21/12/2018 – ICO – Case Reference IC-02622-G8Q7 from the ICO to CMA:
‘I have carefully reviewed the points you make and have come to the view that my previous advice was mistaken and that you are correct. It does indeed seem that the relevant records only relate to health or criminal conviction data, or to information obtained through such a request in relation to statutory functions.
Please accept my apologies and I am now of the view that the type of data you wish to advise your customer to obtain would not constitute a ‘relevant record’ under Section 184 of the Data Protection Act 2018.
I hope this information is helpful to you. If you would like to discuss this further, please contact me on my direct number 0330 414 6659. If you need advice on a new issue you can contact us via our Helpline on 0303 123 1113 or through our live chat service. In addition, more information about the Information Commissioner’s Office and the legislation we oversee is available on our website ico.org.uk.’
The e-mail exchange history:
To the ICO:
Dear Sirs,
I understand requiring someone to obtain a ‘relevant record’ is a criminal offence: http://www.legislation.gov.uk/ukpga/2018/12/section/184/enacted
Please can you confirm whether ‘forcing’, the criminal act, extends to categories of information other than criminal records.
I wish a person to make a SAR, it is the easiest, quickest way for them to corroborate a statement they have made. I have no interest in their criminal records, I do not wish this, I want the subject to obtain their mobile phone record for a very small period of time – an hour.
The circumstances are as follows:
• The insured (data subject) purchased a car
• The insured admits he then drove the car without insurance when returning 100s of miles to his home
• When driving, the insured apparently contacted his sister and asked her to obtain a policy of insurance
• The policy was obtained at 3pm … 5 minutes later …
• At 3:05pm a collision occurred
It is suspected, on the balance of probabilities, the insured had the collision and then arranged the policy. The insured states otherwise.
A mobile phone record will display the times of calls, the numbers called but importantly, the location at which the call was made. To corroborate his account I wish to ask the insured to obtain the record from his air-time supplier and send it to us – or for them to send it to us. The airtime supplier will not send to us even if confronted with the facts (which satisfy the DPA 2018 disclosure enabling sections) rather, we will be directed to obtain a court order or to the police – who are disinterested.
1. If I ‘instruct’ the data subject to approach his airtime supplier using SAR, do I commit a criminal offence?
I would be ‘forcing’ him to use SAR (it could be argued, no SAR, no settlement) but I am NOT seeking criminal records. It could also be argued that I am assisting him – the records may support his account – I could be criticised for not directing him to a process available to him that would secure the records within a month.
2. Does enforcement extend to other (all?) records, such as the data I am seeking (above)? i.e.
3. Does relevant record extend beyond criminal convictions / cautions (information)?
4. Can I simply (less formally) advise the means by which he can obtain the record is by using SAR, without saying ‘you must … or else’ (words to that effect), possibly adding … there’s no obligation?
The following appears to relate to the DPA 1998:
https://ico.org.uk/media/for-organisations/documents/1042608/enforced-subject-access-s56.pdf
29. Subsection 56(6A) DPA explains that where a subject access request is made for information which is purely information that is category ‘(e)’ data (as defined under section 1 DPA), this is not a request for a relevant record. Category ‘(e)’ data does not constitute a relevant record under section 56 DPA. It follows that this could not be considered as an enforced request.
However, ‘category ‘e’ data’ appears to relate to processing recorded information held by a public authority.
The ABI guidance (attached) suggests the offence relates to criminal convictions and the 1998 Act (superseded) refers to convictions/cautions – http://www.legislation.gov.uk/ukpga/1998/29/section/56/2004-04-26 and what appears to be the replacement, section 184 http://www.legislation.gov.uk/ukpga/2018/12/section/184/enacted and this refers me to schedule 18 for ‘relevant records’.
http://www.legislation.gov.uk/ukpga/2018/12/schedule/18/enacted 1(1) In section 184, “relevant record” explains this means:
(a) a relevant health record (see paragraph 2),
(b) a relevant record relating to a conviction or caution (see paragraph 3), or
(c) a relevant record relating to statutory functions (see paragraph 4).
It, therefore, appears a mobile phone supplier falls outside of the enforced subject access provision, that the mobile phone data is NOT a ‘relevant record’ and in turn, I may direct the insured (data subject) to make the request.
