Current timestamp: 27/03/2025 06:44:00
AgeAlertAnonymousAppealsApplicationsApply Or RegisterArea OutlineArrow DownArrow LeftArrow RightArrow UpAutomatic DoorsBack ArrowBusinessCalendarCashArrow DownArrow LeftArrow RightArrow Down[Missing text '/SvgIcons/Symbols/Titles/icon-chrome' for 'English (United Kingdom)']ClockCloseContactDirectionsDocumentDownloadDrawDrugExpandExternal LinkFacebookFb CommentFb LikeFiletype DefaultFiletype DocFiletype PdfFiletype PptFiletype XlsFinance[Missing text '/SvgIcons/Symbols/Titles/icon-firefox' for 'English (United Kingdom)']First AidFlickrFraudGive FeedbackGlobeGuide DogHealthHearing ImpairedInduction LoopInfoInstagramIntercom[Missing text '/SvgIcons/Symbols/Titles/icon-internet-explorer' for 'English (United Kingdom)']LaptopLiftLinkedinLocal ActivityLoudspeakerLow CounterMailMapMap PinMembershipMenuMenu 2[Missing text '/SvgIcons/Symbols/Titles/icon-microsoft-edge' for 'English (United Kingdom)']Missing PeopleMobility ImpairmentNationalityNorth PointerOne Mile RadiusOverviewPagesPaper PlaneParkingPdfPhonePinterestPlayPushchairRefreshReportRequestRestart[Missing text '/SvgIcons/Symbols/Titles/icon-rotate-clockwise' for 'English (United Kingdom)']Rss[Missing text '/SvgIcons/Symbols/Titles/icon-safari' for 'English (United Kingdom)']SearchShareSign LanguageSnapchatStart AgainStatsStats And Prevention AdviceStopSubscribeTargetTattosTell Us AboutTickTumblrTwenty Four HoursTwitter LikeTwitter ReplyTwitter RetweetUploadVisually ImpairedWhatsappWheelchairWheelchair AssistedWheelchair ParkingWheelchair RampWheelchair WcYoutubeZoom InZoom Out

Leave this site

Skip to main content

Skip to main navigation

Welcome

This site is a beta, which means it's a work in progress and we'll be adding more to it over the next few weeks. Your feedback helps us make things better, so please let us know what you think.

Subject Access Policy

Policy Statement

Summary

This policy provides the overarching Subject Access Policy for the Force and is applicable to personal data, including special category data, held and processed by Humberside Police.

Aims

The aim of this policy is to ensure compliance with the Data Protection Act (DPA) 2018, and the rights of the data subject, referred to in Part 2, Chapter 2 and Part 3, Chapter 3, Section 45 of DPA 2018 which covers the Right of Access by the data subject, and Articles 12 and 15 of the UK GDPR.

The College of Policing launched the Code of Ethics and Code of Practice in January 2024, which applies to everyone in policing. The Ethical Policing Principles which form the Code of Ethics are Courage, Respect and Empathy, and Public Service. These principles aim to help people in policing do the right things, in the right way, for the right reasons. The principles should be observed and adhered to at all times and in line with this policy”.

Scope

This policy applies to all personal data and special category data held by and/or processed by Humberside Police, any person who has access to Humberside Police information, including Police Officers, Police staff, Special Constables, contractors and volunteers, and includes all personnel who access information under a Regional Agreement or secondment.

Chapter 1 – Definitions

1. Definitions

Term

Description

Data subject/ Subject Access applicant

The identified or identifiable living individual to whom personal data relates.

Information

Data in both electronic and hard copy format.

Personal data

Any information relating to an identified or identifiable living individual.

Special category data

Race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for identification purposes); health; sex life; or sexual orientation.

Processing information

Any operation or set of operations which is performed on information such as:

  • collection, recording, organization, structuring or storage;
  • adaptation or alteration;
  • retrieval, consultation or use;
  • disclosure by transmission, dissemination or otherwise making available;
  • alignment or combination; or
  • restriction, erasure or destruction.

