Information management

Data protection principles

The General Data Protection Regulations (GDPR) and the Law Enforcement Directive (LED) takes effect from 25th May 2018. Work is currently being carried out to ensure that these regulations are reflected here. In the meantime, further information can be found here.

The data protection principles set out the standards governing the processing of personal data. All chief officers, in their capacity as data controllers, must comply with the principles unless an exemptions applies.


Principle 1 – fair and lawful processing

The first principle tends to be the most significant of the eight principles. It includes detailed conditions that apply to obtaining and processing personal data, and a requirement for lawfulness which necessitates consideration of other legal rules.

The first principle requires that personal data shall be processed lawfully and fairly and in particular should not be processed unless at least one of the conditions in Schedule 2 is met, and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met. It requires the police force to ensure that it has a legitimate basis for processing all personal data. If a police force cannot comply with this principle, the processing is in breach of the DPA.

Lawfully and fairly are not precisely defined in the DPA, although Part 2 of Schedule 1 provides interpretation of fairly in terms of obtaining.

The exemption at DPA section 29(1) provides the police with a useful relief from some requirements of the first principle where it is necessary to prevent or detect crime, or to apprehend or prosecute offenders.

Lawful processing

Personal data must not be processed in contravention of any statute, legal obligation or restriction ‒ to do so would represent unlawful processing and thus breach the first principle. There should be a positive legal justification for the processing.

The power for the police to process personal data can be derived from its policing purpose.

The police may also be subject to other common law, statutory obligations or by order of the court which require or permit certain types of processing.

Where data is processed for a policing purpose, it is likely that the requirements of this element are met. Unlawful processing may arise where the police process personal data is:

  1. beyond or in contravention of their statutory or common law powers (eg, ultra vires), for example, the police sell the names and addresses of burglary victims to companies trying to sell double-glazing
  2. in breach of an obligation of confidentiality, for example, the police publish the names and home addresses of all staff on the internet
  3. in breach of any law or prohibitions, for example
    • the police obtain personal data in contravention of the Regulation of Investigatory Powers Act 2000
    • the police process personal data in contravention of the DPA
    • the police process personal data in a manner which breaches the Article 8 rights of the Human Rights Act 1998
  4. in breach of an enforceable contractual agreement
  5. in a manner where the ‘need to know’ is not established.
Lawful processing ‒ confidentiality

There are circumstances where an obligation of confidence arises between the police and a data subject and to breach that confidence without reasonable justification would be likely to represent unlawful processing.

The obligation of confidence means that the police are restricted from processing the personal data for a purpose other than that for which it was provided unless the:

  • data subject consented to the processing or,
  • processing was required by law or,
  • processing was in the public interest.

The nature of the policing purpose is that either of the latter two grounds are likely to apply where the obligation of confidence needs to be breached to prevent or detect crime, apprehend or prosecute offenders or to protect life.

The Information Commissioner has produced useful guidance on confidentiality as part of a series of a library of good practice guidance designed to help understand and apply the Freedom of Information Act 2000.

Data Protection Act 1998 Schedule 2

The DPA Schedule 2 conditions are relevant for the purposes of the DPA principle 1.

The first principle requires that, in addition to the lawfulness and fairness requirements, personal data must not be processed unless at least one of the conditions in DPA Schedule 2 is met.

The majority of the Schedule 2 (and 3) conditions stipulate that the processing must be necessary for the purpose set out in that particular condition. Forces should consider objectively whether:

  • the purposes for which the data is being processed are valid
  • these purposes can only be achieved by processing the personal data
  • the processing is proportionate to the aim pursued.

Exemptions from the Schedule 2 and 3 conditions include those for national security and domestic purposes – both exemptions also provide relief from other elements of the DPA (see DPA exemptions).

The Schedule 2 conditions stipulate that the processing must be necessary for the purpose set out in that particular condition.

Where forces rely on any of the Schedule 2 conditions under paragraphs 1 to 4, the data subject is unable to claim their right to object to processing under DPA section 10.

The Schedule 2 conditions likely to be of most relevance to the police are examined in more detail below.

Schedule 2 condition 1 ‒ consent

The data subject gives their consent to the processing of their data. Consent must be appropriate to the particular circumstances. Forces may legitimise processing using other conditions and revert to consent in the absence of another condition. Forces must evaluate the adequacy of any consent or purported consent.

Where a data subject does not signify consent to the use of their personal data and is given an opportunity to object to its use, the data controller may rely on another Schedule 2 condition.

No one condition carries more weight than any other, and consent is not particularly easy to achieve and may be withdrawn at any time. The police should attempt to legitimise processing using other conditions and only revert to consent in the absence of another condition.

Consent is not defined in the DPA. It will need to be assessed in the light of the facts. It should be a freely-given, specific and informed indication of the data subject’s wishes where they signify their agreement to their personal data being processed.

Schedule 2 condition 3 – non-contractual legal obligations

Processing must be necessary for compliance with any legal obligation to which the force is subject, other than an obligation imposed by a contract.

Example of Schedule 2 condition 3 ‒ non-contractual legal obligations.

Schedule 2 condition 4 ‒ vital interests

Processing must be necessary in order to protect the vital interests of the data subject.  The ICO places a narrow interpretation on this condition, applying it to life and death situations. However, forces may use this condition where processing of personal data is required in order to prevent harm to an individual.

Example of Schedule 2 condition 4 ‒ vital interests.

Schedule 2 condition 5 ‒ public functions

Personal data can be processed where it is necessary for the:

  • administration of justice
  • exercise of any functions conferred by or under any legislation
  • exercise of any other functions of a public nature exercised in the public interest.

The DPA principles do not define administration of justice, but along with the exercise of any functions conferred by or under any legislation they encompass much police activity such as crime prevention or detection and the apprehension and prosecution of offenders, and the supporting activities that enable this.

