civil claim. For example, they could go through the courts, a lawyer or another advice service. However, the police also make it clear that the person is entitled to make a SAR.
If the person still wants to make a SAR, the police should respond within one month of first receiving the request.
A person may not have received all their information through an alternative means, or they may only have been able to inspect it and not received a copy. You may also hold:
- information that the alternative route did not cover; or
- new details that did not exist when they accessed their information through the alternative means.
Alternative disclosure mechanisms may not involve providing direct disclosure to the person, as it may go to their lawyers. Lawyers are generally obliged to make their client aware of all material information in their possession. But this does not mean the person is able to access their information because it is available to their lawyer through another process. For example, lawyers may have:
- only been able to inspect the file, and not received a copy; or
- deleted the information in accordance with their retention and disposal schedule.
You should carefully consider the circumstances of the request, particularly where someone may have changed their legal representative.
There may be limited circumstances when you can refuse to deal with a SAR because the person has already obtained exactly the same information (as now requested) through other means. (For further details, see When can we consider a part 3 request to be manifestly unfounded or excessive?.)
Can someone ask a third party to make a SAR on their behalf?
Some people may prefer a third party to make a SAR on their behalf (eg a relative, friend or solicitor). Part 3 does not prevent this. However, it is essential that you are satisfied that the third party is entitled to act on behalf of the person whose personal information they have requested. For example, the representative may provide a signed letter of authority from the person.
If you have no evidence that the third party is authorised to act, you should request further evidence. The representative is responsible for demonstrating that they have the necessary authority. You cannot comply with the SAR until you receive the appropriate authority. (There is more detail on how you can deal with SARs in these circumstances in our UK GDPR detailed right of access guidance – Can a request be made on behalf of someone else?)
If a third party makes a SAR on behalf of someone else, you should respond to the requester as if you were responding directly to the person the information is about.
Example
A requester makes a SAR to the local authority on their mother's behalf. Their mother is being prosecuted for failure to comply with an enforcement notice to remove an illegal house extension. The requester is authorised to act on their mother's behalf and to obtain the information. The local authority is satisfied that it is appropriate to release the information to the requester.
However, the information contains some personal information about the requester, who is acting on their mother's behalf. The local authority must deal with the SAR as if the mother had made it. As it is releasing the information directly to the requester, it contacts them to ask if they are happy for their personal information to be disclosed in the response.
However, if the local authority sends the response directly to the mother, it must either:
- have the consent of the requester; or
- consider whether it is reasonable to disclose their personal information without consent.
If it doesn't have consent, it must consider if it is reasonable to disclose the information anyway.
In circumstances where someone has appointed a legal representative or other professional to act on their behalf, you may receive repeat requests for information that you have previously disclosed (eg if the person changes their representative). How you respond may depend on the circumstances and if you think the request may be manifestly unfounded or excessive. You should document the reasons for your decision.
Example
A solicitor makes a SAR to the prosecution service on behalf of someone who was convicted of assault occasioning actual bodily harm. The prosecution service discloses the information. Several weeks later, the person changes their solicitor, who then makes a request for the same information.
The prosecution service considers the SAR as if the person themselves had made it. It may view the SAR as a repeat request, which means the manifestly excessive provisions may apply to the information which has already been disclosed. However, depending on the circumstances, the prosecution service can still decide to provide this information. For example, it may consider any relevant legislation, policies or other matters, including:
- any difficulties the person might have in obtaining the information; or
- the impact on the person if it does not provide it.
If it has obtained any new information since responding to the previous request, it must provide the new information unless a restriction applies. It's important that the prosecution service documents the reasons for its decision.
Depending on the circumstances, you could consider such requests to be manifestly unfounded or excessive. (See When can we consider a part 3 request to be manifestly unfounded or excessive?.)
You may also receive requests for information made on behalf of someone through an online portal. (See our UK GDPR detailed right of access guidance Do we have to respond to requests made via a third-party online portal?.)
