08/04/2026 to the ICO:
ICO Follow-Up Submission (IC-356699-W0G6)
I write further to your email of 16 February 2026, in which you indicated that an outcome of the review would potentially be provided within approximately 28 days. As that period has now passed, I wished to provide a brief update and, importantly, to assist your review by setting out several points arising from the ICO’s revised position dated 4 December 2025.
In reviewing the ICO’s revised position, it is apparent that a number of the arguments advanced by Essex Police have been adopted. I have therefore addressed those points only insofar as they appear to form part of the ICO’s reasoning, and where they raise questions of legal interpretation.
1. Purpose of this Further Submission
Having carefully reviewed the ICO’s decision to reverse its earlier position, I am concerned that the reasoning applied appears to introduce legal thresholds which are not reflected within either the UK GDPR or the Data Protection Act 2018, nor within the ICO’s own published guidance.
I therefore hope the following observations assist in clarifying the legal position.
2. Purpose-Blind Nature of Subject Access
The ICO’s decision states that subject access rights are:
- “not designed to support a process for handling insurance claims”
With respect, I have been unable to identify any statutory provision which imposes a purpose-based limitation on the right of access.
ICO guidance confirms that individuals are entitled to access their personal data without needing to explain their reasons.
Accordingly, a subject access request is a purpose-blind statutory right, and its exercise cannot be restricted by reference to the intended use of the data.
- If the ICO considers otherwise, I would be grateful if you could identify the specific statutory provision or binding authority upon which that interpretation relies.
3. Third-Party Representation and “Alignment of Interests”
The decision further suggests that CMA is not an appropriate third party because its interests are not aligned with those of the data subject. However, ICO guidance expressly permits third parties to act on behalf of data subjects, subject only to appropriate authorisation.
I have not been able to identify:
- any statutory requirement that a representative’s interests be “aligned” with those of the data subject, nor
- any ICO guidance introducing such a test
Accordingly, this appears to represent a new and unsupported threshold.
- I would therefore be grateful for clarification as to the legal basis for introducing an “alignment of interests” requirement.
A subject access request submitted via an authorised representative remains a request exercised by the data subject. The origin of the request is not determinative.
- If the ICO considers otherwise, I would be grateful for clarification as to the legal basis for that position.
4. “Freely Given” Consent in a Commercial Context
The ICO’s position suggests that consent cannot be considered freely given where it is provided in connection with an insurance claim. Under UK GDPR Article 4(11) and Recital 43, the concept of “freely given” consent is primarily concerned with imbalance of power (for example, employer–employee relationships).
I have not identified any authority indicating that:
- a commercial or financial context, or
- the existence of a contractual claim
renders consent invalid.
On the contrary, a data subject choosing to pursue an insurance claim is exercising a legal right, not being subjected to coercion.
- If the ICO considers that such consent is inherently invalid, I would be grateful for clarification as to the legal basis for that position.
The suggestion that a representative must be ‘independent’ or free from commercial interest does not appear within the statutory framework governing subject access requests.
- If the ICO considers otherwise, I would be grateful for clarification as to the legal basis for that position.
The existence of a financial or contractual context does not, in itself, invalidate consent. No such principle appears within the UK GDPR.
- Again, if the ICO considers otherwise, I would be grateful for clarification as to the legal basis for that position.
5. “More Appropriate Route”
The decision places weight on the existence of an alternative route for insurers to obtain information. However, I have not identified any provision within the UK GDPR or Data Protection Act 2018 which permits a controller to refuse a subject access request on the basis that:
- another route exists, or
- the data may be disclosed in a more limited form via that route
A subject access request is a standalone statutory right, and its availability is not contingent upon the existence of alternative mechanisms.
The availability of an alternative disclosure mechanism does not displace the statutory right of access.
- I would therefore welcome clarification as to the legal basis for this aspect of the ICO’s reasoning.
6. Disclosure to the Data Subject vs Disclosure to a Representative
The decision suggests that certain data:
- may be disclosable to the data subject
- but not to their authorised representative
I would respectfully note that a third-party SAR is, in law, a request exercised by the data subject via an authorised agent. As such, I would be grateful for clarification as to how:
- the same data can be lawfully disclosed to the data subject,
- but becomes unlawful when disclosed via their authorised representative,
in the absence of any statutory distinction.
7. Section 184 Data Protection Act 2018
While not central to the ICO’s revised reasoning, I would also note that Essex Police relied on Section 184 Data Protection Act 2018. As you will be aware, Section 184 applies only to specific categories of “relevant records” (health and criminal conviction records), and does not apply to general personal data.
The repeated reliance on this provision across multiple constabularies raises a concern that statutory provisions are being invoked outside their intended scope to justify refusal.
I raise this point for completeness. While not determinative, the reliance on Section 184 (which applies only to limited categories of records) illustrates a broader pattern of misapplication of the statutory framework.
8. Systemic Concern
Finally, I would respectfully note that the position adopted in this case is not isolated. Similar reasoning has been advanced by multiple constabularies, suggesting that this may reflect:
- a shared interpretation, potentially influenced by national policing guidance,
- rather than case-specific analysis
Given the implications for data subject rights, I consider this to be a matter of wider regulatory importance.
9. Closing
I hope the above is of assistance in your review.
My intention is not to restate previous arguments, but to seek clarity on the legal basis underpinning the ICO’s revised position, particularly where it appears to depart from both legislation and published guidance.
I look forward to hearing from you.
