COVID-19 - Criminal justice at the coalface
The Information Commissioner’s Office (ICO) has recently issued new guidance on the application of the exemption relating to regulatory activity under section 31 of the Data Protection Act 1998 (DPA) which relates to an individual’s right to make a subject access request and an organisation’s obligation to provide a privacy notice when collecting personal data.
The guidance warns against blanket reliance upon the exemption without careful consideration of both the function being exercised and the extent to which disclosure would prejudice that function. With reference to the uncertain reference within the section to “relevant function”, the ICO has clarified that the exemption is available to functions of a public nature exercised by a variety of watchdogs whose regulatory role is recognised by both the general public and sector which they oversee. Finally, the ICO has clarified that where a regulator receives documents from another organisation, commonly the outcome of an investigation into a complaint, it is possible for both the regulator and the organisation from whom it received the material to rely upon section 31 so that the exemption is not circumvented by an individual simply making the same request of the originating organisation.
Given the common difficulties encountered in applying the terms of the DPA to real life situations encountered by organisations, the ICO’s guidance and the working examples provided are welcome. However, as emphasised in the guidance itself, it must be read within the context of the law itself.
Skip to content Home About Us Insights Services Contact Accessibility