The Data Protection Act gives you the right to find out what personal information the UK criminal justice system, including police forces, might hold about you. A request for your personal information is called a ‘subject access request’.
The Freedom of Information Act gives you the right to ask for official information held by public authorities such as police and criminal justice organisations.
Your right to find out what personal information the police keep about you
You can find out how to access personal information held about you by the police by reading our ‘Your rights to police information’ factsheet. It explains how you can find out whether the police hold information about you and, if so, how you can obtain a copy of. Requests should be made in writing to your local police force. A fee of £10 may be charged and you will need to prove your identity. The factsheet also identifies the instances in which police do not have to release information.
Should the police fail to respond to a request within 40 days of receiving it (with any required fee and identification) you can make a complaint to us.
You can also request your personal information held by other organisations such as:
- HM Prison Service
- HM Court Service
- The Crown Prosecution Service (CPS)
Your right to find out official criminal justice information
You have a right to request official information about the criminal justice system held by public authorities, including UK police forces and prisons. You might not be supplied with the information you requested if it is exempt under the Freedom of Information Act.
You can find out how to make a request by visiting our ‘Access to official information’ webpage.
The public authority has 20 working days to respond. If the public authority fails to respond to your request within 20 working days, you should ask them for an internal review. If you are still not satisfied, you can make a complaint to us.
Police forces, prisons and other criminal justice organisations have already released some information under the Freedom of Information Act either in the normal course of business or in response to specific requests. Before making a request, check the appropriate website to see if they have already published the information you require. You can find police force websites by using the UK Police Service website. This provides links to all geographic and non-geographic police forces in the UK.
Releasing information to prevent or detect crime
The Data Protection Act 1998 does not stop organisations from releasing personal information. Any organisation may be asked to release personal information because it is needed to prevent or detect a crime, or to catch and prosecute a suspect: information needed for these purposes will be exempt from parts of the Act. Organisations are most likely to get requests like this from the police, but they may get requests from other organisations that have a crime prevention or law enforcement function - for example, the Department for Work and Pensions Benefit Fraud Section.
Organisations may release personal information on a case by case basis, for the purposes of preventing or detecting a crime, or catching and prosecuting an offender. In these circumstances they don't have to let an individual know their information has been shared, or provide them with access to it, if it would be likely to prejudice (that is, significantly harm) an ongoing investigation.
ICO’s enforcement powers under the Data Protection Act and Freedom of Information Act
A data controller who persistently breaches the Data Protection Act and has been served with an enforcement notice can be prosecuted for failing to comply with the notice. This offence carries a maximum penalty of a £5,000 fine in the magistrates’ court and an unlimited fine in the Crown Court.
Organisations which process personal information must notify with the Information Commissioner’s Office. Notification is a statutory requirement and every organisation that processes personal information must notify the ICO, unless they are exempt. Failure to notify is a criminal offence.
Examples
- In October 2005, two debt collection companies, trading from the same location, were each fined £5,000 (the maximum amount) and ordered to pay £300 towards prosecution costs, by Manchester city magistrates, for failing to notify;
- In April 2005, a recruitment company pleaded guilty to an offence of not being notified under S17 (1) of the Data Protection Act 1998. They were fined £100 and ordered to pay prosecution costs of £700.
Unlawful obtaining or disclosing of personal information: it is a criminal offence to knowingly or recklessly obtain, disclose or procure the disclosure of personal information, without the consent of the data controller.
Examples:
- Private detectives who obtain information for their customers by deception commit this kind of offence.
- An individual who works for a bank commits an offence if they knowingly or recklessly pass on the account details of someone other than for legitimate purposes.
If a person has obtained personal data illegally, it is an offence to sell it or to offer to sell it.
Data Protection Act scams: there have been many complaints about companies claiming to be Data Protection Act or CCTV ‘notification agencies’ and encouraging firms to pay them exaggerated sums to notify with the ICO or risk large fines. This is not necessary and such organisations have no association with the ICO. Organisations should notify direct with the ICO at a cost of £35.
Examples:
- Two people were sentenced to a total of six-and-a-half years imprisonment in December 2004 after pleading guilty to conning businesses across the UK out of nearly £700,000 in data protection scams.