If you receive requests by or on behalf of children or young people, see our UK GDPR detailed right of access guidance What about requests for information about children?.
How do we decide which SAR regime applies?
Before responding to a SAR, you must decide whether you are using the personal information for general purposes or for any of the law enforcement purposes. This is important as there are many differences between the UK GDPR and part 3. You may also use information for more than one reason.
If your primary purpose for using the information is for one of the law enforcement purposes, you must deal with the SAR under part 3. If you are using the information for general purposes, you must deal with the SAR under the UK GDPR. If you are using the information for intelligence service processing, you must deal with it under part 4.
Example
The police attend a private residence to help a person experiencing significant distress during a mental health crisis. Responding to such incidents is an important policing function. Therefore, the police must consider whether the processing falls within part 3 or the UK GDPR.
If this person, or someone acting on their behalf, submits a SAR, the police must handle it:
- in accordance with the UK GDPR if it is general processing; or
- under part 3 if it is considered a law enforcement function.
You should consider your reason for using the information at the time you receive the request.
You may use the same personal information for more than one purpose (eg for a law enforcement purpose and for general purposes). In this case, you should identify your 'primary purpose' for processing the information.
What is the primary purpose for processing?
The term 'primary purpose' is not defined in the legislation but generally means your principal objective for using the information. This is not necessarily your original reason for collecting it.
In general, any information you obtain in connection with your law enforcement purposes is likely to be processed under part 3. This can include (but is not limited to):
- information you discover, seize or download as part of an investigation;
- expert reports (eg medical or forensic);
- legal advice; or
- information provided to you by third parties.
Your primary purpose for using the information is usually obvious. However, if you aren't sure, you should consider:
- your reasons for collecting or obtaining the information;
- any legislation or other laws that form the basis of your processing, and whether it has an underlying law enforcement purpose;
- any change in your purpose for processing;
- any relevant policies; and
- any other relevant circumstances.
Example
A suspect is detained in a custody suite on suspicion of having committed an offence. They have a pre-existing medical condition that requires them to take medication at regular intervals.
The custody officer has been provided with some of the suspect's medical information to enable the suspect to self-administer their medication.
The suspect makes a SAR for all the information held about them.
The information relating to the criminal offence will clearly be dealt with under part 3. However, the police should decide whether its primary purpose for using the medical information is under the UK GDPR or part 3. It may consider any relevant legislation or policies (eg about the care and welfare of detainees at police stations) or any other matter. It should also document the reasons for its decision.
Your reason for using the information may change over time. You may collect information under the UK GDPR, but circumstances may change (eg if you identify elements of criminality). Therefore, you may end up using the information for:
- the law enforcement purposes (under part 3); or
- both purposes at the same time.
Example
Police process information about a disciplinary matter between two staff members during their employment. There is an ongoing dispute between them, resulting in numerous arguments and allegations of harassment and bullying by both parties. The police are processing this information under the UK GDPR in accordance with their HR policies.
However, while investigating the matter, the police identify potential criminal issues, and it becomes a criminal investigation.
Both people make a SAR for the information held about them in relation to this matter. As it is now being treated as a criminal investigation, the police should deal with the information that is relevant to the investigation under part 3.
It may be easier to identify a change in regime if the information is passed to a specialist team or department to use for a specific purpose. You may also have the option of dealing with a particular issue either as a criminal or civil matter.
Example
The Financial Conduct Authority (FCA) has powers to deal with a particular matter as a civil or criminal investigation. If it decides to deal with this matter as a criminal investigation, it must use part 3 to process the information. However, if it treats the matter as a civil investigation, it will process the information under the UK GDPR instead.
Remember that you should document your rationale.
What happens if our primary purpose for processing changes, or the information we collect is no longer relevant?
If you originally collected the information under the UK GDPR, you can use it for the law enforcement purposes under part 3, if it becomes relevant to a criminal matter. If you receive a SAR for that information, you should carefully consider your main reason for using it.
