DPA 2018: Common Scenarios
Practical guidance for applying the DPA 2018 to real-world situations.
Scenario 1: Which Law Applies — Police or Business?
Question: We’re a business receiving a police data request. Which law applies to us?
Answer:
- Your processing: UK GDPR + DPA 2018 Part 2 (you are a business doing general processing)
- Police processing: DPA 2018 Part 3 (they are a competent authority processing for law enforcement purposes)
Your disclosure to the police is your own processing and needs a UK GDPR Article 6 lawful basis. Art 6(1)(c) (legal obligation) applies where a statute, warrant or court order requires you to hand the data over; otherwise a business will usually rely on Art 6(1)(f) (legitimate interests), because Art 6(1)(e) (public task) is for controllers exercising official authority, which a private business normally is not. Where telling the data subject about the disclosure, or the purpose-limitation principle, would be likely to prejudice the prevention or detection of crime, Schedule 2, Para 2 lifts those provisions to the extent of the prejudice. Once received, the data is processed by the police under Part 3; their lawful basis under s.35 is their responsibility, not yours.
Practical checks: get the request in writing, identifying the law enforcement purpose and the specific data sought; disclose only what is necessary for that purpose; and keep a record of what was shared, to whom and why.
Citation: Part 2, Part 3; Schedule 2, Para 2
Scenario 2: Crime Prevention Exemption
Question: A customer makes a subject access request. We suspect they’re committing fraud. Can we withhold information?
Answer: Possibly. Schedule 2, Para 2 (crime and taxation) disapplies the listed UK GDPR provisions, including the right of access, to the extent that applying them would be likely to prejudice:
- Prevention or detection of crime
- Apprehension or prosecution of offenders
- Assessment or collection of a tax or duty
Requirements:
- The prejudice must be real and assessed on the facts of this request, not a theoretical possibility
- The exemption applies only to the extent of the prejudice, so disclose everything else (redact only the prejudicial parts)
- Document your reasoning at the time, since the ICO or a court may later ask you to justify it
- If telling the requester that you have withheld material would itself tip them off, you are not required to say that the exemption has been applied
Citation: Schedule 2, Para 2
Citation: Schedule 2, Para 2
Scenario 3: Employee References
Question: A former employee requests access to the reference we provided to their new employer. Must we provide it?
Answer: No. A reference given (or to be given) in confidence for the purposes of education, training or employment is exempt from the right of access under Schedule 2, Para 24.
However: Unlike the DPA 1998, the DPA 2018 exemption is not limited to the organisation that gave the reference. The recipient (the new employer) can rely on it too, so the former employee will not normally obtain the reference by making a SAR to either party. The exemption covers only references given in confidence; an open reference, or one the referee has indicated may be shared, is disclosable in the usual way.
Citation: Schedule 2, Para 24
Scenario 4: Journalist Exemption
Question: We’re a newspaper. Do data subject rights apply to our journalism?
Answer: Limited application. Schedule 2, Para 26 (the special purposes: journalism, academic, artistic and literary purposes) provides a broad exemption where:
- Processing is carried out with a view to publication of journalistic, academic, artistic or literary material
- You reasonably believe that publication would be in the public interest (taking into account the special importance of freedom of expression and having regard to the relevant codes of practice, such as the Editors' Code of Practice, the Ofcom Broadcasting Code or the BBC Editorial Guidelines)
- Compliance with the provision in question would be incompatible with the special purposes
The exemption applies only to the extent that these conditions are met, and must be assessed provision by provision. It can exempt you from the right of access and other data subject rights, most of the data protection principles, and the rules on automated decision-making.
Citation: Schedule 2, Para 26
Scenario 5: Employee Caught Stealing Data
Question: An employee downloaded customer data to their personal email before resigning. Is this criminal?
Answer: Yes, on these facts. Under s.170 it is an offence knowingly or recklessly to obtain or disclose personal data without the consent of the controller, to procure its disclosure to another person, or, having obtained it, to retain it without the controller's consent. The employee:
- Obtained personal data (customer records)
- Without consent (the company did not authorise copies to a personal account)
- Knowingly (a deliberate action)
Caveat: s.170 provides defences, which the employee must prove: that the obtaining was necessary for preventing or detecting crime, required by law or a court order, or justified in the public interest (for example, a genuine whistleblowing disclosure), or that they reasonably believed they had a legal right or that the controller would have consented. Copying a customer list before leaving for a competitor will not normally satisfy any of these.
Penalty: A fine only (unlimited in England and Wales); there is no custodial sentence under the DPA 2018. Report to the ICO, who may prosecute.
For you as the controller, this is also a personal data breach: assess it under UK GDPR Art 33 and notify the ICO within 72 hours if it is likely to result in a risk to the affected customers, and preserve the evidence (mail logs, download records) rather than altering it.
Citation: s.170
Scenario 6: Data Scientist Re-identifies Anonymous Data
Question: Our data scientist successfully re-identified individuals from an “anonymous” public dataset. Is this illegal?