Chapter 2 – Roles & Responsibilities

2. Data Protection Officer

The Data Protection Officer is responsible for ensuring the Data Controller (Chief Constable) is registered with the Information Commissioner for all processing of personal data by Humberside Police and ensuring processing is fully compliant with the requirements of the DPA 2018 and UK GDPR.

3. Data Controller

The Data Controller (Chief Constable) has the right to refuse or restrict access to information where disclosure may have a prejudicial effect on the following policing purposes:

  1. the prevention and detection of crime, or
  2. the apprehension or prosecution of offenders;

or where there would be a detrimental effect on public or national security or the rights and freedom of others.

4. Subject Rights Manager

The Subject Rights Manager is responsible for ensuring Subject Access Requests are processed in accordance with Data Protection legislation and Humberside Police policy and guidelines.

5. Command Leads and Departmental Heads

Command Leads and Heads of Branch are responsible for the security and management of all information processes within their jurisdiction and will implement and administer the requirements of this policy.

6. Line Managers

Line Managers are responsible for ensuring compliance with the policy by the regular monitoring of their staff and information processes.

7. Personnel

All personnel have a responsibility to comply with the policy and are an integral part of providing a timely service to the public, ensuring Subject Access Requests are processed within the legislative timeframes.

Personnel must highlight to management/Information Governance Unit any relevant issues, improper practices, information breaches or misuse/inappropriate disclosure of personal information.

Chapter 3 – Subject Access Processing

Subject Access Requests

  • All personnel should be able to recognise a request for Subject Access as these can be made to any member of Humberside Police.
  • A request can be made in verbal or written format, including (but not limited to) via social media, telephone calls, face to face or tagged on as part of a conversation/interview when dealing with individuals.
  • When passed to the Information Governance Unit by any member of staff or officer, all requests will be logged and any actions taken or comments made will be recorded on the case management system to provide an auditable process record. The case management system is programmed to identify the 28 day timescales and marked with the relevant due date. Any amendments or delays will be recorded on the system.
  • Subject Access applicants can complete a DPA Subject Access Request form, however, the completion of these forms cannot be enforced. Personnel collating details from a verbal request may complete the form using the details provided from the individual, providing guidance as to what information is required (name, address, date of birth and information requested). Applicants can also complete the form via the Humberside Police external website (Ask for, delete or change information | Humberside Police).
  • Children have the same rights as adults regarding subject access as long as they are competent to exercise these rights. Where a child is not considered to be ‘competent’, an adult with parental responsibility may exercise the child’s data protection rights on their behalf.
  • The parent/guardian must provide proof of parental responsibility and valid identification for themselves. Identification and parental responsibility must be validated on all occasions before disclosure of any information. 

4. Third party subject access Requests

  • Requests may be made via a third party such as a solicitor or family member where there may be legal action involved or the person does not feel capable of dealing with the request on their own.
  • Applications should be recorded and progressed in the same manner; however, confirmation the third party has the legal authority to act on behalf of the data subject or written authority from the data subject must be evidenced and checked.
  • Identification of both the third party and the data subject will be required for verification prior to disclosure. Acceptable forms of identity documents are listed in this policy. 

5. Enforced Subject Access Requests

  • Enforced subject access will typically occur where a person wishes to see another individual’s criminal record but chooses not to use the established legal system. This often occurs when an employer or organisation requires individuals to obtain their criminal convictions (or evidence that there is nothing held) as part of recruitment or continuing employment processes.
  • It is an offence under Section 184 of the Data Protection Act 2018 for a Person A to require Person B to provide or give access to Person B's personal data in connection with:
    1. the recruitment of an employee by Person A,
    2. the continued employment of Person B by Person A, or
    3. a contract for the provision of services to Person A.
  • Where a Subject Access Request is made and the applicant clearly states that the information is for employment purposes, the request will be rejected, and the data subject redirected to the appropriate agency.

5. Identification

  • The Chief Constable has the right to ask the data subject to provide documentation to verify their identity.
  • Subject Access applicants must provide two forms of identification to confirm their identity: these must verify name, address and date of birth. If the request is for video or photographic records, the applicant must provide a form of valid photographic identification to confirm appearance.