Example of Schedule 2 condition 5 ‒ public functions.

Schedule 2 condition 6 ‒ legitimate interests

Data processing must be necessary for the purposes of legitimate interests pursued by the police, third parties or parties to whom the data is disclosed. An exception applies where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

Practitioners should carry out a balancing test to determine whether the legitimate interests of the data subject carry more or less weight than those of the police or third party to whom the personal data is disclosed.

There is no generic balancing test. It may be useful for police forces to identify and quantify the likely harm to the data subject, other individuals, the wider public and the police. This assessment could include contacting the data subject to seek their views on any likely impact, or examining the effects of similar processing operations in the past.

Data Protection Act 1998 Schedule 3

Sensitive personal data can only be processed where at least one of the conditions in DPA Schedule 2 and at least one condition from Schedule 3 are satisfied.

The Schedule 3 conditions likely to be of most relevance to the police are examined in more detail below.

Schedule 3 condition 1 ‒ explicit consent

This provision goes beyond that of consent under Schedule 2 in that in the case of sensitive personal data, the consent has to be explicit.

Forces should consider how they can demonstrate consent is explicit. Where forces rely on this condition, they may wish to ensure it is provided in writing or have some other means to prove that the consent was informed, clear, freely given and unambiguous.

The data subject should be advised of the specific detail and purposes of the processing, a description of their sensitive personal data to be processed, and any special aspects of the processing which may affect them, including any disclosures that may be made of the data.

Schedule 3 condition 3 ‒ vital interests

This condition is wider than Schedule 2 condition 4 – vital interests as it covers processing sensitive personal data of the data subject or another person.

Processing under Schedule 3 condition 3 must be necessary in order to protect the vital interests of the data subject or another person, in a case where consent cannot be given by or on behalf of the data subject, or the data controller cannot reasonably be expected to obtain the consent of the data subject, or consent has been unreasonably withheld.

The ICO places a narrow interpretation on this condition, applying it to life and death situations. However, forces may use this condition where processing of sensitive personal data is required in order to prevent harm to an individual. Consent issues must be considered on a case-by-case basis.

Schedule 3 condition 6 ‒ legal proceedings

This condition allows forces to process sensitive personal data where it is necessary for any of the following purposes:

  • in connection with any legal proceedings (including prospective legal proceedings)
  • obtaining legal advice, or
  • otherwise necessary for establishing, exercising or defending legal rights.

Forces should adopt a narrow interpretation of what is necessary when establishing, exercising or defending legal rights, and rely on another Schedule 3 condition if there is any doubt as to whether it applies. In particular, it should not be used to construct a legal right where none exists.

Schedule 3 condition 7 ‒ public functions

Sensitive personal data can be processed where it is necessary for the:

  • administration of justice
  • exercise of any functions conferred on any person (including a constable) by or under an enactment
  • exercise of any functions of the Crown, a Minister of the Crown or a government department.

The DPA principles do not define administration of justice, but along with the exercise of any functions conferred by or under any legislation they encompasses much police activity such as crime prevention or detection and apprehending and prosecuting offenders, and the supporting activities that enable this.

Schedule 3 condition 10 ‒ additional conditions issued by the secretary of state

Established under Schedule 3 condition 10, Statutory Instrument 2000 No 417 Data Protection (Processing of Sensitive Personal Data) Order 2000 created additional conditions for processing sensitive personal data which are relevant to the police service.

Paragraph 1 allows for such processing where it is:

  • in the substantial public interest
  • necessary to prevent or detect any unlawful act or failure to act
  • carried out without the explicit consent of the data subject being sought so as not to prejudice those purposes.

This condition can only be relied on where there would be a prejudice to the purpose if the data subject was to be informed of the processing and asked to consent.

Paragraph 10 allows for such processing of sensitive personal data where necessary for the exercise of any functions conferred on a constable by any rule of law. This also covers processing by the police in the exercise of their common law powers. Processing must be necessary for activity derived from a specific legal power.

Fair processing

Subject to exemptions, the police must obtain and process personal data fairly.

Any data subject should not be surprised by the police’s use of their personal data. The potential for such surprise will be affected by the data subject’s legitimate expectations.

Members of the public who contact the police would expect that if they reported or witnessed a crime or incident the police would collect their personal data and further process it for those purposes. They would not expect their personal data to be provided automatically in all cases to the media. Those subject to police investigations will have a legitimate expectation that the police will process their personal data for the policing purpose.

The DPA assists with interpreting the fairness requirement of the principle in Schedule 1 Part 2 paragraphs 1 to 3 ‒ termed the fair processing requirements by the Information Commissioner. Compliance with the fair processing requirements will not in itself necessarily ensure fair processing.

Fair processing requirements ‒ obtaining

To determine whether personal data is processed fairly, forces must consider how it was obtained ‒ has the person been deceived or misled as to how their information will be used?

Personal data is considered to have been fairly obtained if it is from a person who is authorised by law to supply it or is required to supply it by, or under, any enactment. This is subject to DPA Schedule 1 Part 1 paragraph 2, which sets out the information which must be provided to data subjects.

Fair processing requirements ‒ fair processing notices

DPA Schedule 1 Part 1 paragraph 2 provides that personal data is not to be treated as processed fairly unless certain specified information is provided to a data subject either verbally or in writing. This can be at the time the personal data is gathered from them or, if it is obtained by another route, either before the relevant time (see DPA Schedule 1 part 2 paragraph 2(2) ) or as soon as practicable thereafter.

Exemptions from providing fair processing notices

It is not always necessary to provide a fair processing notice, however, one must be supplied when requested by an individual.

