July 1, 2026

250724 to the ICO re s.184 & TP SAR

24/07/2025 to the ICO

Subject: Supporting Information – Concerns Regarding Misapplication of Section 184 DPA 2018

Contents

Please find attached a written submission outlining my ongoing concerns regarding the misapplication of Section 184 of the Data Protection Act 2018 by several UK constabularies. Should Essex appeal, the contents may be of assistance.

The document is intended to provide contextual background, references relevant developments and correspondence, and highlights what appears to be a coordinated reluctance among forces to fulfil legitimate Right of Access requests.

My intention is to assist the ICO in its ongoing work and to contribute constructively to any review or clarification of practice in this area. I appreciate the ICO’s efforts to ensure consistency and fairness in data access rights and hope this material may help inform any future sector guidance or case consideration.

Should you require any further information or supporting evidence, I would be happy to provide it.


Case Reference IC-356699-W0G6

Subject: Concerns Regarding Misapplication of Section 184 DPA 2018 and Coordinated
Disclosure Avoidance by Police Forces

To: Information Commissioner’s Office (ICO)

I am writing to express concerns regarding the ongoing misapplication of Section 184 of
the Data Protection Act 2018 (DPA 2018) by several UK constabularies, despite previous
ICO findings supporting my position.

I also wish to draw attention to what appears to be a coordinated approach among certain
police forces to frustrate legitimate Right of Access (RoA) requests, particularly in the
context of insurance-related matters. This submission sets out relevant legal context, key
developments in police disclosure practices, a summary of my interactions with multiple
constabularies, and my concern regarding coordinated obstruction.

Background and Legislative Context

Section 184 of the DPA 2018 makes it an offence to require an individual to make a Subject
Access Request (SAR) for the purpose of obtaining a “relevant record” (as defined in
Schedule 18). However, the scope of “relevant records” is limited to criminal or medical
data.

My position, consistently upheld by the ICO, is that my requests for disclosure of crime and
RTC reports – made under SAR mandates with appropriate consent – do not fall within the
scope of Section 184.


Guidance on enforced subject access:

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual
rights/right-of-access/can-we-force-an-individual-to-make-a-sar/ – no longer valid

Enforced Subject Access: Disclosure of Criminal Convictions

A guide to subject access | ICO


Relevant Developments in Police Disclosure Policy

a. ABI/NPCC MoU (2022)

The 2022 Memorandum of Understanding (MoU) between the Association of British Insurers (ABI) and the National Police Chiefs Council (NPCC), introduced notable changes:

    • Disclosure of crime reports was restricted to ABI members only.
    • Non-ABI members were excluded, though NPCC guidance supported disclosure to them at the constabulary’s discretion.
    • MoU Link

    b. NPCC Guidance on RTC Reports (2023)

    A separate development was NPCC guidance to constabularies concerning RTC (Road Traffic Collision) reports, following an ICO determination suggesting section 170 of the Road Traffic Act may restrict disclosure of names and addresses post-collision.

    Links:

    Use of Subject Access Requests and ICO Support

    Following increasing disclosure refusals from police services and a range of attitudes toward applications, I sought access under the DPA 2018 via third-party Subject Access Requests (TP SARs) using client consent. Notably:

      • In 2018, the ICO supported my position that Section 184 had not been committed: Enforced Subject Access Requests (SAR)
      • In 2023, in case IC-242377-T6S4, the ICO again supported my position after it was claimed my approached fell to enforced SAR by Con1.

      Despite this, in 2024–25 the following occurred:

      • Con2 cited s.184: ICO Case IC-348523-P7J8
      • Con3 cited s.184: ICO Case IC-361864-Q4D2
      • Con4 (Essex) cited s.184 and misinterpreted Schedule 18: ICO Case IC-356699
        W0G6

      Each cited s.184 despite:

      • Clear ICO precedent (2018, 2023)
      • Consistent use of signed consent and proper SAR protocols
      • Evidence that Con1 had acknowledged the legitimacy of SAR and consent-based disclosures

      Additionally, Essex Police (Con4) claimed Schedule 18 extended beyond criminal and medical records (it does not) and referenced liaison with the NPCC, ICO, and “others.” FoIA requests revealed no exchanges between Essex Police and either the ICO or the NPCC. No records of external insurer communication were disclosed.

