Disclosure of communications data and subject access paras 7.3 to 7.10
Disclosure of communications data and subject access rights
7.3 This section of the Code provides guidance on the relationship between disclosure of communications data under the Act and the provisions for subject access requests under the DPA, and the balance between CSPs obligations to comply with a notice to disclose data and individuals’ right of access under section 7 of the DPA to personal data held about them.
7.4 There is no provision in the Act preventing CSPs from informing individuals about whom they have been required by notice to disclose communications data in response to a Subject Access Request made under section 7 of the DPA. However a CSP may exercise certain exemptions to the right of subject access under Part IV of the DPA.
7.5 Section 28 provides that data are always exempt from section 7 where such an exemption is required for the purposes of safeguarding national security.
7.6 Section 29 provides that personal data processed for the purposes of the prevention and detection of crime; the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty or other imposition of a similar nature are exempt from section 7 to the extent to which the application of the provisions for rights of data subjects would be likely to prejudice any of those matters.
7.7 The exercise of the exemption to subject access rights possible under section 29 does not automatically apply to notices given under the Act. In the event that a CSP receives a subject access request where the fact of a disclosure under the Act might itself be disclosed the CSP concerned must carefully consider whether in the particular case disclosure of the fact of the notice would be likely to prejudice the prevention or detection of crime.
7.8 Where a CSP is uncertain whether disclosure of the fact of a notice would be likely to prejudice an investigation or operation, it should approach the SPoC of the public authority which gave the notice – and do so in good time to respond to the subject access request. The SPoC can make enquiries within the public authority to determine whether disclosure of the fact of the notice would likely be prejudicial to the matters in section 29.
-  The SPoC must provide a response which will enable the CSP to comply with its obligations to respond to the subject access request within 40 days.
7.9 Where a CSP withholds a piece of information in reliance on the exemption in section 28 or 29 of the DPA, it is not obliged to inform an individual that any information has been withheld. It can simply leave out that piece of information and make no reference to it when responding to the individual who has made the subject access request.
7.10 CSPs should keep a record of the steps they have taken in determining whether disclosure of the fact of a notice would prejudice the apprehension or detection of offenders. This might be useful in the event of the data controller having to respond to enquiries made subsequently by the Information Commissioner, the courts and, in the event of prejudice, the police.