Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you which guidance will be updated and when this will happen.
Subject access request self serve
1. What is your question about?
Refusing a request or withholding information
2. What is your question?
Can I refuse a request if some of the information relates to a criminal investigation?
The following information might help answer your question
There are two parts to this exemption. Firstly, personal data processed for crime and taxation-related purposes is exempt from the right of access. These purposes are:
- the prevention or detection of crime;
- the apprehension or prosecution of offenders; or
- the assessment or collection of a tax or duty or an imposition of a similar nature.
However, the exemption applies only to the extent that complying with a SAR is likely to prejudice the crime and taxation purposes set out above. You need to judge whether or not this is likely in each case. You should not use the exemption to justify denying access to whole categories of personal data, if its disclosure is unlikely to prejudice the crime and taxation purposes.
Example
A bank conducts an investigation into one of their customers for suspected financial fraud. During their investigation, the bank receives a subject access request for all of the personal data they hold from the customer in question. The bank decides that they will withhold information about the investigation, because it would be likely to prejudice the investigation as the individual may abscond or destroy evidence. However, the bank is able to provide other information in response to the request which would not prejudice the investigation (for example the individual’s account details and transactions).
The second part of this exemption applies when another controller obtains personal data processed for any of the reasons mentioned above for the purposes of discharging statutory functions. The controller that obtains the personal data is exempt from complying with a SAR to the same extent that the original controller was exempt.
Note that if you are a competent authority processing personal data for law enforcement purposes (eg the police conducting a criminal investigation), your processing is subject to the rules of Part 3 of the DPA 2018. See our guidance on law enforcement processing for information on how individual rights may be restricted when competent authorities process personal data for law enforcement purposes. If you are an intelligence service under Part 4 of the DPA 2018, please see our guidance on intelligence services processing.