Example
The police receive a SAR from a staff member for a copy of their human resources (HR) file. This file also contains some information relevant to a criminal investigation.
As the primary purpose for processing is for HR reasons, the police deal with this part of the SAR under the UK GDPR. Information about the criminal investigation is processed under part 3, and the police decide that it needs to apply a restriction.
If you collect bulk information for a law enforcement purpose (eg to investigate a crime), you may incidentally collect some information that is not relevant to your law enforcement purpose. Information that is irrelevant to your law enforcement purpose does not automatically fall within the UK GDPR regime. You must continue to deal with it under part 3.
In these circumstances, if someone makes a SAR “for all the information you hold about me”, you must deal with their entire request under part 3. You cannot apply part 3 only to those elements of the SAR that relate to your criminal investigation. However, if you already hold some of the information about the person under the UK GDPR, you must deal with this part of their request under the UK GDPR.
Example
Police seize a number of laptops and phones from a person to investigate allegations that they possess images depicting child sexual abuse. Having decided that it is strictly necessary to do so, the police extract the information stored on the devices. On reviewing the extracted material, they find relevant information. They also find a large amount of other information, including the person’s own bank and credit card details, some health information and family photographs. Some of this information is not relevant to the offences under investigation.
The police are still processing the information they collected incidentally (such as bank details, health data and family photos) under part 3. This is because the primary purpose for collecting the information was for a law enforcement purpose. The person makes a SAR for all the information the police have extracted from their devices. However, the police are still searching through the information to decide whether it’s relevant to the investigation.
Just because some of the information is unlikely to be relevant does not mean it falls under the UK GDPR. The primary purpose of processing the information is for investigating crime, and the police must deal with the SAR under part 3.
Although you may not have any use for irrelevant information, you must store it in line with your retention and disposal schedule (at least until you have completed searching through it to decide what is relevant). In general, if information is irrelevant for your law enforcement purposes, you must:
- limit its further use; and
- ensure you don’t keep it longer than necessary.
You may also need to consider other legislation, regulations and codes of practice governing the use and retention of law enforcement data.
At what point do we decide which SAR regime applies?
You should consider the SAR under the regime you are using to process the information at the time you receive the request.
For example, you may receive a SAR for information you collected for a law enforcement purpose several years ago but that you are now using for general purposes. You should consider this request under the UK GDPR, not part 3. However, this depends on the circumstances, and you should adopt a pragmatic and flexible approach.
Your primary reason for using the information may change after you receive the request and before you respond. If so, you should consider the SAR under the regime that applied on the date you received the request. It may be impractical to change SAR regimes after you have received and logged the request. However, you should take a flexible approach and take the specific circumstances of the request into account.
You should document the reasons for your decision.
Example
A financial regulator is processing an application for registration. It receives a SAR from the applicant on 9 March for “all the information you hold about me”. The regulator logs the SAR. On 16 March, it discovers evidence of fraudulent activity by the applicant.
The staff processing the application send the file to their enforcement department. The file then becomes part of a criminal investigation. The original purpose for processing the application was for general purposes. However, as soon as the file passes to the enforcement department to launch a criminal investigation, the primary purpose for processing becomes one of the law enforcement purposes – the investigation of crime.
The regulator must comply with the SAR they received on 9 March. It deals with the SAR under the UK GDPR – which was the relevant regime when it received the request. It can also consider whether it’s appropriate to apply a UK GDPR exemption (eg crime and taxation) to the information it is now processing for a criminal investigation. The regulator could consider liaising with the enforcement department before responding to the request (eg if there is a risk that disclosing the information may prejudice the investigation).
Depending on the circumstances, the regulator could decide to deal with the request under part 3. If it does take this approach, it must be able to justify why it is doing so.
Do we need to provide information processed for logging purposes?
In some circumstances, yes.
