The institution must consider a number of steps if it chooses not to disclose the information to the individual concerned following a subject access request. You should ask why you would refuse the request. It is likely that data surrounding the police investigation of an individual held by an institution is in fact 'sensitive personal data'.
The institution has disclosed the personal data of the individual to the police claiming the exemption contained in s.29(3) Data Protection Act 1998. The institution considered that there was a substantial chance rather than a mere risk that the prevention or detection of a particular crime, or the apprehension or prosecution of particular offenders would be noticeably damaged if the data was not disclosed to the police.
It is possible that disclosure to the data subject could prejudice a criminal prosecution and it may be appropriate to consult with the police concerned to examine if that is a likely outcome of disclosing the data surrounding the original application by the police. So a decision must be made whether or not disclosing the data will prejudice a criminal investigation.
It is arguable that the information/documents provided by the police who enabled the institution to apply the s.29(3) exemption is just that. It is data which relates to the process that the institution goes through to determine whether or not to disclose the requested personal data. In that sense not all of it may be the personal data of the individual and therefore not accessible by subject access at all
Whether or not that is the case it is likely that in the event of criminal proceedings taking place that an order to deliver up such documentation could be made by the court and would then be made available to the data subject.
Legal Guidance provided by the Information Commissioner in terms of s.29 indicates that:
If challenged, the data controller must be prepared to defend the decision to rely upon the (s.29) exemption either to the Commissioner or to the Court. It would, therefore, be advisable for the data controller to ensure that each such decision is taken at an appropriately senior level within the data controllers organisation and for the reasons to be documented.
http://www.ico.gov.uk/
So if you are withholding the data from the data subject then the same tests must be met. You must be able to establish that there is a substantial chance rather than a mere risk that disclosure would prejudice a criminal prosecution.As these details are likely to be made available to the person concerned by the police