The two occasions that are exempt are where it:

  • would involve a disproportionate effort (which is not defined in the DPA)
  • is necessary for the police to record the information to be contained in the data, or to disclose the data, to comply with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

Where the police rely on the disproportionate effort condition above, the police force should keep a record of the reasons for the decision. When determining the disproportionate effort, the police will consider factors such as the nature of the data, the length of time and the cost in providing the information, balanced against any prejudicial effect to the data subject.

Police use of fair processing notices

The police will obtain and further process personal data relating to a wide variety of data subjects, including staff, victims, and criminals. Any application of the fairness requirement, including the use of fair processing notices, will need to be adjusted according to the nature of that relationship.

Police forces should ensure that general fair processing notices are provided as and when required:

  • publicly as a leaflet
  • on force websites
  • on footers of all emails.

Forces should provide specific fair processing notices:

  • on police forms and associated policy related to employment or personnel matters, including recruitment, commendations, discipline, personal development plans, payroll, sickness, and contracts
  • on signs for overt CCTV systems operated by the police force
  • on signs for overt ANPR systems
  • to victims of crime in respect of referrals to victim support services
  • where necessary on an ad hoc basis.

Under DPA section 29(1), a fair processing notice may not have to be provided where doing so would likely prejudice preventing or detecting crime, or apprehending or prosecuting offenders.

Police forces are not expected to place fair processing notices on telephone lines that may receive emergency calls (including misdirected ones) because of the associated risk of harm that may be caused through the delay in response to the call.

Principle 2 ‒ notification and compatible use

The second principle requires that forces only obtain personal data for one or more specified and lawful purpose(s) and do not, subject to exemptions,  further process it in any manner incompatible with that purpose or those purposes.

The specified purpose(s) in the second principle may be achieved either through a fair processing notice given by the force to the data subject in accordance with the fair processing requirements, or in a notification given to the Information Commissioner.

Forces must notify the Information Commissioner when they process personal data. Processing must be assessed against all the principles, and the notification should be regarded as a high-level public description of processing that a force may undertake. The police service has adopted a standard notification to ensure corporacy and consistency.

When deciding whether any disclosure of personal data is compatible with the purpose for which the data was obtained, forces should consider the purpose(s) for which the personal data is intended to be processed.

Compatibility may allow that the processing is different although not contradictory or inconsistent with the purposes for which the data was obtained.

If processing is not compatible with the purpose(s), exemptions may still allow for the processing to occur.

Example of compatibility and incompatibility.

Principle 3 ‒ adequate, relevant and not excessive

Personal data must be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed.

Forces must identify the minimum amount of personal data that is required. Forces must regularly monitor compliance with this principle as changes in circumstances or failure to keep the information up to date may mean that personal data that was originally compliant becomes non-compliant.

A necessity test will identify the minimum amount of personal data that is required to achieve the specific purpose(s). Personal data must not be excessive for the purpose for which it is held. If personal data is kept for longer than necessary then it is likely to be both irrelevant and excessive.

Anyone recording personal data must ensure that it is adequate, unambiguous and appropriately worded. Forces should:

  • apply common data standards
  • avoid jargon
  • only use acronyms where it is appropriate to do so
  • take a proportionate approach when recording personal data, meaning they will not hold information on all individuals where that particular item of data type is only relevant in certain individual cases
  • ensure that all personal data processed by the force is sufficient for the purpose(s) for which it is used or likely to be used
  • ensure that personal data is clear in meaning and sufficient for others to understand at all times, taking particular care to ensure that records of investigations are recorded such that subsequent enquirers can understand the context, rationale and outcome of what took place
  • ensure that opinions are distinguishable from matters of fact
  • record sufficient information to ensure that personal data held on police systems relating to one individual cannot be confused with that of another individual with similar details
  • evaluate personal data as to its quality, provenance and reliability.

Principle 4 ‒ accurate and up to date

Personal data must be accurate and, where necessary, kept up to date. Adherence to these requirements and those from principle 3 help ensure that police information has the necessary data quality for operational decision-making and risk management.


Forces must adopt procedures to prevent factual inaccuracies being entered onto force information systems by:

  • ensuring that the source of the personal data is reliable
  • taking steps to verify the personal data if possible with another source or, if reasonable, with the data subject
  • using automatic validation procedures to ensure procedures for data entry and the information system itself do not introduce inaccuracies
  • using constrained fields in computer databases.

Forces should maintain accuracy standards by implementing protection compliance audits, inspections and monitoring. Where there are inaccuracies, forces must take steps to lessen the damage or distress caused to the data subject or any other person.

Keeping data up to date

Keeping data up to date is only required where necessary. The purpose for which data is held or used will be relevant in deciding whether updating the data is required. Where personal data is intended to be used as a historical record or snapshot in time then updating would be inappropriate. Forces may consider appending new information where necessary. When it is decided that data needs to be updated, forces should consider whether:

  • there is a record of when the personal data was recorded or last updated
  • personal data has been updated appropriately
  • out-of-date personal data is likely to prejudice the policing purpose or cause damage or distress to the data subject.

Principle 5 ‒ retention

If personal data is kept for longer than necessary then it is likely to be both irrelevant and excessive.

Personal data processed for any purpose(s) must not be kept for longer than necessary. Forces should regularly review personal data to establish whether it is still required, and dispose of it as necessary. Information asset owners must ensure that review and disposal procedures are adopted for both electronically and manually-held personal data.

Forces should:

  • develop processes to resolve data quality disputes or complaints regarding the retention or otherwise of personal data
  • have a systematic approach that includes the definition of review periods for particular categories of documents or information containing personal data
  • consider certain statutory requirements that may specify required retention periods, or the potential value of some personal data and other information which may suggest further retention for historic purposes
  • maintain a flexible approach towards retention issues which allow them to properly assess individual cases and reach proportionate decisions regarding retention.

