24/07/2025 to the ICO
Subject: Supporting Information – Concerns Regarding Misapplication of Section 184 DPA 2018
Please find attached a written submission outlining my ongoing concerns regarding the misapplication of Section 184 of the Data Protection Act 2018 by several UK constabularies. Should Essex appeal, the contents may be of assistance.
The document is intended to provide contextual background, references relevant developments and correspondence, and highlights what appears to be a coordinated reluctance among forces to fulfil legitimate Right of Access requests.
My intention is to assist the ICO in its ongoing work and to contribute constructively to any review or clarification of practice in this area. I appreciate the ICO’s efforts to ensure consistency and fairness in data access rights and hope this material may help inform any future sector guidance or case consideration.
Should you require any further information or supporting evidence, I would be happy to provide it.
Case Reference IC-356699-W0G6
Subject: Concerns Regarding Misapplication of Section 184 DPA 2018 and Coordinated
Disclosure Avoidance by Police Forces
To: Information Commissioner’s Office (ICO)
I am writing to express concerns regarding the ongoing misapplication of Section 184 of
the Data Protection Act 2018 (DPA 2018) by several UK constabularies, despite previous
ICO findings supporting my position.
I also wish to draw attention to what appears to be a coordinated approach among certain
police forces to frustrate legitimate Right of Access (RoA) requests, particularly in the
context of insurance-related matters. This submission sets out relevant legal context, key
developments in police disclosure practices, a summary of my interactions with multiple
constabularies, and my concern regarding coordinated obstruction.
Background and Legislative Context
Section 184 of the DPA 2018 makes it an offence to require an individual to make a Subject
Access Request (SAR) for the purpose of obtaining a “relevant record” (as defined in
Schedule 18). However, the scope of “relevant records” is limited to criminal or medical
data.
My position, consistently upheld by the ICO, is that my requests for disclosure of crime and
RTC reports – made under SAR mandates with appropriate consent – do not fall within the
scope of Section 184.
Guidance on enforced subject access:
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual
rights/right-of-access/can-we-force-an-individual-to-make-a-sar/ – no longer valid
Enforced Subject Access: Disclosure of Criminal Convictions
A guide to subject access | ICO
Relevant Developments in Police Disclosure Policy
a. ABI/NPCC MoU (2022)
The 2022 Memorandum of Understanding (MoU) between the Association of British Insurers (ABI) and the National Police Chiefs Council (NPCC), introduced notable changes:
- Disclosure of crime reports was restricted to ABI members only.
- Non-ABI members were excluded, though NPCC guidance supported disclosure to them at the constabulary’s discretion.
- MoU Link
b. NPCC Guidance on RTC Reports (2023)
A separate development was NPCC guidance to constabularies concerning RTC (Road Traffic Collision) reports, following an ICO determination suggesting section 170 of the Road Traffic Act may restrict disclosure of names and addresses post-collision.
Links:
Use of Subject Access Requests and ICO Support
Following increasing disclosure refusals from police services and a range of attitudes toward applications, I sought access under the DPA 2018 via third-party Subject Access Requests (TP SARs) using client consent. Notably:
- In 2018, the ICO supported my position that Section 184 had not been committed: Enforced Subject Access Requests (SAR)
- In 2023, in case IC-242377-T6S4, the ICO again supported my position after it was claimed my approached fell to enforced SAR by Con1.
Despite this, in 2024–25 the following occurred:
- Con2 cited s.184: ICO Case IC-348523-P7J8
- Con3 cited s.184: ICO Case IC-361864-Q4D2
- Con4 (Essex) cited s.184 and misinterpreted Schedule 18: ICO Case IC-356699
W0G6
Each cited s.184 despite:
- Clear ICO precedent (2018, 2023)
- Consistent use of signed consent and proper SAR protocols
- Evidence that Con1 had acknowledged the legitimacy of SAR and consent-based disclosures
Additionally, Essex Police (Con4) claimed Schedule 18 extended beyond criminal and medical records (it does not) and referenced liaison with the NPCC, ICO, and “others.” FoIA requests revealed no exchanges between Essex Police and either the ICO or the NPCC. No records of external insurer communication were disclosed.
Evidence Suggesting Coordinated Approach
A series of NPCC emails obtained via FoIA shows the following:
- Concerns were raised about an expected increase in RoA requests due to the MoU
restrictions.
Thursday, 24 July 2025
Page 2 of 4
Case Reference IC-356699-W0G6 - Some forces expressed reluctance to process RoA requests citing resourcing and
cost. - A Staffs Police representative suggested obtaining DCC sign-off to cease processing
such requests entirely. - Internal NPCC correspondence (13/07/2023) referred to “RoA abuse,” despite no
cited evidence.
Full details and domains disclosed via FoIA.
These patterns indicate that forces may be working in coordination to restrict RoA access,
possibly to avoid administrative burdens rather than due to legal necessity.
Case Developments and Acknowledgements of Error
16/07/2025: The ICO ruled that no s.184 offence had been committed by me regarding
Con4.
16/07/2025: Con2 acknowledged their improper handling of my requests, apologised in
writing, and admitted:
- Incorrect use of legislation
- Baseless accusations of enforced SAR
This was further confirmed in an FoIA response:
“I stated I knew that Section 177 of DPA 2018 was not the right legislation to refer to… and
the accusations of enforced SARs was not the right thing for us to do” – source.
My complaint regarding Con2 (IC-348523-P7J8) is currently under review by Mr Ash at
the ICO. Con3’s complaint is pending assignment.
Conclusion and Request for Action
Despite previous ICO rulings, several constabularies have continued to misapply Section
184 and Schedule 18 of the DPA 2018. They appear to be working in a harmonised fashion
to resist RoA requests from insurance representatives, motivated by operational or financial
concerns. This raises serious concerns about data access rights and equality of treatment.
Law enforcement alleging criminal conduct is a matter of the utmost seriousness. These
accusations have not come from uninformed individuals, but from dedicated disclosure
teams within four separate constabularies – departments whose responsibilities centre on
interpreting and applying a narrow, well-established set of legal provisions daily.
Their role demands a sound understanding of relevant legislation, yet each has erroneously
alleged a breach of Section 184 of the DPA 2018, even though my requests have explicitly
excluded any data that would qualify as a “relevant record” under Schedule 18.
Section 184 is brief, clear, and unambiguous in its scope. It is difficult to accept that all four
constabularies, each with access to legal advisors and senior decision-makers, each request
being subject to senior management attention, could misinterpret it simultaneously and
independently.
I have gone to considerable lengths to assist and clarify, yet their stance has remained
unchanged. This has resulted in reputational damage, a disregard for my legal rights, and
in my view, conduct which borders on unlawful behaviour. To date, only one constabulary
has formally withdrawn the accusation, and I remain unaware of any efforts by the others
to acknowledge or rectify the potential harm caused.
Further, although I have been the subject of serious criminal allegations, none of the
constabularies appear to have followed investigative procedures. By way of examples, no
formal crime reference has been issued, no investigation initiated, and no notification to the
ICO has been made regarding the concerns they claim to hold. This selective and
inconsistent approach raises troubling questions about the legitimacy and intent behind
their actions.
I respectfully suggest that it may be appropriate for the ICO to:
- Investigate potential coordinated avoidance practices that undermine lawful access rights.
- Reaffirm its interpretation of s.184 and Schedule 18 in relation to third-party SARs with consent.
- Consider issuing updated sector-wide guidance to ensure consistent understanding across constabularies
Thank you for your time and consideration.