      Evidence Suggesting Coordinated Approach

      A series of NPCC emails obtained via FoIA shows the following:

        • Concerns were raised about an expected increase in RoA requests due to the MoU
          restrictions.
          Thursday, 24 July 2025
          Page 2 of 4
          Case Reference IC-356699-W0G6
        • Some forces expressed reluctance to process RoA requests citing resourcing and
          cost.
        • A Staffs Police representative suggested obtaining DCC sign-off to cease processing
          such requests entirely.
        • Internal NPCC correspondence (13/07/2023) referred to “RoA abuse,” despite no
          cited evidence.

        Full details and domains disclosed via FoIA.

        These patterns indicate that forces may be working in coordination to restrict RoA access,
        possibly to avoid administrative burdens rather than due to legal necessity.

        Case Developments and Acknowledgements of Error

        16/07/2025: The ICO ruled that no s.184 offence had been committed by me regarding
        Con4.
        16/07/2025: Con2 acknowledged their improper handling of my requests, apologised in
        writing, and admitted:

          • Incorrect use of legislation
          • Baseless accusations of enforced SAR

          This was further confirmed in an FoIA response:

          I stated I knew that Section 177 of DPA 2018 was not the right legislation to refer to… and
          the accusations of enforced SARs was not the right thing for us to do
          ” – source.

          My complaint regarding Con2 (IC-348523-P7J8) is currently under review by Mr Ash at
          the ICO. Con3’s complaint is pending assignment.

          Conclusion and Request for Action

          Despite previous ICO rulings, several constabularies have continued to misapply Section
          184 and Schedule 18 of the DPA 2018. They appear to be working in a harmonised fashion
          to resist RoA requests from insurance representatives, motivated by operational or financial
          concerns. This raises serious concerns about data access rights and equality of treatment.

          Law enforcement alleging criminal conduct is a matter of the utmost seriousness. These
          accusations have not come from uninformed individuals, but from dedicated disclosure
          teams within four separate constabularies – departments whose responsibilities centre on
          interpreting and applying a narrow, well-established set of legal provisions daily.

          Their role demands a sound understanding of relevant legislation, yet each has erroneously
          alleged a breach of Section 184 of the DPA 2018, even though my requests have explicitly
          excluded any data that would qualify as a “relevant record” under Schedule 18.

          Section 184 is brief, clear, and unambiguous in its scope. It is difficult to accept that all four
          constabularies, each with access to legal advisors and senior decision-makers, each request
          being subject to senior management attention, could misinterpret it simultaneously and
          independently.

          I have gone to considerable lengths to assist and clarify, yet their stance has remained
          unchanged. This has resulted in reputational damage, a disregard for my legal rights, and
          in my view, conduct which borders on unlawful behaviour. To date, only one constabulary
          has formally withdrawn the accusation, and I remain unaware of any efforts by the others
          to acknowledge or rectify the potential harm caused.

          Further, although I have been the subject of serious criminal allegations, none of the
          constabularies appear to have followed investigative procedures. By way of examples, no
          formal crime reference has been issued, no investigation initiated, and no notification to the
          ICO has been made regarding the concerns they claim to hold. This selective and
          inconsistent approach raises troubling questions about the legitimacy and intent behind
          their actions.

          I respectfully suggest that it may be appropriate for the ICO to:

            • Investigate potential coordinated avoidance practices that undermine lawful access rights.
            • Reaffirm its interpretation of s.184 and Schedule 18 in relation to third-party SARs with consent.
            • Consider issuing updated sector-wide guidance to ensure consistent understanding across constabularies

            Thank you for your time and consideration.