260708 ICO Outcome re TP SAR

Improving the claims journey for people who have suffered a loss.

8 July 2026

From the ICO – Case Reference: IC-356699-W0G6

Contents

I am writing to you in relation to a request for a review we received from you (CMA) on 4 December 2025 in response to the revised outcome we issued on 4 December 2025. I would like to thank you for your continued patience on this matter. Further background to this case is set out below.

Background

We received a complaint from CMA on 7 January 2025 concerning a subject access request (SAR) you made to Essex Police (EP) on behalf of an individual you represent. EP refused the SAR on the basis that they considered it was an enforced SAR within the meaning of section 184 of the Data Protection Act 2018 (DPA18).

We issued our outcome on this matter on 16 July 2025. The outcome was that we were not satisfied that CMA’s request was an enforced SAR for the purposes of section 184, particularly because the request specifically excluded “relevant records”.

EP disagreed with the outcome and sought a case review.

The reviewing case officer overturned the original decision in their case review outcome of 4 December 2025. This was because the reviewing officer agreed with EP that, as a party acting for an insurer, CMA was not the appropriate party to make a SAR to EP, and that SARs are not designed to support insurance claims and are not appropriate where the third party’s interests are not aligned with those of the individual.

Following the revised outcome, CMA requested a further review of the complaint. This letter summarises our further review of the complaint and sets out our final outcome.

Final outcome

We have reviewed the information provided by both CMA and EP and have engaged with relevant teams across the ICO to ensure that our outcome aligns with current guidance. Our final outcome is set out below.

In summary, our view is that, based on the information provided, EP should not have refused to respond to the SAR on the basis that it was an enforced SAR. Additionally, our guidance is clear that controllers should respond to third party SARs where they are satisfied that the requester has appropriate authority to make the SAR. If EP had concerns about the SAR being made by a third party, they could have raised these concerns with CMA or contacted the data subject (DS) directly.

Reasoning

Potential Section 184 offence

It is our view that EP cannot refuse to comply with the SAR on the grounds that it may constitute an enforced SAR under section 184 of the DPA18. This is because the request does not appear to seek information that would fall within the definition of a ‘relevant record’ as defined by Schedule 18 of the DPA18.

In any event, our view is that it’s not EP’s role to determine if a section 184 offence has been committed. Where a controller considers that such an offence may have occurred, it may notify the ICO, which can then consider whether to investigate. However, section 184 does not provide an exemption from the obligation for a controller to comply with a SAR.

Third-Party SARs

Our guidance is clear that a SAR can be made by someone acting on behalf of another person, provided they have the appropriate authority to do so.

Our guidance, How do we recognise a Part 3 subject access request (SAR) | ICO, states:

A Part 3 SAR is a request made by or on behalf of someone for the information they are entitled to ask for under section 45(1).”

However, we recognise that it is important that a controller is satisfied that a third party is entitled to act on behalf of the person whose personal information is being requested in order to protect that information against potential unauthorised access. The above guidance also states:

“Can someone ask a third party to make a SAR on their behalf?

..you need to be satisfied that the third party making the request is entitled to act on behalf of the person. Follow the recommendations in our UK GDPR detailed right of access guidance.

If a third party makes a SAR on behalf of someone else, you should respond to the requester as if you were responding directly to the person the information is about.”

Our UK GDPR guidance, How do we recognise a subject access request (SAR)? | ICO, makes clear that the third party is responsible for providing evidence that they are entitled to act on the DS’s behalf. This can be, for example, by providing a written authority, signed by the person the information is about, stating that they give the third party permission to make a SAR on their behalf.

The above guidance also states that controllers should clearly explain in their privacy information what authority they require from a third party acting on someone’s behalf. We note that EP’s website indicates that they make available a consent form for data subjects to sign when authorising a third party to make a SAR or other information rights request on their behalf: Information rights third party consent form. This form requires the name and signature of the DS. The website also makes clear that the requester needs to upload two documents proving the DS’s identity and address.

In this case, CMA provided an up to date, signed consent form from the DS. They also uploaded two identity documents to prove the DS’s identity and address. Whilst CMA did not use EP’s consent form, the form they provided contained the same information as EP’s consent form, including specific details of the data being requested.

It is our view that the appropriate authority appears to have been provided in this case. However, if EP had concerns about this, they could have raised their concerns with CMA, or contacted the DS directly to discuss this. This is explained in our guidance, How do we recognise a subject access request (SAR)? | ICO, which states:

“In most cases, provided you are satisfied that the third party has the appropriate authority, you should respond directly to them. If you have reasonable grounds to believe that a person may not understand the nature of the information you are disclosing, and you are concerned about revealing excessive information to the third party, you could contact the person first to make them aware of your concerns. For example, this may be appropriate if the information is particularly sensitive or the person may not know the extent of the information that is likely to be disclosed. 

If the person agrees with your concerns and is happy to receive the information from you directly instead, you must send the response directly to them rather than to the third party. The person may then choose to share the information with the third party after reviewing it. However, if the person responds and asks you to send the information to their third-party representative, you must do so.

If you do not receive a response from the person, you should provide the requested information to the third party. If the person has specifically asked you not to contact them directly, then you should only correspond with the authorised third party.”

In addition to the above, our guidance makes clear that the purpose of a SAR is not relevant when assessing its validity and our guidance regarding Part 3 SARs, How do we recognise a Part 3 subject access request (SAR) | ICO, also states:

“Do we have to respond to the SAR if the person has an alternative means of accessing their information?

Yes. A SAR is still valid even if the person has the option of using another statutory disclosure or legal route to obtain their information…you must not refuse to comply with a SAR just because someone has an alternative means of accessing their personal information.”

In light of the above, while other routes for obtaining information in relation to insurance claims may be available, it is our view that EP cannot refuse to comply with a request solely on this basis.

We have previously published guidance which acknowledges that in some cases, SARs aren’t the most appropriate route for third parties to access information they need, such as our guidance on requests for health data by third parties. This reflects that the SAR route may not provide all the information necessary for certain third party purposes, and that in some cases it could result in the provision of more personal information than is necessary for those purposes.

We would take this opportunity to remind CMA that when processing personal data for insurance purposes, it has a duty to ensure that the personal data is adequate, relevant and limited to what is necessary in relation to those purposes (Principle (c): Data minimisation | ICO). It must also ensure that its processing is fair, including ensuring that data subjects are not misled when their data is collected and that it is only processed in ways which they would reasonably expect (Principle (a): Lawfulness, fairness and transparency | ICO).

Conclusion

In summary, it is our view that EP should not have refused to respond to the SAR on the grounds they have provided in this case, specifically that it was an enforced SAR, or because the request was made by a third party which is not appropriate.

Our current guidance is clear: we expect controllers to respond to third party SARs where they are satisfied that the requester has appropriate authority. If EP had genuine concerns about CMA’s authority, they had the option to raise these concerns with CMA, or to contact the DS directly. In this case, it does not appear that EP raised their concerns about the third party authority of CMA with CMA themselves, or directly with the DS.

Next steps

In light of the above, we have contacted EP to explain our view. We expect them to take account of the information above and provide an appropriate response to CMA.

I trust that this resolves the matter and we do not intend to pursue this further.

Group Manager

Information Commissioner’s Office


Original ICO document


Essex police ‘appropriate response’ is awaited.