Proof of Identification Examples

Birth / Adoption Certificate

Utility Bill

Marriage Licence

Telephone/Mobile Statement

Driving Licence

Bank Statement

Medical Card

Credit/Debit Card Statement

Passport

Council Tax Bill

Pension Book / Statement

Rent Book

Insurance Certificate (not schedule)

Hire Purchase Agreement

 

Photographic Proof Identification Examples

Passport

Photo Driving Licence

Bus Passes/Membership Cards (an additional proof of identity will also be required)

Identity Cards
  • The identity of the data subject must be validated on all occasions before the disclosure of any information is made to them.
  • Third party requesters will be required to provide both their identification and the data subject’s identification before any disclosure is made.

6. Timescales

  • Personnel must record the date the request was received and forward to the Information Governance Unit as soon as possible. Legislation states that all requests must be processed within one month (28 calendar days) from receipt as per Article 12 s(3)(1).
  • The 28 day ‘clock’ will not start until all information required to process the request has been received. This includes clarification of the request and the verification of the identification of the applicant.
  • Where further information or identification documents are required, the Information Governance Unit will notify the applicant in writing. The 28 day ‘clock’ will be suspended until the information is received.
  • If the further information or clarification is not received within 28 days of being requested, the request will be closed and the applicant informed in writing. The request can be reopened upon receipt of the requested information from the data subject.
  • Where a request is overly complex or involves a large number of records to be reviewed, the deadline for processing may be extended by up to two months (56 calendar days) in line with Article 12 s(3)(2). Data subjects will be notified in writing within the initial 28 calendar day timeframe.
  • Data subjects will be notified in writing of any delays that may impact on the ability to adhere to timescales which are stipulated (28 days and 56 days). Updates will be provided to data subjects in writing to inform them of progress.

7. Consent for Information Release to Third Parties

  • An individual can ask for information disclosure to be made to a third parting acting on their behalf (e.g. solicitor) but must meet the following definition of consent:
  • Any freely given, specific informed and unambiguous indication of the data subject’s wishes by which he or she by statement or by a clear affirmative action, dignifies agreement to the processing of personal data relating to him or her.
  • The data subject must provide explicit and specific consent at the time of making their request.

8. Request Details and Information Sourcing

  • The data subject should identify the information they require access to by providing a description. If the request is too broad, the Information Governance Unit will request further details in line with Recital 63 UK GDPR:
  • Where a controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.
  • The 28 day ‘clock’ will not start until all information required to process the request has been received.
  • All validated requests will be acknowledged by the Information Governance Unit in writing. All details will be held for the purposes of facilitating disclosure in line with the data subject’s Right of Access.
  • Information to respond to the request will be collated from Humberside Police systems, departments and Officers as required by the Information Governance Unit.

 All information requested must be disclosed to the Information Governance Unit. The information will then be considered for disclosure or exemption. No information should be withheld.

9. Disclosure

  • The data subject is only entitled to their own personal information held by the Data Controller. Information Governance will remove any information which relates to a third party, is tactically sensitive or falls within an exemption under the legislation.
  • Information will be redacted in line with the Redaction Policy. Third party data will be removed unless it is reasonable to disclose.
  • The considerations when deciding whether it would be ‘reasonable in all circumstances’ to disclose third party information are:
  1. any duty of confidentiality owed to the other individual;
  2. any steps taken by the data controller with a view to seeking the consent of the other individual
  • The considerations when deciding whether it would be ‘reasonable in all circumstances’ to disclose third party information are:
  1. whether the other individual is capable of giving consent; or
  2. any express refusal of consent by the other individual.
  • Redaction will be applied using electronic redaction software and be represented by a black panel over the removed information. Redactions will be burned into the document to ensure that any electronically disclosed material cannot be un-redacted by the recipient.
  • Redacted material will be marked with a ‘stamp’ informing the applicant as to the reason the material has been removed – ‘DPA third party rules apply' and 'DPA not personal to the subject'. All redactions will be quality checked by a second member of the Information Governance Unit prior to release to the applicant.
  • Reconstitution of redacted material in order to identify a third party is an offence under Section 171 of the Data Protection Act 2018.
  • Data subject responses can be provided in hard copy or electronic format. Hard copy disclosures should be sent via special delivery to ensure safe receipt of the requested delivery or alternatively should be made available for collection from a specified staffed Police Station.
  • Electronic disclosures may be emailed to an email address as specified by the data subject. All disclosures are sent via secure email or through the post depending on the requester’s preferred mode of receiving the information. On some occasions disclosures are assessed to determine if the document should be password protected to protect the data subject against unauthorised access their disclosure. Discs containing body worn video footage are always password protected.
  • All information for disclosure is recorded as received/collated on the case management system. Copies of all information sent to the applicant, including correspondence, is stored for audit purposes.