Principle 6 ‒ rights of data subjects

Principle six provides a number of data subject rights which must be respected. These include:

  • rights of access to a copy of the information comprised in their personal data (subject access)
  • preventing processing likely to cause damage or distress
  • preventing direct marketing
  • automated decision taking
  • correcting inaccurate personal data
  • compensation
  • requesting assessment by the Information Commissioner.

Forces need to ensure that arrangements are in place to recognise the above rights and that there is close liaison between the various departments to ensure that individual rights are respected. The force DPO must be informed when individuals are exercising their data protection rights. The DPO will ensure:

  • prompt action is taken
  • an assessment is carried out to determine if the request is valid, meets the necessary criteria and the level of compliance required
  • liaison with legal services where appropriate
  • a formal written response is provided within the statutory timescales
  • auditable records are created to evidence the management process
  • organisational learning occurs.

Any person may directly request the Information Commissioner to make an assessment of the data controllers’ processing, if they believe they are affected by the processing of personal data by a force. This may lead to the Information Commissioner taking enforcement action.

Where the appeals process relates to the use of the exemption under DPA section 28 (national security) the force should contact the ACPO director of information.

Subject access

Personal data must be processed in accordance with the rights of the data subject. Subject to exemptions (DPA section 7) individuals have a right of access to their personal data processed by a data controller – a process known as subject access. Subject access is a statutory right that forces must accommodate and should not be seen as an alternative or replacement for routine disclosures. Where personal data forms part of a document, the subject right is only on the personal data, and not the document itself. It may, therefore, be necessary to extract the information from the document and reproduce it into another Word document or spreadsheet. This should be determined on a case-by-case basis and could be necessary where, for example, the disclosure of an intelligence record or part of a record or memo would reveal only a small amount of data that is considered to be the subject’s personal data.

This process will also allow the practitioner not to reveal the extent of any redaction.

In some instances it might be more appropriate and easier for the data controller to provide the actual document.

Following a valid request, an individual is entitled to be:

  • informed of whether their personal data is being processed by a force and, if so, to be given a description of
    • the personal data
    • the purposes for which they are being processed
    • those to whom they are or may be disclosed
  • given a copy of any personal data held and, where necessary, this information
    • must be a permanent copy of the data unless doing so would involve disproportionate effort or the individual agrees otherwise
    • must be in an intelligible form explained to the individual
  • given details of the source of the data, if available ‒ the data controller is not obliged to disclose this information where the source of the data is, or can be identified as, an individual.
Managing subject access requests

Forces must ensure that there is a link on their public-facing website to the ACRO website. Forces should also publish the template subject access form (SA2) for non PNC data, on their public-facing websites and/or have the templates available on request and ensure that arrangements are in place to recognise subject access requests (SARs) that may be made via other routes, for example, complaints departments (or equivalent).

Single requests for both FOIA and DPA data must be coordinated.

Types of subject access requests

Subject access requests are initially assessed against the DPA subject access provisions. If the request is unsatisfactory, the requestor must be advised accordingly and as soon as possible. Subject access requests can be divided into two categories.

  1. PNC – these requests are carried out by ACRO in accordance with the ACPO, ACRO Data Processing Agreement.
  2. Non-PNC – these requests are carried out by forces. Where these requests involve data sourced or in operational use by another force, the request should be considered in liaison with those forces prior to response.

Officers and staff should encourage requestors to apply to the force where they reside or most recently resided. They should direct requests for personal data held or processed by a particular force to that force in a timely manner. Forces should keep requestors up to date on the progress of their applications as necessary.

Validating requests

A valid data subject access request must be:

  • in writing – with reasonable information to allow the force to locate the personal data. Forces cannot compel applicants to use the subject access templates.
  • accompanied by the required fee (£10) – forces must charge a standard fee, subject to the statutory maximum. Where a single request is made for personal data that is held on both the PNC and non-PNC, forces can charge only one fee.
  • subject to validation of the applicant’s identity.
Finding and retrieving relevant information

Extensive efforts should be made to find and retrieve the requested information as soon as the application is received. This may include contact with the relevant business area lead to identify the data and any prejudice in its disclosure. This process should be auditable and the decisions and rationales should be recorded. Any decision on these matters should reflect the right of the subject and the requirement to respond within the statutory timescale.

Forces are not required to do things that would be unreasonable or disproportionate to the importance of providing subject access to the information.

Forces must consider all personal data in their possession when they receive a subject access request, irrespective of where that personal data originated from. Forces may write to the provider of the information to ask formally for their views on disclosure of any personal data to the requestor. This correspondence could indicate that unless an objection was received before the end of the 40-day deadline, the police force may disclose the personal data sought. The final decision on disclosure rests with the force receiving the subject access request.

Any personal data produced from a search, relating to the requestor, must be scrutinised by relevant staff (normally by the information system owner, data protection officer and others as necessary).

Further clarification of the request

Before responding to a subject access request, forces may ask the requester for further information to find the data in question. Forces need not comply with the request until this has been received. Officers should not delay responding to a request unless further information is required to help them find the data in question.

Clarification may include:

  • time periods
  • emails between certain people
  • location/storage.
Routine amendment and deliberate destruction

The information supplied in response to a subject access request must reflect the personal data held at the time the request was accepted by the police force. However, forces may take account of any routine amendment or deletion made between receiving and responding to a request, provided that it had not been made as a result of receiving the request.

Under FOIA section 77, it is an offence for a force to alter, deface, block, erase, destroy or conceal information and personal data sought under the subject access and FOIA, if it is done with the intention of preventing the disclosure of all or part of the information and personal data sought.

Withdrawal and requests

Where a subject access request is withdrawn, forces are encouraged to obtain confirmation of the withdrawal in writing.

Circumstances when information and personal data may be withheld

Access to personal data sought under the subject access process may be withheld in the following circumstances:

  • third-party personal data
  • disproportionate effort
  • subject access exemption.

There may also be statutory obligations that further restrict the disclosure of personal data.