Logs of information are likely to contain specific metadata about your processing activities, including exact times and dates when you performed certain processing actions. When handling a SAR, you must consider if this is personal information of the person who made the request or if it is about someone else.
Logs of information act as digital footprints and record the actions of users in automated processing systems. They can create an audit trail of the information processing operations carried out by your employees. They are likely to include the personal information of employees, including:
- their name; and
- the date and time they consulted a particular piece of information.
Example
The police suspect that a member of staff has inappropriately accessed the Police National Computer to stalk and threaten another person. The staff member makes a SAR for all the information held about them. As the logs of information include their personal information, this is potentially disclosable.
However, logs of information may be used for the purpose of criminal proceedings. Therefore, the police consider whether they need to restrict the staff member's right of access to avoid prejudicing the investigation.
You must use part 3 to process logs of information you keep in accordance with your obligations under section 62 of the DPA. For example, you may keep logs to audit and monitor your employees' activities. If you receive a SAR for these logs, you must use part 3 to deal with this part of the request.
Example
An employee makes a SAR and asks for "all the information you hold about me". Most of their personal information is contained within their HR records that you are processing under the UK GDPR. However, you also hold information about them in other databases and in your information logs.
The information logs contain:
- the employee's name;
- the dates and times they accessed electronic criminal records; and
- details of any amendments they made to the records.
As the information logs contain the employee's personal information, you should consider disclosing this information to comply with the SAR. However, it may be necessary to redact any information about third parties (eg information about the person whose records were accessed by the employee).
Although you are not specifically processing this for a law enforcement purpose, you are doing so to comply with the logging requirement under section 62 of the DPA 2018. As such, your underlying purpose is for law enforcement. Therefore, you must deal with this element of the SAR under part 3.
Remember – you may need to explain information to people if it's in coded form or not easily understood.
How do we deal with requests for unstructured manual records?
Unstructured personal information is manual information that is not, or is not intended to be, part of a 'filing system'.
You should interpret the term 'filing system' broadly. It can cover the personal information you collect for the law enforcement purposes, if structured according to specific criteria. However, it does not have to include data sheets, specific lists or other search methods.
It is likely that most of the manual information you use for any of the law enforcement purposes will be structured and, therefore, form part of a filing system. In general, unstructured manual information is only likely to include paper records, such as loose written notes or Post-it notes.
Example
Police seize large volumes of paper records to investigate money laundering. This includes notebooks, folders and loose pages. The police store this information in boxes marked with reference numbers that relate to the investigation.
As the information is clearly referenced, linked to a specific investigation and forms part of a filing system, it is not unstructured. This is the case even though some of the documents are loose notes and the police have not yet reviewed the information fully.
If the police receive a SAR for this information, they must deal with it under part 3. However, if the information is not relevant to the investigation, the police should not retain it.
You cannot use part 3 for responding to requests for unstructured manual information obtained for the law enforcement purposes. Instead, you must use the UK GDPR to deal with all requests for unstructured manual information, even if you have obtained it for the law enforcement purposes.
This is because part 3 only covers personal information that:
- is processed wholly or partly by automated means; or
- forms, or is intended to form, part of a filing system.
This means that the part 3 processing regime does not include unstructured manual information obtained for a law enforcement purpose. However, it automatically comes within the scope of the UK GDPR – provided the organisation is a public authority.
Example
Someone makes a SAR to their local authority for "all the information you hold about me".
While searching its records, the authority finds an employee's handwritten notes made to help them in typing up a penalty notice for a criminal offence. The notice was served on the person who made the SAR several weeks ago and required them to pay a fine. The notes contain the person's name and other personal details about them that were not included in the typed-up penalty notice.
As the note is unstructured, the authority cannot consider it under the part 3 SAR regime. Instead, it deals with it under the UK GDPR. However, it also takes into account the fact that the note relates to an ongoing criminal matter. The authority may consider whether the crime and taxation exemption (under the UK GDPR) is relevant.
Further reading – ICO guidance
UK GDPR detailed right of access guidance