03/09/2025 to Essex police Force Data Protection Officer
It is your right to challenge the SAR issue. I await the ICO’s consideration but draw to their attention your conduct generally – the behaviour you have engaged to undermine my approach. I suggest, if you had good grounds to resist the TP SAR, the ‘consent’ you would not have engaged in such manner.
However, this is just one aspect of the decision, the other relates to the personally troubling issue of your accusing me of a criminal offence – s.184. That you have ignored this speaks volumes.
I expect an explanation for your conduct. It beggars’ belief that a specialist department, considering DPA issues regularly on behalf of law enforcement would seek to intimidate me in such a fashion.
I also refer you to the issues associated with your conduct insofar as they pertain to your dealings with others, as conveyed to me during our conversation. You referred to dealings with various parties and I was to be included in at least one exchange. In the absence of said inclusion I was forced to engage FoIA, a total of 5 requests:
- Your exchanges with the ICO appear non-existent, misrepresented – no info’ held by
Essex or the ICO - Your exchanges with the NPCC appear non-existent, misrepresented – no info’ held by
Essex or the ICO - Your dealings/exchanges with ‘others’ appear non-existent, misrepresented – no info’
held by Essex
Despite you explaining I was not the only party raising this issue, not the only party utilising SAR, that others had adopted the approach, Essex have failed to locate any information relating to this.
Please explain; either assist me to obtain the exchanges to which you referred or confirm there were none. Possibly there is another explanation, and I invite this. Currently, I find it difficult to place any confidence is what you write.
Loss adjuster’s Role as Third-Party Requestor:
‘loss adjuster’ cannot act independently on behalf of the data subject while simultaneously representing or functioning as an insurer. Their primary objective is to validate a financial claim, which compromises their impartiality’.
A. Please refer me to the section of the Act that requires impartiality
B. We are loss adjusters, we are engaged to take an impartial, fair stance. I take exception to
the suggestion we would act improperly – I have taken an inordinate amount of time to try
and handhold those who suffer a vehicle theft mindful the police consider the issue low
priory yet conversely often refer to this as organised/professional criminal activity – high
reward, low risk crime. An example of my efforts I refer you to HELP and
and my personal blog
C. The information to be disclosed is factual and as such would be unaffected by any
impartiality only you perceive.
However:
D. The ICO is clear that any third party may submit a SAR with the data subject’s valid
authority, regardless of its role or interest. Insurers, solicitors, family members and others
routinely act as representatives
E. There is no requirement in UK GDPR or DPA 2018 that the representative be impartial.
The law requires only (a) identity of the data subject be proven, and (b) clear
authority/consent be given.
F. The motive of the representative is irrelevant to the validity of the SAR. The purpose of the
SAR is determined by the data subject’s right under UK GDPR Article 15.
Validity of Consent:
A. The data subject is obviously aware of the specific data held by Essex Police that would be
disclosed directly to [loss adjuster] – the request is so tightly defined as to be restrictive. They are
consenting to what they imparted i.e. they have full knowledge.
B. Consent is not a prerequisite for claim settlement.
Please evidence your statement.
We cannot and would not adversely affect a claim due to a refusal.
C. The SAR was obviously initiated by [loss adjuster], not the data subject. It is to facilitate an
insurance claim but often it allows for greater understanding of the crime and police
activity. However, the data subject could understand what data Essex Police held; if it
married with their account, we would raise no further questions, if it did not, then we
would disclose the information held and seek explanation.
D. The data subject signed a form indicating the data would be used in connection with the
claim, to ensure they were aware the extent to which we process their information.
E. The scope of data requested is not excessive. It would not be denied under civil disclosure
without a court order; you are able to decide. There is no reason to withhold the crime
report – as evidenced by your willingness to disclose it under other processes. An App E
(suspicion of fraud) could well lead to move detailed disclosure. If, for example, you
objected to the disclosure of ANPR data, then withhold with explanation – I may challenge
this, subject to your arguments.
However:
F. Consent is not the legal basis for a SAR. A SAR is a statutory right under Article 15 UK
GDPR and DPA 2018 s.45. The data subject does not need to demonstrate “freely given”
consent in the GDPR sense – they are exercising a legal right1.
G. What is required for third-party SARs is clear written authority. I believe the ICO holds
that a signed form authorising a representative is valid.