Third-party personal data

Forces may not be obliged to disclose data relating to someone other than the requestor. Due regard has to be given to a balance of interest of those concerned. It may be appropriate to disclose:

  • the staff name or other identifiers, where they are acting in an overt professional capacity
  • a statement or a transcript of a 999 call provided by the requestor where they refer to third parties (and these are their spoken words).
Disproportionate effort

Where disproportionate effort is appropriately claimed, the force will be required to look for alternative means to supply access to the personal data. The following factors will be considered as part of any deliberations on disproportionate effort:

  • information/assistance the requestor has provided to identify the personal data
  • what a reasonable person would believe to be a reasonable amount of effort
  • extraction/redaction time needed, depending on the complexity of the information and the manner in which it is stored. For example, the request for personal data is contained on an old computer system. The system is such that the information can only be viewed on screen and cannot be exported or printed.
Subject access exemptions

There are a number of exemptions within the DPA that recognise that there may be a public interest in withholding personal data sought under subject access. Exemptions must only be used on a case-by-case basis, to the extent necessary, and not as a blanket to withhold all the information captured. When an exemption is applied and personal data is not disclosed under the subject access process, forces should record the reasons for applying the exemption, in case it is necessary to defend the force’s position to the Information Commissioner.

The exemptions provided under the DPA, as outlined below, are commonly used by the police service for subject access.

National security

Forces are allowed to withhold personal data sought under subject access for the purpose of safeguarding national security. The DPA section 28 exemption is not restricted to non-disclosure under subject access, but also applies to most of the DPA where necessary, to protect processing for national security purposes.

When a force is considering whether a DPA section 28(1) applies, it may decide that a DPA section 29(1) also applies. In which case it may be content to rely on the DPA section 29(1) exemption.

The force must ensure that the DPO contacts the ACPO director of information before responding to such requests. A certificate signed by a Minister of the Crown, certifying that the use of the DPA section 28(1) exemption is required for the purpose of safeguarding national security, must be conclusive evidence of that fact.

In the event of any appeal against the disclosure decision, the ACPO director of information must be informed immediately to issue further guidance. Throughout the above procedure, personal data should only be processed where absolutely necessary.

Examples of national security exemptions.

Crime and taxation

The police are allowed to withhold personal data sought under subject access where disclosure would be likely to prejudice the prevention or detection of crime, apprehension or prosecution of offenders.

When an applicant has requested access to information that is still part of an ongoing police investigation or criminal investigation into alleged criminal activity, it is recommended that the practitioner contacts the officer in charge and/or the Crown Prosecution Service (CPS) to advise of the subject access request and discuss the degree of prejudice and engaging the exemption. In cases where the personal data has been released to the requestor through disclosure under the Criminal Procedure and Investigations Act 1996 or any rule of law, it is unlikely that the exemption would apply.

Where a case has been no further actioned or undetected, consideration should be given to the likelihood of the case being reopened, and the potential for prejudice to proceedings through a disclosure under subject access.

Examples of crime and taxation exemptions.

Health, education and social work

An exemption can be applied [The Data Protection (Subject Access Modification) (Health) Order 2000] to personal data if disclosure is likely to cause serious harm to the physical or mental health of the applicant or another individual. This exemption cannot be applied where the personal data is already known to the data subject.

Before deciding if this exemption applies, forces must consult the health professional responsible for the clinical care of the requestor or, if there is more than one, the most suitable available health professional. Forces should record any refusal by the health professional to engage in the process(es).

An exemption can also be applied where a third party is making the request on behalf of the requestor, and the requestor does not wish that information to be disclosed to the third party.

In view of the sensitivity of personal data relating to a requestor’s health, forces may wish to ensure that it is disclosed directly from the health professional to the requestor. Alternatively, it could be given to those handling the subject access request in a sealed envelope for onward transmission to the applicant.

An exemption under The Data Protection (Subject Access Modification) (Health) Order 2000 could be considered where disclosure could cause serious harm to the physical or mental health of an individual.

Forces must be cautious when an applicant requests access to:

  • their personal data without knowing the full scale of the information held ‒ practitioners must assess the impact of the disclosure on the mental health of the applicant and liaise as necessary with medical practitioners
  • injury photos or CCTV of an assault where the applicant was a victim ‒ practitioners should discuss the impact with the officer in charge and medical practitioners, if necessary.

Examples of health, safety and social work exemptions.

Regulatory activity

Forces can withhold personal data sought under subject access where disclosure would prejudice regulatory activity conducted by the force, eg, internal investigations into dishonesty, malpractice or other serious improper conduct by police officers and special constables.

Example of regulatory activity exemption.

Manual data held by public authorities

Category (e) data (any other data recorded by a public authority) is exempt from subject access if it is held in an unstructured manual file and relates to appointments, removals, pay, discipline, or other personnel matters in relation to service in any office or employment under the Crown or under any public authority.

If a subject access request is received for category (e) data, the practitioner should consider:

  • if the applicant has specified or given a description of the data
  • if the FOI fees regulations can be applied
  • if the request for personnel information will engage section 33A.
Appropriate fees limit (unstructured personal data)

If the estimated cost of complying with a subject access request would exceed the appropriate fee limit, an exemption may apply. This is currently set at £450 or a total of 18 hours’ work. The exemption does not cover the need to inform the requestor whether their personal data is being processed unless to do so alone would exceed the appropriate fees limit.

Example of appropriate fees limit exemption.

Miscellaneous exemptions

Within DPA Schedule 7 there are a number of exemptions which could apply to a SAR. These include:

  • confidential references given by a force in relation to education, employment or provision of services
  • personal data consisting of records of the data controller’s intentions in relation to negotiations with the data subject
  • personal data in respect of which legal professional privilege could be claimed. Legal opinion provided by the CPS may not be covered by this exemption.