Answer: Potentially. Under s.171 it is an offence knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying it. Knowingly processing the re-identified data afterwards is a separate offence under s.171(5). Defences, which the person charged must prove, include:
- They reasonably believed they had the consent of the controller, or that the controller would have consented had it known about the re-identification and its circumstances
- The effectiveness testing conditions were met: they acted with a view to testing the effectiveness of the de-identification, without intending to cause damage or distress, in the reasonable belief that re-identification was justified in the public interest, and they notified the ICO or the responsible controller without undue delay (and, where feasible, within 72 hours of becoming aware of it)
- The re-identification was necessary for preventing or detecting crime, was required by law or a court order, or was otherwise justified in the public interest
If the data scientist did this as research to demonstrate the weakness, the effectiveness testing defence may apply, but only if every element is met: in particular, the ICO or the data controller must be told promptly, and the re-identified data must not be used for anything else. Do this before, not after, any publication of the findings.
Citation: s.171
Scenario 7: Police Body-Worn Camera Footage
Question: What rules apply when police use body-worn cameras?
Answer: DPA 2018 Part 3 applies because:
- Police forces are competent authorities (listed in Schedule 7)
- Recording is for law enforcement purposes (s.31: prevention, investigation, detection or prosecution of criminal offences)
Key requirements:
- Processing must be based on law and either consensual or necessary for the law enforcement purpose (s.35)
- Body-worn footage routinely captures sensitive data (ethnic origin, health, biometric data), so the sensitive processing rules apply: the processing must be strictly necessary, a Schedule 8 condition must be met, and an appropriate policy document must be in place (s.35(4)-(5), s.42)
- Data minimisation: footage must be adequate, relevant and not excessive (s.37)
- Retention limited to what is necessary, with periodic review of the need for continued storage (s.39)
- Appropriate technical and organisational security measures (s.40), including access controls and an audit trail for who viewed or exported footage
Citation: Part 3, s.31, s.34-40, s.42; Schedules 7 and 8
Scenario 8: Refusing SAR During Investigation
Question: We’re under regulatory investigation. An employee makes a subject access request for all communications about them. Can we refuse?
Answer: Possibly partial refusal. Consider:
- Crime and taxation exemption (Para 2), if disclosure would be likely to prejudice the prevention or detection of crime; note that it does not cover a purely regulatory investigation with no criminal dimension
- Legal professional privilege (Para 19), for communications with your lawyers in connection with the investigation
- Management forecasts and planning (Para 22), for information processed for management planning where disclosure would prejudice the business
- Protection of the rights of others (Para 16), for passages that identify colleagues or witnesses, unless they consent or it is reasonable to disclose without consent
You likely cannot refuse entirely: each exemption applies only to the extent that its condition is met, so the rest of the communications must be disclosed, with exempt portions redacted. Document the reasoning for each redaction.
Citation: Schedule 2, Paras 2, 16, 19, 22
Scenario 9: Destroying Documents Before SAR Response
Question: We received a subject access request. Can we delete embarrassing emails before responding?
Answer: No, this is a criminal offence. Once a subject access request has been made, s.173 makes it an offence for the controller, or anyone employed by or acting under the direction of the controller, to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information the requester would have been entitled to receive. Routine, pre-scheduled deletion that would have happened regardless of the request is a defence, so suspend automatic purges for the records in scope as soon as a request arrives and record that you have done so.
Penalty: A fine (unlimited in England and Wales), on summary conviction.
Citation: s.173
Scenario 10: Health Data Exemption
Question: A patient requests their medical records. Can we withhold information about their mental health diagnosis?
Answer: Only if disclosure would be likely to cause serious harm. The health data provisions in Schedule 3, Part 2 (not Schedule 2) exempt data concerning health from the right of access to the extent that the serious harm test is met, that is, where giving access would be likely to cause serious harm to:
- The physical or mental health of the data subject, OR
- The physical or mental health of another individual
Requires case-by-case assessment, and a controller that is not a health professional must consult the appropriate health professional (normally the clinician responsible for the patient's care) before withholding on this ground. Simply being "upsetting" is not enough; the harm must be serious, and only the passages that meet the test may be withheld.
Citation: Schedule 3, Part 2 (health data; serious harm test)
Quick Reference Table
| Scenario | Exemption/Provision | Citation |
|---|---|---|
| Police data request | Part 3 for police; UK GDPR + Part 2 for the business | Parts 2-3; Sch 2, Para 2 |
| Crime prevention | Crime and taxation exemption | Sch 2, Para 2 |
| Employment references | Confidential references (giver and recipient) | Sch 2, Para 24 |
| Journalism | Special purposes exemption | Sch 2, Para 26 |
| Data theft by employee | Criminal offence: unlawful obtaining | s.170 |
| Re-identification | Criminal offence: re-identifying de-identified data | s.171 |
| Police body-worn cameras | Law enforcement processing | Part 3, s.34-40, s.42 |
| SAR during investigation | Crime/taxation, rights of others, legal privilege, management forecasts | Sch 2, Paras 2, 16, 19, 22 |
| Destroying SAR documents | Criminal offence: altering data to prevent disclosure | s.173 |
| Health data harm | Serious harm test | Sch 3, Part 2 |