Info Gov

The Information Commissioner's Office has updated its detailed guidance on the right of access under part 3 of the Data Protection Act 2018, incorporating the changes made by the Data (Use and Access) Act 2025 to how competent authorities handle subject access requests for law enforcement processing.

The guidance, first published in February 2023 and revised on 7 July, is aimed at competent authorities processing personal information for the law enforcement purposes, in particular data protection officers and those with specific data protection responsibilities in a law enforcement context.

The most significant change for competent authorities is the ability to extend the response deadline. The guidance now states that the one-month time limit can be extended by up to a further two months where a request is complex or where the authority has received a number of requests from the same person, including other rights requests made at the same time. Part 3 previously provided a flat one-month applicable time period with no complexity extension, a flexibility that existed only under the UK GDPR. Any extension must be calculated from the original start date, and the requester must be told within one month of the request and given reasons.

The guidance lists factors that may make a part 3 request complex, including requests spanning information processed under both part 3 and the UK GDPR, the need to consult another organisation before disclosure, technical difficulties retrieving information, the application of restrictions involving large volumes of particularly sensitive information, and searches of large volumes of unstructured manual records. A request is not complex solely because it involves a large amount of information, nor because the authority relies on or must consult a processor.

The revised text also sets out the statutory "stop the clock" mechanism introduced by the DUAA. Where clarification is reasonably required to identify the personal information or processing activity a request relates to, the time limit is paused on the day clarification is requested and resumes the day after it is received. The guidance warns that clarification should not be sought on a blanket basis, that the clock only stops for clarification about the information requested rather than other matters such as the format of the response, and that authorities should request clarification as soon as possible, with a worked example of an organisation missing its deadline after leaving the request too late. Where a person does not respond, authorities should generally wait one month before treating the request as closed.

Authorities are not required to seek clarification and may instead choose to perform a reasonable and proportionate search, the standard the DUAA placed on a statutory footing after previously operating through ICO guidance and case law.

The update adds new law enforcement worked examples, including a mixed part 3 and UK GDPR request to the Land Registry, a subject access request from a member of police staff subject to both disciplinary action and a criminal investigation, and a Prison Service scenario illustrating that clarifying the format of a response does not pause the clock. The guidance has also been rewritten to reflect the ICO's style guide, with "part 3" now lower case and "personal information" used in place of "personal data".

The updated guidance is available on the ICO website: https://ico.org.uk/for-organisations/law-enforcement/the-right-of-access-part-3-of-the-dpa-2018/

Also in this section

Jul 07, 2026

Section 166 application dismissed after ICO opens fresh investigations into school, council and diocese data sharing

The First-tier Tribunal (General Regulatory Chamber) has dismissed an application under section 166(2) of the Data Protection Act 2018 against the Information Commissioner, despite finding that the regulator's original response to a school employee's data sharing complaint was not an outcome to the Applicant's complaints, because a series of further investigations and outcome letters issued after…
Jun 24, 2026

ICO EdTech audit finds widespread compliance failures in children's data handling

A programme of consensual audits carried out by the Information Commissioner's Office has identified systemic data protection failings across the UK education technology sector, with nearly 70 per cent of providers found to be acting as controllers over children's personal data without recognising or fulfilling that role.

InfoGov Masthead Newsletter 800