Examples of miscellaneous exemptions.

Responding to requests

When a request has been received and processed, forces must reply to the requestor within 40 calendar days, even if the force does not hold the personal data or relies on an exemption. The transmission must be via secure means and forces must take appropriate measures that reflect the sensitivity of the information being disclosed. Where the 40-day statutory period cannot be met, forces should contact the requestor to advise them of the delay.

All personal data provided must be in permanent form, and be legible to the requestor.  If it cannot be fully transcribed into an intelligible format, an explanation must be given.

Generally, responses to requestors will either be full/partial disclosures or all exempt/nothing held.

Full/partial (eg, some exempt) disclosure ‒ from the personal details supplied in the request, forces must enclose the information the chief officer is required to supply under the provisions of the DPA.

All exempt/nothing held ‒ from the personal details supplied in the request, there is no information the chief officer is required to supply to the requestor under the provisions of the DPA.

All responses should be sent directly to the applicant’s home address, unless otherwise requested by the applicant.

Information other than personal data

Where forces retrieve personal data for disclosure to a subject access requestor, that personal data may also include information that is not the requestor’s personal data. This other information may be disclosed to the requestor. Forces must recognise that this represents a provision of information beyond that required by the DPA. Forces should consider including a disclaimer.

Fast track

Forces should only fast track requests in exceptional circumstances. For example, for the requester to attend a funeral, where delay may cause the requestor significant financial loss, in the event of a short-notice employment offer, or where the force considers the requestor to have an exceptional and genuine reason through no fault of their own.

Criminal Procedure and Investigations Act 1996

Where a subject access request results in the disclosure of copies of intelligence, crime files or prosecution files, forces should ensure that a record of or reference to that disclosure is available with the original documentation.

Retention and deletion

Information generated by a subject access request should only be retained for as long as is necessary (national retention schedule). Where circumstances suggest a longer retention, forces should consider whether the:

  • force’s handling of the request has been, or is likely to be, subject to complaint
  • request is high profile in nature
  • request involved the use of unusual exemptions.
Enforced subject access

The DPA section 56 makes it an offence for a third party to require an individual to use subject access where the information sought is required by the third party in connection with employment purposes or the provision of services, and where the information would reveal prior conviction or caution details.

Updating force records from subject access requests

Where forces receive subject access requests from persons of interest to them for a policing purpose, they should consider, on a case-by-case basis, using information contained in the request to update or augment existing records or to create new records in accordance with national standards. For example, a new address, telephone number or bank details will be useful for updating intelligence records.

Updates to the PNC will be carried out by ACRO following a subject access application.

Multiple/duplicate previous subject access request

At times a force may receive a subject access request from an individual who has made a previous subject access request. Forces should have procedures to identify multiple or duplicate subject access requests. Forces should consider:

  1. Is the subject access request a multiple/duplicate previous subject access request?
  2. Is the subject access request an entirely new request?

If the SAR is a duplicate request, forces should return the fee. The force is obliged to provide only a single, intelligible and permanent copy of an applicant’s personal data. The reply should provide the reference number, received and responded to dates of the original SAR and a list of the personal data provided. If additions or amendments have been made since the original SAR, the relevant data should be considered for release. Fees for providing any additional copies are outlined in NPCC (2015) National Policing Guidelines on Charging for Police Services.

If the request is for access to personal data processed since the previous application, this should be treated as a new subject access request rather than as a continuance of the original subject access request. Only information that has been obtained or amended since the initial disclosure needs to be considered for disclosure in this second request.

Subject access requests from members of staff

Subject access requests may be received from existing or ex-members of staff requesting access to information in relation to a grievance, employment tribunal or personal injury claim. The applicant might be seeking to access their personnel file or other personal data.

An existing member of staff could be referred to the appropriate department, for example, HR or legal services. However, if the applicant is adamant that they want to submit a subject access request then it should be processed accordingly.

Once a formal subject access request has been received from either an existing or ex-member of staff, the force must ensure that the applicant is afforded the same rights as any other applicant.

Forces should ensure that disclosure is completed even if released previously under other legislation or processes.

Requests for additional information

After completing a subject access request, the applicant may contact the force to make a request to access additional personal data. The time period and the waiver of an additional fee will be at the discretion of the force.

Additional subject access requests should be received within a reasonable time period, for example, six to eight weeks after the force has closed the initial request. No additional payment would be required.

The additional request is not considered to be part of the original request and, therefore, is not subject to the same statutory deadlines. However, the practitioner should respond to these in a reasonable and timely manner to avoid delay.

An additional subject access request does not include a request to access personal data that has been created or obtained by the force since the date of the original request. It would be reasonable for the practitioner to consider advising the data subject that they will need to make a further subject access request and pay an additional fee.

Failed job applicants

An individual who has applied to join the force or has failed the vetting process and is not permitted on site may make a subject access request to find out why. Forces may need to redact disclosures or apply exemptions. The DPO should work with the appropriate departments to provide the correct response.

If references have been provided by an external organisation, the force will need to obtain either consent or objections to disclosure. If objections are raised, these will need to be considered under any exemptions. When contacting the organisation a copy of the reference, consent/objections form, self-addressed envelope and date to respond by needs to be included. The organisation should be informed that if a response is not received by that date then the assumption is that there are no objections.

Joint applications

If a request is received from an individual who requests access to information about them and another (eg, partner) the practitioner shall advise the applicant whether it is appropriate to gain access to personal data under DPA section 35(2) or DPA section 7. The practitioner should advise the applicant of the constraints around the release of third-party material unless consent is forthcoming concerning the other party.

A parent may make a request on behalf of their child. If it is not clear on the application, the DPO should contact the applicant to discuss the child’s age and mental capacity to establish if they can make their own request. Children older than 12 with no learning difficulties or mental health difficulties need to make their own subject access requests.

