Subject Access Request (SAR)

You are entitled to request information held about you from a third party. For example, you may wish to be provided a copy of your crime report to progress an insurance claim following the theft of a vehicle.

You could simply give the party holding the information, for example, a police constabulary, CONSENT to provide the information to another. Or you could provide your insurance company, or their representatives, CONSENT to obtain the information from the constabulary.

However, some police services are reluctant to make such disclosures and would prefer the insurer (or their agent) to use an ‘agreed’ process, a Memorandum of Understanding (MoU). But this comes with its own problems:

  1. The MoU does not apply to every insurer. Not all insurance companies are treated equally by the police
  2. The MoU does not guarantee the information will be disclosed within a set period
  3. There is a cost. For providing what is often a brief account, with scant information and would take little time to check, redact (if necessary) and disclose, a charge of about £150 can be made by the police

Conversely, a SAR request:

  1. applies to all constabularies, can be utilised by an insured/victim. An insurer can also be given authroity to make a ‘Third Party SAR’; an insured/victim can be authorised to make a SAR on the subject’s (insured’s) behalf
  2. The information is required to be disclsoed within a calendar month, subject to some exemptions
  3. There is no cost.

The issue of TP SAR’s is currently, as of early 2026, with the ICO as Essex constabulary, which charges over £150 per disclosure, has challenged the process.

I should be noted that disclosures can be subject to some difficulties.

For example, if a SAR is made, the constabulary may respond ‘investigation ongoing’. Whilst les slikley with a vehicle theft report as these are often quickly closed with little enquiry undertaken, should this be the response, a new SAR will need to be made, the process recommenced.

The ICO has advised, 05/2026, Case Reference IC-513402-Z3F0:

  • If a constabulary declines to disclose the information for a valid reason i.e. ‘the investigation is ongoing’, that SAR is effectively killed at this stage.
  • The data controller, the constabulary, would be considered to have complied with their obligations since a lawful response had been provided.
  • A new/fresh SAR would need to be submitted upon completion of the investigation in question.  There is no provision within the legislation to compel the data controller to partially comply with a request during an ongoing investigation. 
  • There is no way to avoid submitting a new SAR since the initial SAR, in the eyes of the legislation so to speak,  the initial SAR has received a lawful response and is complete/closed

However, aspects of the conduct do not sit comfortably and therefore the ICO was asked:

04/06/2026:

Thank you for your response. I remain concerned that the position stated may be too broad and risks being misunderstood by controllers as permitting a blanket refusal of Part 3 SARs whenever an investigation is ongoing.

I accept that, where a controller has lawfully applied a Part 3 restriction and responded to a SAR, the controller may not be required to keep that SAR open indefinitely.

I also accept that a further request may be required once the temporary reason for restriction has ceased.

However, my concern is with the lawfulness of the original response and, in particular, whether the controller was entitled to refuse disclosure in full.

Section 45(4) DPA 2018 permits restriction “wholly or partly” only “to the extent that and for so long as” the restriction is necessary and proportionate, having regard to the data subject’s fundamental rights and legitimate interests.

The ICO’s own guidance states that a controller should only apply a restriction to the extent necessary and “must provide the person with any information that does not come within the restriction”. It also states that, where the purpose can reasonably be achieved by another means, for example redaction, that should be done instead.

My approach appears to fit the ICO’s guidance; I understood there would be some withholding (the outstanding enquiry pertaining to the vehicle examination upon recovery) and I appreciated, as is common, that some data may be redacted (TP information, for example).

In the circumstances, I respectfully ask the ICO to clarify its statement that there is “no provision within the legislation to compel the data controller to partially comply with a request during an ongoing investigation”. That appears difficult to reconcile with section 45(4) and the ICO’s published guidance.

The issue I ask the ICO to address is therefore not whether police may restrict access during a live investigation. They plainly may, where the statutory test is met.

  • The issue is whether they may refuse the entire SAR without demonstrating that partial disclosure, redaction, or disclosure of non-sensitive material would still obstruct or prejudice the investigation.

In a vehicle theft matter, for example, it may be legitimate to restrict aspects forensic examination details, suspect intelligence, witness information, CCTV, ANPR material (that has bene undertaken or is held against the vehicle, within the crime report).  It may be legitimate to restrict live lines of enquiry – in this instance the police identified and disclosed this; a forensic vehicle examination was to occur. That does not necessarily explain why the controller could not disclose, or consider disclosing, basic crime report information (Day/Date/Time/Place – DDTP), chronology, recovery information, data already generally known to the victim, or other material not capable of prejudicing the investigation.

Please therefore confirm whether the ICO’s position is that:

  1. an ongoing investigation may justify a restriction only where disclosure would create a real, non-speculative risk falling within section 45(4);
  2. the controller must consider whether partial disclosure or redaction would avoid that risk;
  3. the controller must provide personal data that does not fall within the restriction; and
  4. the controller must record its reasons for any full or partial restriction and provide those reasons to the ICO if requested.

The police have treated the case as though “ongoing investigation” is a complete exemption, when the law requires a targeted, necessary and proportionate restriction.

I would be grateful if this could be treated as a request for clarification, because the present wording could otherwise encourage police forces to treat an ongoing investigation as an automatic basis to close SARs in full, requiring victims to start again later, even where some information could properly have been disclosed at the outset.