This is an ongoing (current) enquiry and my being concerned to remain on the correct side of the law, I would appreciate your earliest response.
From the ICO:
Section 184 of the Data Protection Act 2018 (DPA 18) makes it an offence to require any person to produce a relevant record for a number of purposes, including the provision of goods, facilities or services to that person. This is not limited to a record of criminal matters but would also apply to information of the type you describe.
It seems likely, therefore, that requiring your client to make a Subject Access Request, and provide you with the resulting information for the purposes of determining whether to approve an insurance claim made by him, would be an offence under Section 184 of the DPA 18.
I hope this information is helpful to you. If you would like to discuss this further, please contact me on my direct number 0330 414 6659. If you need advice on a new issue you can contact us via our Helpline on 0303 123 1113 or through our live chat service. In addition, more information about the Information Commissioner’s Office and the legislation we oversee is available on our website ico.org.uk.
To the ICO:
Whilst I thank you for your response, can you clarify some aspects:
1. Where is a ‘relevant record’ defined. I can only find reference to this applying to criminal convictions or cautions.
You say it ‘seems likely’, therefore, that requiring your client to make a Subject Access Request, and provide you with the resulting information for the purposes of determining whether to approve an insurance claim made by him, would be an offence under Section 184 of the DPA 18.
I am a layman, I have asked the ICO to ensure I do not fall foul of the law, that I abide by it. The use of ‘seems’ and ‘likely’ are less than certain; I had expected a ‘black or white’ response i.e. it is or it is not.
2. Can you be more certain and if not, why not?
The situation I have described arises because I am suspicious of the events. There may be an explanation for the events hence, in the first instance, I am not accusatory when returning to him but have set out my concerns. I could have ‘suggested’ he make an SAR of his phone company to support his claim.
3. Can I raise the ‘option’ without (for example) saying ‘you must …’ i.e. can I explain to him that should he wish to obtain records to corroborate his account, that set out the date / time of calls and his location when doing so, he can make a SAR to the mobile phone supplier, that it will cost him nothing and the response must be sent within 1 calendar month?
4. At what point does my seeking to help him cause me to commit a crime?
This is not a rare occurrence, there are often occasions when we have concerns and will raise these with an insured. Often records will be held by someone the insured has a contract with, for example, a bank that identifies a withdrawal of monies for a purchase. An insured will say ‘I have no access to records’ or will not know how to go about obtaining them.
It is frustrating at times to be between insured (claimant) and insurer and be unable to assist the latter to obtain information for fear of assistance constituting a criminal offence.
Yours sincerely
From: ICO Casework icocasework@ico.org.uk
Sent: 21 December 2018 11:50
To: Philip Swift <pswift@cmaclaims.co.uk>
Subject: Your email to the ICO – Case Reference IC-02622-G8Q7
21 December 2018
Our reference: IC-02622-G8Q7
Dear Sir,
Thank you for your email of 30 November 2018.
I have carefully reviewed the points you make and have come to the view that my previous advice was mistaken and that you are correct. It does indeed seem that the relevant records only relate to health or criminal conviction data, or to information obtained through such a request in relation to statutory functions.
Please accept my apologies and I am now of the view that the type of data you wish to advise your customer to obtain would not constitute a ‘relevant record’ under Section 184 of the Data Protection Act 2018.
I hope this information is helpful to you. If you would like to discuss this further, please contact me on my direct number 0330 414 6659. If you need advice on a new issue you can contact us via our Helpline on 0303 123 1113 or through our live chat service. In addition, more information about the Information Commissioner’s Office and the legislation we oversee is available on our website ico.org.uk.
Yours sincerely
[redacted]
Case Officer
Information Commissioner’s Office
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
T. 0330 414 6659 ico.org.uk twitter.com/iconews
08/2022 – ‘Enforced SAR’ applying to criminal convictions only is reinforced in the ‘National Guidance on Data Sharing for National Police Chiefs’ Council in Respect of Association of British Insurers’:
2.4 It is an offence under Section 184 of the Data Protection Act 2018 to use the right of subject access to require an individual to make a subject access request for information related to their criminal past. The Information Commissioner’s Office (ICO) has powers to prosecute organisations who use it. The ABI & NPCC agree and understand that this method of access is incompatible with the current legislation and will not therefore be used.