The DPO should also establish parental responsibility using a birth certificate, adoption form or other legal document.

Non-specific applications

Applications that request access to all the information held or applicant’s records are unlikely to be valid requests under the DPA section 7. Forces should seek more detail to identify how, where and possibly when the applicant would have come into contact with the force. If no further information is forthcoming from the applicant, forces may wish to consider searching:

  • PNC
  • crime system
  • custody system
  • CAD, events, incident systems
  • domestic abuse systems
  • family protection systems
  • complaints systems
  • stop and search records.

There are a number of considerations to be made when a suspect access request is received.

  • How can the practitioner be confident that on any ANPR hit the registered owner is the driver at that time?
  • Were there any ANPR hits by covert cameras?
  • Will releasing the information prejudice any ongoing policing operation involving the vehicle or applicant?

The applicant will need to provide photo ID as part of their application for comparing with the ANPR photo. The ANPR photo can be compared with the photo ID. Once a positive comparison is made, forces can consider and disclose it under DPA section 7.

The ANPR back office facility (BOF) will record the camera upon which the hit was made. The department responsible for ANPR should identify if it was covert or not. If it was covert and disclosure would prejudice an ongoing police operation, forces need to consider applying exemption the section 29(1) exemption. If the applicant was hit by a covert camera but was not part of an operation, disclosure would not prejudice the operation.

If the force intelligence bureau believes that disclosure would prejudice an ongoing police operation, consideration needs to be given to applying exemption section 29(1).

Prior to any disclosure, the practitioner could consider extracting the personal data from the BOF into a separate document, rather than providing a print direct from the BOF.

Fee waiving

There is no obligation for a force to waive the £10 fee levied under DPA section 7. Forces should consider when fees can be waived. This may be when the application has been misplaced by the constabulary or if information is provided under DPA section 7 as part of a complaint.


When personal data from CCTV systems is requested and the footage relates solely to the applicant, supplying it is relatively straightforward. Where the footage contains images of other parties, forces can often be faced with the technicalities, resource implications and costs of redacting such third-party images. As a consequence, forces have tended to rely on disproportionate effort exemptions to avoid these issues.

This exemption should only be applied in the most exceptional of cases. Where it is unduly onerous to edit, blur or redact third-party images before supplying the data, forces should encourage the applicant to attend the police station to view the footage. Officers should make efforts to physically cover the screen to protect any detrimental third-party disclosure. Where this is not possible, a careful case-by-case assessment should be made to determine how unfair the intrusion is into the privacy of the other parties.

Forces should be mindful that if they edit/pixelate footage for viewing, it will difficult to later rely on DPA section 8(2)(a) to prevent release of a permanent copy to the applicant as, to a certain extent, the costs, resources and time taken to blur the third parties may have already been expended.

Undetected crime reports

When receiving requests for access to crime reports, forces should consider whether the crime is under investigation or could be reopened.

It is recommended that the practitioner considers applying the DPA section 29(1) exemption to withhold specify detailed reasons why charges are not brought or the case has been no further actioned.

Right to prevent processing likely to cause damage or distress

An individual has a right to require that a force does not process their personal data in a manner that causes or is likely to cause unwarranted substantial damage or substantial distress to themselves or another person. This is known as a data subject notice or section 10 notice. Forces must issue a response to such a notice within 21 calendar days.

The processing may be legitimate under DPA section 10(2)(a), where any of the conditions in DPA paragraphs 1 to 4 of Schedule 2 are met.

The condition most likely to apply to the police is paragraph 3 of Schedule 2. The processing is necessary for compliance with any legal obligation to which the data controller is subject. This applies to policing information that is still required in order to allow chief officers to carry out their statutory obligations.

This right to serve a data subject notice applies whether the individual objects to the processing taking place at all, or whether the objection relates specifically to processing for a particular purpose or in a particular way.

Preventing direct marketing

Subject to certain exemptions, an individual has the absolute right to request in writing that a police force stops within a reasonable time, or does not start, using their personal data for direct marketing purposes. This includes the communication by any means (eg, mail, email, telephone, door-to-door canvassing) of any advertising or marketing material directed at particular individuals. Forces must issue a response to such a request within 21 calendar days.

The DPO should have regard to this right as there will be circumstances where it can apply in the policing context, eg, crime prevention advice and services and staff offers.

In the unlikely event that such a request is received, it will be forwarded as soon as possible upon receipt to the DPO to coordinate the response.

Automated decision taking

Subject to certain exemptions, an individual has the right to require that a force ensures no decision that would significantly affect them is taken by the force or on its behalf purely using automated decision-making software. The right must be exercised in writing. If there is a human element involved in the decision making, the right does not apply. A response must be issued within 21 calendar days.

Automated decision taking may include:

  • issuing a court summons to a person recorded as a vehicle keeper with the DVLA, on the basis of a safety camera reading without any further investigation or intervention
  • filtering job applicants using psychometric testing scores without any subsequent human analysis.

The DPA provides for the exemption from such provisions of certain decisions reached in this way. These are called exempt decisions.


Any claim for compensation arising from this provision will be forwarded to the force’s legal services department (or equivalent).

Examples of breaches that have led to compensation claims.

Correcting inaccurate personal data

A data subject has the right to seek a court order for the rectification, blocking, erasure or destruction of inaccurate personal data processed by a force.

On initial application by the data subject to correct inaccurate data, and before any approach to a court for such an order, the force should proactively address any issues identified for which there are justifiable grounds for correction.

Requesting an assessment from the Information Commissioner

A person can request the Information Commissioner to make an assessment, if they believe that they are affected by the processing of personal data by a force. Requests could lead to the Information Commissioner serving enforcement notices, information notices, and special information notices on forces.

