251204 to the ICO – Further Review Request

04/12/2025
Sent: 04 December 2025 20:03
To: ‘icocasework’ icocasework@ico.org.uk
Subject: RE: ICO Case Reference: IC-356699-W0G6

Subject: Request for Further Review – Case Reference IC-356699-W0G6

Contents

Thank you for your recent correspondence in which the ICO reversed its earlier finding of 16 July 2025 concerning my subject access request (SAR) submitted on behalf of Mr [redacted] the data subject. I understand that the review followed representations from Essex Police, but the new position appears to have disregarded material issues, relied on assumptions inconsistent with the ICO’s own guidance, and left unresolved a serious allegation of a criminal offence made against me.

Given the potential impact on data subjects, insurers, professional representatives and the wider public, I respectfully request a further review, or, alternatively, a fully reasoned and detailed clarification addressing the concerns set out below.

Section 184 DPA 2018 – the unresolved allegation of criminality

Essex Police explicitly accused me of committing an offence under s.184 DPA 2018 (“enforced subject access”). This allegation remains on record; Essex Police have not withdrawn it or apologised, and the ICO’s review decision does not address it.

Your earlier letter of 16 July 2025 concluded that my SAR did not amount to an enforced SAR because it expressly excluded “relevant records” within the meaning of s.184. That conclusion has not been reversed, explained, or revisited.

I therefore ask for explicit confirmation:

  1. Does the ICO maintain its earlier position that the SAR did not breach s.184 DPA 2018 because relevant records were specifically excluded?
  2. If so, will the ICO direct Essex Police to correct their allegation and acknowledge that the accusation of criminality was unfounded?
  3. If not, please explain how the statutory criteria in s.184(1)–(3) are said to be met in this case, with reference to ICO guidance and the wording of my request.

It is inherently unfair for a criminal allegation made by a police force against a data-protection professional to be left unaddressed.

Third-party SARs – inconsistency with ICO guidance

Your review decision asserts that [loss adjuster] is “not the appropriate party” to make a SAR on behalf of a data subject, and that SARs are “not designed to support insurance claims”.

This position appears inconsistent with:

  • ICO’s Guide to Subject Access, which explicitly states that individuals may authorise any representative, including commercial actors, to make a SAR on their behalf;
  • ICO’s guidance Asking someone to act on your behalf, which states that organisations should generally accept properly authorised representatives;
  • Common practice in the health, legal and employment sectors, where solicitors and other commercial representatives routinely make SARs on behalf of clients for insurance, litigation or financial purposes.

Commercial interest does not invalidate representation. Solicitors, unions, advisers, charities and private adjusters all operate in contexts involving aligned but not identical interests.

I therefore request:

  1. Your explanation of the legal basis upon which [loss adjuster] is deemed “not appropriate”, when other commercial representatives are accepted;
  2. Clarification of how the ICO’s position aligns with its own published guidance.

Purpose of SARs – use in insurance contexts

A SAR may be used for any purpose chosen by the data subject. Article 15 UK GDPR does not restrict it to specific contexts.

ICO has previously cautioned insurers themselves against using SARs to obtain wholesale records, especially medical data. That rationale is not applicable here. The data subject, not the insurer, is exercising rights (via an authorised representative).

This distinction is central. If the ICO now considers that SARs may not be exercised where the purpose is to progress an insurance claim, this represents a significant policy shift with consequences for claimants, solicitors and litigation more broadly.

  1. Please confirm whether this is in fact the ICO’s position, and if so, the statutory foundation for it.

Consent – assertions without factual basis

Your review decision states that consent to [loss adjuster] cannot be considered freely given where the individual is:

  • “told this is required for the claim to be processed,” or
  • “feels obliged to agree”.

There is no evidence of either.

[loss adjuster] documentation states that:

  • consent can be withdrawn at any time;
  • refusal does not affect the claim outcome;
  • the SAR route is purely optional;
  • it exists solely to accelerate disclosure for victims.
  • It does NOT extend to criminal or health records

If the ICO believes consent is problematic, please identify:

  1. The specific wording in [loss adjuster’s] documentation giving rise to this concern;
  2. How this is consistent with ICO guidance permitting third-party representation and
  3. why you believe reference to health & criminal records is fitting, necessary.

“Alternative routes” and the problem of fees

Your decision relies on the existence of “more appropriate routes” (e.g. A98b-type processes).