H. The data subject not knowing what data Essex Police holds is irrelevant; the very purpose
of a SAR is to discover what is held -in this case, related to a limited (by event) amount of
data.
I. The claim that disclosure scope would exceed civil disclosure is misplaced: SAR and civil
disclosure are distinct regimes. SAR is not limited by civil disclosure rules (see Durant v
FSA [2003] EWCA Civ 17462, although restricting “mere information” vs “personal data”
— still confirming SAR is separate from litigation disclosure).
Right of Access Limitations:
‘The Right of Access entitles data subjects access to their personal data unless restricted under the
Data Protection Act 2018, Part 3, Chapter 3, Section 45(4)(a)-(e). Investigation reports often
contain sensitive category and criminal offence data. Disclosure to the data subject is appropriate
as it is their personal data and no restriction would apply; disclosure to a private company for
claim settlement is not appropriate and may be unlawful. ‘
A. You are aware of the ability to redact information. You disclosure reports, are prepared to
do so for a fee.
Can you explain how payment of a fee overrides the concerns you cite – it
is a rhetorical question; they do not.
You disclose for a fee and remove/redact as appropriate. No one is asking for a blanket disclosure, clearly you could disclose as per any other disclosure process engaged. You have the added advantage of knowing that, in relation to an insurance claim, there is a further means by which to disclose lawfully –
you have a further safety net, in addition to a consent mandate (which the MoU does not
require). it appears you are clutching at straws.
However:
B. The right of access is the subject’s right, but it can be exercised through a representative
(ICO guidance above). The police cannot convert a lawful exercise of the subject’s right
into an unlawful disclosure by treating the representative as the end-recipient.
C. Data protection law already provides mechanisms to protect sensitive information: Essex
Police may redact or rely on exemptions under DPA 2018 s.45(4) if disclosure would
prejudice ongoing investigations etc. – ‘ongoing investigation’ would preclude disclosure
even under the MoU
D. Denying the request entirely because a representative is involved is disproportionate and I
believe conflicts with ICO’s established practice.
Redaction Misinterpretation:
‘The ICO suggested redacting non-requested data before sending reports to CMA. This contradicts
the essence of a Right of Access request, which mandates full disclosure to the data subject unless
restricted under Section 45.’
A. It was a suggestion’ – it appears you accept any redactions are likely to be minimal – see above.
However:
B. This misrepresents the law. Redaction is a routine, accepted part of SAR compliance – Durant v Financial Services Authority [2003] EWCA Civ 1746
C. The ICO explicitly confirms that organisations may redact third-party data, privileged material, or sensitive operational details before disclosing.
D. The “essence” of the right is to provide the subject’s personal data – which is exactly what remains after lawful redaction.
Section 184 Implications:
‘Allowing [loss adjuster] access to law enforcement data processed under Part 3 of the Act may violate
Section 184. Investigation Reports may contain ‘relevant records’ such as criminal offence or
health data that should not be disclosed via SAR to a third party.’
A. Frankly, I am astounded you would present such a flawed argument. Investigation reports MAY contain criminal/health data:
a. The consent is very clear – we are NOT seeking this
b. You can redact – as you would on an MoU or other similar process
c. If you disclose – this would be your error, not ours – and we would delete, act appropriately.
d. If this were a valid argument, the MoU or your process would be similarly compromised
B. You refer to ‘implications’ there is no inference in the submission/request – criminal & health records are excluded.
C. I remind you that during our conversation your stated Schedule 18 went beyond my understanding. Not wish[ing] to cause friction I simply asked you to send me the information to which you were referring and you agreed to do so
a. You did not send the information
b. Schedule 18 extends to health and criminal records – as I explained
c. It appears, assuming in your position, you are familiar with this simple aspect of the DPA, I was being misled.
D. Section 184 criminalises enforced subject access — requiring an individual to obtain and hand over their record (usually employment context).
E. The ICO has consistently clarified: where the subject has voluntarily authorised disclosure, s.184 is not engaged. I have evidenced this and you have ignored my submissions.
F. Here, the subject has freely authorised [loss adjuster] to act. No “enforcement” exists. The fact the
request relates to insurance does not make it enforced; it is a voluntary contractual matter.
G. As the ICO has (again) confirmed, though it should surely not have been necessary; to constitute ‘enforced SAR’ the data sought must be CRIMINAL and/or HEALTH information. My request specifically EXCLUDES BOTH. The ICO has written, in respect of this matter:
- I have considered the information available to me in relation to this complaint and I am of the view that Essex Police has not complied with its obligations under data protection law in this instance.
