31/07/2025
To: West Midlands Police
Cc: icocasework icocasework@ico.org.uk
Subject: FW: ICO Guidance – third party SARs – The ABI/NPCC MoU of 2022 and Crime Report Disclosure Prejudice ICO – Case Reference IC-348523-P7J8
I am writing further to our conversation of 16/07/2025, about your constabulary only disclosing crime reports, in accordance with the MoU, to Association of British Insurers (ABI) members; that non-members are not provided the same access, assistance.
Additionally , I comment further upon my response of that date, 16/07/2025.
My understanding, when it comes to the disclosure of information by police, is that the principles of fairness, equality, and transparency are paramount. Treating requests for disclosure differently based on whether the requesters are members of a group or not could undermine these principles and lead to a variety of negative consequences.
The principle of equality before the law is a fundamental aspect of democratic societies. According to this principle, all individuals and groups should be treated equally by law enforcement agencies, without discrimination based on group membership. This ensures no individual or group receives preferential or prejudicial treatment, maintaining the integrity and fairness of law enforcement processes.
Transparency in the operations of the police fosters trust between the community and law enforcement. If police responses to information disclosure requests vary depending on the requester’s group affiliation, it could lead to perceptions of bias or hidden agendas. This could erode public trust, which is crucial for effective policing and community cooperation.
Law enforcement agencies must be accountable to the public they serve. Consistent standards in handling disclosure requests help ensure that police actions can be effectively scrutinized. Inconsistencies in how information is disclosed based on group membership could complicate accountability measures, as it would be more difficult to assess and compare actions taken in similar situations.
Differentiating how information is disclosed to groups versus individuals may violate legal standards concerning competition, discrimination and privacy. Ethically, it is important for police to uphold the rights of all citizens equally. Arbitrary distinctions based on group affiliation could potentially lead to legal challenges and a loss of public confidence in the ethical standards of the police.
Effective law enforcement depends on the cooperation and participation of the public. If certain groups believe they are being treated unfairly in terms of information disclosure, they may be less likely to cooperate with the police. This could hinder investigations and community policing efforts, ultimately affecting overall public safety.
It is therefore crucial for police to treat all requests for disclosure of information with the same criteria, regardless of the requester’s group affiliation.
In this instance, favour is being shown to a group; ABI members. This has a direct effect upon their customers, members of the public who the police serve. In effect your constabulary are saying ‘unless you insure with an ABI member, in the event of a claim (for example theft), we will not assist you or your insurer’.
In a time of increased car theft, reduced recovery and seemingly recovery of components i.e. vehicles damaged beyond repair that still represent a total-loss claim, the public’s reliance upon insurers in increased. The police being unable to ensure a vehicle stolen is returned to the victim promptly in ‘as was’ condition means the victims look to their insurance company.
Aside of monopoly considerations, by your constabulary favouring certain insurers, there appears to be a lack of consideration for the victims – some of whom may have been forced not to utilise an ABI member. This may be because of price, the type of vehicle they own (the press is alive with reports about insurers withdrawing from providing cover to some brands) or the individuals circumstances / antecedents i.e. their occupation or convictions (as examples) may preclude them from utilising a ‘mainstream’ insurer.
Your constabulary is prejudicing the position of these people.
Please ensure the conduct is investigated and stopped without further delay; that all are treated fairly.
Yours is not a common approach to disclosure making it more concerning.
The NPCC ABI guidance is merely a formalisation of the process, supported by the relevant aspects of the data protection act, which includes assurances concerning how ABI members maintain security and meet the standards expected of membership. We and our clients satisfy these too. To suggest otherwise is illogical:
- That ABI members engage with us; we are subject to their rigorous requirements regarding data security – we are expected to put safeguards in place just as the insurer. We are not a ‘weak link’, far from it.
- We act for ABI and non-ABI members. What grounds are there for believing, thinking, that for one group we would act differently regarding the security of data?
- ABI members, non-ABI members and we are subject to the same legislation. Insurers are subject to yet further scrutiny and regulation whether ABI or non-ABI member.
Any company that is not associated with ABI, i.e. not a member, will not come under their structure. However, this does not prevent non-ABI members from data sharing. When requesting information from police forces, the company simply needs to describe the reasons and purposes for the request for information, including any legal proceedings considerations if appropriate. Any receiving police force can then assess and decide on whether to release the information – in every case it is a local risk decision by the receiving force to consider a voluntary disclosure, there no statutory requirements to disclose.
Why has your constabulary applied a blanket block on disclosure to non-ABI members only?
Please confirm this will cease with immediate effect.
‘True Representative’ of the Data Subject
Your remaining objection to our TP Sar requests is a concern that we, a third party, should be acting on behalf of a data subject when fully prepared to represent that data subject beyond simple disclosure to litigation processes in relation to their data subject access rights. However, the links you have sent do not convey this, I have located nothing on line supporting this.
Your position that representing someone as a third party is not just for the purpose of gaining access to their data, as yet to be corroborated such that it would undermine a TP SAR, such as that utilised.
Given the mandate is very specific, why do you believe we are acting on behalf of the data subject, in the best interest of them, as a data subject and as an individual, not just to access the crime report? A SAR does not have to be ‘all encompassing’. For example, it can be time restrictive or exchange related. In this case, the request is very narrow; a crime report, a specific vehicle, from a specific date (last seen).
A recent ICO finding, in addition to the previous I have drawn to your attention, can be found here – https://carcrime.uk/250716-ico-enforced-sar-consent-disclsoure/ . I draw your attention to the finding, specifically:
‘… I am not satisfied that CMA’s right of access request of 10 October 2024 was an “enforced SAR” for the purposes of Section 184 of the Data Protection Act 2018.
The reason for this is that the scope of this request specifically excludes “relevant records.”
And:
‘We have required it to review its handling of this right of access request, and provide CMA with a comprehensive disclosure of any personal data to which it would be entitled.’
The above resulted from the use of a TP SAR mandate as presented to WMP.
TP SAR mandates
During our conversation I explained being keen to assist. If there is indeed concerns about our right to access approach, I asked to be provided phraseology that I can include within the mandates that will satisfy you, that does not go beyond your concerns.
I would appreciate being provided this asap.