10. Unreasonable, Excessive or Unfounded Requests

  • If the request is deemed ‘manifestly unreasonable, excessive or unfounded’, the Chief Constable has the right to:
  • Charge a reasonable fee taking into account the administrative costs of providing the information; or refuse to respond.
  • This is in line with the limits specified by Part 2, Chapter 2 s(12)(1) and subject to Part 3, Chapter 3 s(53)(1).
  • ‘Excessive Request’ can refer to those which would involve a disproportionate effort to provide a response.
  • ‘Unfounded requests’ are those which are clearly without basis or where the requester is malicious in intent and/or is using the request to harass an organisation with no real purpose other than to cause disruption.
  • In the event a request is refused, the data subject will be informed in writing within 28 days of receipt of the request and provided details on their right of appeal. All actions/correspondence regarding the refusal will be recorded on the case management system.

11. Fees

  • Information will be provided free of charge to any individual making a Subject Access Request unless: The request is manifestly unreasonable, excessive or unfounded, or the request asks for a further copy of information which has already been disclosed.
  • Considerations for the charging of fees will be assessed in line with the limits specified by Part 2, Chapter 2 s(12)(1) and subject to Part 3, Chapter 3 s(53)(1).
  • In the event a fee is deemed to be chargeable, the data subject will be advised in writing by the Information Governance Unit within 28 days of receipt of the request. The request will not be progressed until such time as the required fee is received by Humberside Police.
  • A repeated request made by the same applicant for the same information within a 56 day period may also attract an administration fee.

Chapter 4 - Conviction Information – Police National Computer

11. ACRO/PNC

  • Requests for copies of conviction records or copies of any information held on the Police National Computer (PNC) are dealt with by ACRO (ACPO Criminal Records Office). Humberside Police does not provide this information.
  • Requests for information from PNC will be rejected and the applicant advised to redirect their request to ACRO.

Chapter 5 – Other Means of Disclosure

12. Disclosure and Baring Service

  • The Disclosure and Baring Services helps employers make safer recruitment decisions, preventing unsuitable people from working with vulnerable people including children.

  • They provide three different checks, Basic, Standard and Enhanced. These are normally requested on an individual’s behalf by a Responsible Organisation or Registered Body.

13. Victim Updates

  • Victim updates in relation to on-going criminal investigations should be facilitated in line with the Victims Code of Practice.

14. Custody Records and Interview Recordings

  • Requests for copies of custody records and interview recordings under PACE must be facilitated as per usual practice.

15. Calls for Log Numbers

  • Incident or crime numbers can be provided if the member of staff is satisfied that the applicant is entitled to the information. Verification may be done through confirming basic details such as those recorded on the incident.

Chapter 6 – Complaints & Appeals

16. Complaints

  • If the data subject has concerns over the response, the initial complaint should be made to the Information Governance Unit to request an internal review of the original request.
  • Information Governance will review the original request and subsequent response by an independent Subject Rights Officer to review whether procedures were followed appropriately and whether there should be any further disclosure to the requester.
  • A response will be sent to the data subject confirming the actions taken and the outcome including any changes (if any).

17. Appeals

  • If the data subject still has concerns over the reviewed response, the individual has a right to make a complaint to the Information Commissioner’s Office (ICO). The applicant will be informed of the ICO contact details for the ability to appeal in the response.