However:

  • These routes are discretionary, non-statutory and can be withdrawn.
  • They impose fees (often substantial), whereas SARs are free.
  • They lack the statutory one-month time limit.
  • They lack the right to complain to the ICO about delay or refusal.
  • Not all forces offer them.

Treating the existence of a fee-bearing discretionary route as grounds to displace statutory rights undermines Article 15 and risks inconsistency and unequal treatment of victims.

I therefore ask:

  1. What is the legal basis for the ICO’s reliance on these routes?
  2. What equality and fairness considerations have been taken into account?

Personal data vs non-personal data – lack of clarity

Your decision states that parts of the request concern “non-personal data” yet does not identify which parts.

ICO guidance, case law and NPCC documentation recognise that:

  • VRMs can constitute personal data;
  • ANPR records are personal data when relating to an identifiable owner/user;
  • Police records of vehicle movements often relate to the data subject by connection.

I request that the ICO:

  1. Identify the specific “non-personal” elements;
  2. Confirm that Essex must still disclose any personal data relating to the data subject.

Process concerns

The review appears to give significant weight to Essex’s representations while not addressing:

  • your prior conclusions;
  • the explicit exclusion of relevant records;
  • the lack of evidence for the “consent” concerns;
  • the motive of forces wishing to preserve revenue-generating disclosure processes.

Section 165 DPA requires the ICO’s approach to be reasoned, consistent and fair. The current decision does not meet that standard.

Failure to consider the practical reality for victims of vehicle theft

A fundamental issue has been overlooked: the real-world hardship faced by victims of vehicle theft – the very individuals whose rights are at stake.

Victims suffer:

  • financial loss,
  • disruption,
  • emotional distress,
  • loss of transportation, and
  • delayed closure.

Police routinely acknowledge these harms in public communications, yet the practices of disclosure units often compound them. Crime reports are frequently basic, investigations short-lived, and disclosure delayed.

Victims are then confronted with:

  • inconsistent practices between forces,
  • long administrative delays,
  • failures to respond,
  • resistance to providing reports, and
  • demands for substantial fees.

This is a second victimisation.

My intervention, through properly authorised SARs, subject to previous ICO consideration, has been a philanthropic attempt to reduce delay and hardship. The SAR route gives victims:

  • a clear statutory deadline;
  • a free method of access;
  • an enforceable right;
  • a route to escalate concerns.

If third-party SARs are prohibited, victims will simply be directed to submit their own SARs, which forces cannot refuse. Thames Valley Police already accepts this*. The outcome is the same; however efficiency is lost and the constabulary is highlighted as potentially obstructive, inviting complaint.

The ICO must explain why a third-party SAR is “inappropriate”, when a direct SAR from the insured is lawful, routine, and accepted nationally.

It also cannot be ignored that constabularies appear increasingly coordinated, likely through NPCC channels, in resisting SARs not on principled legal grounds but because civil-disclosure routes are fee-earning processes. Endorsing this approach risks undermining Article 15, reducing transparency, and harming victims.

Because I intend to publish advice to the public, I require a considered, balanced, reasoned decision that can withstand scrutiny. The review outcome does not achieve this.

Requested outcome

I therefore request:

  • a further review of the case at senior level; or
  • a detailed clarification addressing the concerns above with reference to law, guidance and evidence;
  • confirmation of the ICO’s stance on the s.184 allegation;
  • clear identification of any legal basis for rejecting third-party SARs in this context;
  • clarification on the role of discretionary fee-based routes;
  • confirmation of how victims’ rights and interests were weighed.

Until a reasoned decision is provided, I cannot responsibly advise victims, nor can I operate with legal certainty.

I remain committed to lawful and constructive engagement with the ICO and policing bodies in the interests of victims who rely on these processes.

* TVP – option ‘1’:

Subject access request” under section 7 of the Data Protection Act 1998

Your client can request personal information relating to him or her by this process. Full details and an
application form can be downloaded from our website at:

Application for access to your personal data held on Thames Valley Police Information Systems

However, you will be aware that on a subject access request, information relating to other people has to be considered separately and may well be removed from any documents provided to your client.

Depending on the purposes for which your client needs the documents, this may make them unsuitable for use in civil proceedings.

* TVP – option 2:

Consent. If you can provide the written consent of a person who has provided information to the police, we would normally agree to provide that information to you. There may be some limited exceptions, for example, where we consider that providing the information would be likely to prejudice an ongoing criminal investigation or prosecution.

TVP original FoIA response @ WDTK.com