Anonymising Criminal-Records DSAR Responses – UK GDPR-compliant anonymisation per DPA 2018
A data subject access request (DSAR) made to a law-enforcement authority under DPA 2018 Part 3 may yield police records, custody records, intelligence logs, and criminal history data that together constitute the subject's full criminal-records profile. anonym.legal pseudonymises third-party personal data within the DSAR response before the response is shared with the data subject's legal adviser, satisfying third-party redaction obligations without losing substantive content relevant to the data subject.
When this applies
This task applies when a DSAR response received from a law-enforcement authority under DPA 2018 Part 3 is reviewed by a solicitor acting for the data subject, and the response contains third-party personal data that must be redacted before the full response can be shared with the client.
How anonym.legal handles it
- Upload the DSAR response package (all documents disclosed by the law-enforcement authority).
- The engine distinguishes the data subject's own identifiers from third-party personal data appearing in the disclosed records.
- Third-party personal identifiers — named officers, co-suspects, informants, or witnesses — are pseudonymised; the data subject's own data is preserved as the subject of the DSAR.
- The substantive content of each record — dates, events, and disposal outcomes — is preserved in clear text.
- A reversible mapping table covering third-party identifiers is produced with UK data residency.
- The pseudonymised response is provided to the data subject or their legal adviser; the mapping table is retained by the controller for regulatory purposes.
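The pseudonymise-and-map step described above, as an added Python example (not anonym.legal's code). The reviewed third-party list, role labels, pseudonym format and sample records are assumptions constructed for illustration.

```python
import re

# Constructed sample data: every name, number and record below is invented.
DATA_SUBJECT = "Daniel Reed"
THIRD_PARTIES = [  # assumed to come from a human-reviewed entity list
    {"role": "OFFICER", "aliases": ["PC 4471 Hale", "PC Hale"]},
    {"role": "WITNESS", "aliases": ["Sarah Reed", "Ms Reed"]},
    {"role": "COSUSPECT", "aliases": ["Liam Okoro", "Okoro"]},
]
DOCS = [
    "Custody record 12/03/2021: Daniel Reed arrested by PC 4471 Hale with Liam Okoro.",
    "Statement: Sarah Reed saw Okoro leave. Ms Reed did not see Daniel Reed. Disposal: NFA.",
]

def build_mapping(third_parties):
    """Return {pseudonym: entity}; one stable pseudonym per third party."""
    counters, mapping = {}, {}
    for ent in third_parties:
        n = counters[ent["role"]] = counters.get(ent["role"], 0) + 1
        mapping[f"[{ent['role']}-{n}]"] = ent
    return mapping

def pseudonymise(docs, mapping, data_subject):
    """Replace third-party aliases; keep the data subject's name in clear."""
    lookup = {a.lower(): p for p, e in mapping.items() for a in e["aliases"]}
    for alias in lookup:
        # An alias that matches inside the subject's name would corrupt their own data.
        if re.search(rf"\b{re.escape(alias)}\b", data_subject, re.I):
            raise ValueError(f"alias {alias!r} collides with the data subject")
    # Longest alias first so "PC 4471 Hale" is tried before shorter forms.
    alts = sorted(lookup, key=len, reverse=True)
    pattern = re.compile(r"\b(?:" + "|".join(map(re.escape, alts)) + r")\b", re.I)
    return [pattern.sub(lambda m: lookup[m.group(0).lower()], d) for d in docs]

def residual_leaks(docs, mapping):
    """Aliases still present after processing; must be empty before release."""
    return [a for e in mapping.values() for a in e["aliases"]
            if any(a.lower() in d.lower() for d in docs)]

def reidentify(text, mapping):
    """Controller-side reversal with the retained mapping table."""
    for pseudonym, ent in mapping.items():
        text = text.replace(pseudonym, ent["aliases"][0])
    return text

if __name__ == "__main__":
    table = build_mapping(THIRD_PARTIES)
    shared = pseudonymise(DOCS, table, DATA_SUBJECT)
    assert not residual_leaks(shared, table)
    print("\n".join(shared))
```

The dictionary returned by `build_mapping` is the re-identification key, so it is stored apart from the shared documents. Re-identification restores each third party's first listed alias, not the exact wording of the original record.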
What you provide
- DSAR response package (all disclosed documents)
- Controller's covering letter or schedule of disclosed records
- Any third-party redaction schedule already applied by the disclosing authority
Limitations & cautions
- DPA 2018 Part 3 allows law-enforcement controllers to withhold third-party data on specified grounds; the tool pseudonymises third-party data rather than redacting it, which is a distinct approach — confirm the appropriate standard with specialist data-protection counsel.
- Intelligence records may contain third-party data whose pseudonymisation itself could be operationally sensitive — consult the disclosing authority's data-protection officer before sharing even pseudonymised intelligence content.
FAQ
Does DPA 2018 Part 3 give individuals the right to access their criminal records held by police?
DPA 2018 Part 3 provides a right of access to personal data processed by competent authorities for law-enforcement purposes, subject to exemptions. The scope of any particular DSAR response depends on the exemptions applied by the disclosing authority.
Can a solicitor share the full DSAR response with their client before third-party data is redacted?
Sharing third-party personal data from a DSAR response with the data subject may breach UK GDPR obligations to third parties. Pseudonymising or redacting third-party identifiers before sharing is standard practice — this workflow automates the pseudonymisation step.
Is the pseudonymisation of third-party data in a DSAR response reversible?
Yes. The mapping table allows full re-identification of third-party pseudonyms if required for regulatory purposes or legal proceedings. Access to the mapping table should be strictly controlled.