- This is because I am not satisfied that CMA’s right of access request of 10 October 2024 was an “enforced SAR” for the purposes of Section 184 of the Data Protection Act 2018. The reason for this is that the scope of this request specifically excludes “relevant records.” (ICO guide – right of access)
s. 184 has a two-part legal test. For a crime to be committed under Section 184, both must be
true:
- A requirement is made (someone is forced, compelled, pressured, etc.)
AND
- The required information is a “relevant record” (i.e. criminal conviction data or health data)
Section 184 is narrow and specific. It is not a general ban on asking people to get information about themselves.
a. What is not understood about this?
Non-Personal Data Requests:
‘CMA requested data such as VRM and ANPR records that do not constitute personal data. Their request also included timeframes beyond the vehicle’s possession by the data subject, such data would not be considered personal data’.
A. Please confirm that by ‘do not constitute personal data’ you mean do not constitute personal data of the data subject.
B. In what respect does the request seek information for timeframes beyond the vehicle’s possession by the data subject and if the case, having identified this, please confirm:
C. You would restrict disclosure to the pertinent times.
D. I acknowledge that the ANPR aspect of my request could be problematic and that I may need to review this:
a. Pre-theft data – was the data subject the driver? The crime report should assist but you may need our statement to address last journey – commencement to park (last seen) – arguably they will know the last user but usage before their last journey may reveal the conduct of another
b. Last seen – parking, leaving unattended, is likely to be the issued but we will obtain a consent form the last user that may address Aa, above – but I accept times would be needed
c. Discovered missing – commonly the vehicle is ‘left locked, secure, unattended, the victim unable to assist re suspects of time of theft’ – this account is often all that occurs by way of investigation save the victim is assured ‘we will check ANPR’ (which we all know is unlikely to be helpful and the check may not occur) – but is the police position you will not disclose ANPR data because the consent is from the victim but the ANPR data could relate to the thief – and the police do not wish to disclose information relating to a subject (criminal) who has not consented?
d. The issue appear sot have been blown out of proportion – the consent extends to the subject’s personal data.
E. Even if certain VRMs are not currently linked to the subject, Essex Police is required to filter and disclose only the personal data subset relevant to the subject.
F. The existence of non-personal data in a request does not invalidate the whole SAR; it simply means the controller should separate what is in scope.
Further comments / observations:
A. Did you ask the victim/insured if they consented, consented freely or had any objects prior to refusing to act upon their consent. If not, why not?
B. Why did you not seek the ICO’s advice before adopting an intimidatory stance toward me?
C. If your latest arguments are valid, carry any weight, they have not been cited previously.
D. We use the disclosure process regularly with another constabulary who, belt and braces, call the victim to confirm they consented (we will have provided a mandate, proof of residence and proof of identity). Their disclosed crime reports generally contain the following:
- a. The [redacted] unit and [redacted] have advised they [loss adjuster] are entitled to this information as long as victim consent is given and the crime assessed low risk by Insp or above.
- i. Original email with consent mandates attached forwarded to Inspector/Band C for risk assessment/redaction advice.
- ii. Victim consent is confirmed via DL signature comparison
- iii. All information provided to [loss adjuster] only through secure email; [redacted]@cma.cjsm.net
It is evident the process we engage is lawful, appropriate.
Should there be any doubt the above process is engaged by another, I am prepared, in confidence,
to provide an unredacted copy of a disclosure to the ICO.
The arguments appear lacklustre, overlapping – ‘doth protest too much’ appears fitting.
I await the ICO review.
In the meantime I anticipate receiving confirmation you have set the record straight that my
name is no longer associated with the criminal offence s.184.
References:
23/03/2025 ICO IC-220316-G1X1
if you aren’t requiring another person to make and provide the results of a SAR for a
‘relevant record’ (which is: is a health record, a record that relates to a conviction or
caution, or information relating to a statutory function), then it would not be an enforced
SAR under the legislation.
21/12/2018 IC-02622-G8Q7
It does indeed seem that the relevant records only relate to health or criminal conviction
data, or to information obtained through such a request in relation to statutory functions.
Please accept my apologies and I am now of the view that the type of data you wish to
advise your customer to obtain would not constitute a ‘relevant record’ under Section 184
of the Data Protection Act 2018.