Complaints and resolutions

The DPO must coordinate the response to complaints and disputes regarding force processing of personal data. The following should be considered:

  • complaints should be made in writing to the DPO as the initial point of contact
  • forces should offer the complainant assistance in writing the letter
  • the DPO should ensure that the identity of the complainant is valid
  • the DPO should ensure that a formal process is in place with the professional standards department and other relevant departments in order to establish who will handle the dispute
  • data subject rights.

Where the complaint relates to:

  • personal data owned by another force or organisation – the dispute should be directed to that force or organisation’s DPO
  • information released as part of a Disclosure and Barring Service (DBS) enquiry – the complainant should be directed to the DBS complaints procedure
  • allegations of arrest/conviction information – consideration should be given to taking elimination fingerprints to prove/disprove whether the complainant was the person originally arrested/convicted
  • historic information held on the PNC – the person handling the dispute should consider requesting microfiche, where available, from ACRO
  • personal data processed on an information system – the matter should be referred to the information asset owner.

The DPO must attempt to identify any complaint patterns and trends that may indicate that remedial action is required – for example, the provision of further training, guidance or audit.

A DPO must have a process in place for managing subject access appeals and complaints. The process(es) may take the form of an internal review procedure, followed by referral to the Information Commissioner.

Principle 7 – security and protective measures

Forces must take technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Responsibility for information security issues rests with force security boards or equivalent, and day-to-day responsibility normally lies with the force information security officer (ISO). However, DPOs have a responsibility to advise on the legal requirements and must be consulted on matters relating to personal data.

The seventh principle places obligations upon forces that use data processors to carry out tasks on their behalf involving the use of personal data. Forces must choose a data processor that provides sufficient guarantees (technical and organisational security measures). Forces must ensure that the:

  • processing by the data processor is carried out under a contract (known as a data processing contract) whereby the data processor is to act only on instructions from the force
  • data processing contract requires the data processor to comply with obligations equivalent to those imposed on the chief officer by the seventh data protection principle
  • data processor notifies the Information Commissioner, where necessary.
Data processing contract

Forces must ensure that data processing contracts are developed where required. Data processing contracts will specify what the data processor is and is not permitted to do and will usually cover some/or all of the following:

  • collection
  • use and disclosure
  • security
  • staff training
  • vetting of staff
  • confidentiality agreements
  • weeding/retention/disposal
  • subject access and freedom of information provisions
  • audit/inspection of data processor by the force
  • indemnity.

The DPOs will provide advice and guidance to the force in choosing data processors. The DPO will liaise with contracts and supplies departments to identify occasions where procurement contracts involve access to police information assets or premises in order to ensure appropriate terms and conditions are included in the contract. Many contracts require bespoke terms and conditions.

Where forces identify that a data processor is carrying out similar processing for other forces, they must inform the data protection portfolio group. If it processes personal data outside the EEA, the eighth principle will apply.

Forces should ensure that there are monitoring arrangements in place during the life of the contract and on its conclusion a review to ensure that the terms and conditions have been met. This will include arrangements for any breach of the contract, such as data breaches.

Data protection/information system operating rules

Information asset owners must document how information systems containing personal data under their responsibility will be operated in accordance with the DPA. Data protection operating rules or information system operating rules will set out standards, policies and procedures to ensure that fair and lawful processing, disclosure, data quality review, retention and disposal, training, security – as required by the principle – are appropriately dealt with.

Forces must prioritise the review, or creation of data protection/information system operating rules for those information systems containing the most sensitive and operationally impactive information and personal data.

Once completed, the data protection/information system operating rules will be made available to the DPO and all users of the information system, as part of their system training.

Data protection/information system operating rules should be:

  • developed in accordance with the DPA principles by those responsible for developing RMADSs for those systems
  • closely related to security operating procedures (SyOPs) – SyOPs provide the rules by which information systems and services must be operated.
Security of personal data in decommissioned police premises

DPOs will need to ensure that where a force vacates premises, appropriate measures are in place to manage the disposal or removal of personal data and other information assets, whether in digital or hard copy. The measures should form part of the overall decommissioning process(es) and should involve:

  • removing all IT equipment to secure premises and, where necessary, overwriting digital data in accordance with relevant information assurance standards and policy
  • removing all documents, posters, signs and, where necessary, transferring them securely or disposing of them in accordance with relevant information assurance standards and policy
  • a police search adviser (PolSA) to ensure that no personal data or information assets remain at the premises being decommissioned.

Principle 8 – transfer outside the European Economic Area

Personal data must not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects, in relation to processing their personal data.

Forces may transfer personal data to UK government facilities such as embassies or consulates – these are considered to be UK territory and, therefore, are not transfers beyond the EEA.

The DPO should have regard to this principle as there will be circumstances where it can apply in forces, eg, where third parties are used to process data outside the EEA or individuals on overseas enquiries.

Schedule 4 of the DPA sets out a list of circumstances where the eighth principle does not apply. These exemptions cover instances where forces are likely to transfer personal data beyond the EEA. In addition, DPA section 28 provides an exemption from the eighth principle where the application of the exemption is necessary to safeguard national security. The eighth principle is unlikely to present a barrier to operational policing. When considering transfers or personal data outside the EEA, forces should adopt a four-stage response:

  • Stage 1 – ensure the other seven principles are being complied with before moving onto stage 2.
  • Stage 2 – identify whether a Schedule 4 condition applies – where it does not apply, forces should move to stage 3. Where it does apply then DPA Principle 8 does not need to be considered.
  • Stage 3 – ensure that the EEA and the circumstances surrounding the transfer provide the data an adequate level of protection ‒ where adequacy is satisfied the transfer is not precluded by the eighth principle, where it is not then forces should move to stage 4.
  • Stage 4 – consider whether contractual conditions can be applied to the transfer in order to help safeguard the personal data ‒ where contractual conditions can be made, the transfer is not precluded by the eighth principle.

Page last accessed 22 July 2019