The Metropolitan Police Service have failed to respond to Subject Access Requests (SAR’s) for personal data quick enough, the ICO has revealed.
The Information Commissioner’s Office has issued two enforcement notices to the Met Police after the regulator learned that backlog of over 1,700 requests for copies of data from UK citizens had been left unanswered.
Anyone in the UK now has the legal right to find out what information is held about them by organisations under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA2018).
This includes the police force and other law enforcement agencies, though police forces can limit the amount of information provided if, for example, it would prejudice an investigation or legal inquiry.
You are now within your rights to ask for a copy free of charge for the police within one calendar month.
GDPR
Under the GDPR, SAR’s are a legal right and allow individuals to request access to their data and receive it within one month. However, it has emerged that as many as 1,169 requests to the police service are now beyond the statutory response deadline.
A further 689 requests are said to be more than three months old.
The ICO has criticised the backlog as a “cause for concern” by the UK data watchdog, and “evidence of a systemic failure to respond to subject access requests”.
And added that the Met Police has ultimately “failed in its data protection obligations“.
It has now ordered them to respond to all SARs and clear its backlog by September 2019, otherwise, it could face further sanctions, including a GDPR-scale financial penalty of €20 million.
The ICO has also told the Met Police to make changes to its internal systems and policies to ensure that data subjects are kept up to date on any delays to their SAR. They have also been told to provide information on how the backlog is being addressed.
Compliance
The data watchdog said that the implementation of GDPR has resulted in an “unprecedented rise in demand” by the public for access to data, placing strain on public services and organisations to respond in a timely manner.
However, the “fluctuating backlog” of requests, and because of several meetings and correspondence with the Met Police ultimately proved to be “ineffective“, they have decided that enforcement action is required to “encourage compliance“.
Recent data showed that most organisations had experienced a rise in SARs, the majority of which were from their own employees.
The ICO say that failure to respond to a SAR is considered a serious matter, because it not only prevents a data subject from understanding how their data is being processed by an organisation, but it also stops them from exercising additional rights based on that information.
The ICO has now encouraged all organisations to review their processes for handling SARs, and ensure they are able to respond within the statutory time limit.
In a recent blog, Suzanne Gordon, Director of Data Protection Complaints and Compliance for the ICO said: “[I]n a recent report to us the MPS indicated it had more than 1,100 open requests – with nearly 680 over three months old, this is a cause for concern,”
“In short, the MPS has failed in its data protection obligations by not responding to SARs [subject access requests] within a calendar month.”
The ICO has handed out two enforcement notices ordering the MPS to respond to all requests by September 2019.
Recovery plan
The MPS has since told the ICO that they have a recovery plan in place, with senior officers committed to addressing the backlog over the next four months.
“Ultimately, the public must be able to trust that police forces are upholding their information rights, and this case is a reminder to other police forces that we will take action against those organisations that do not comply with their SAR obligations,”
The ICO has handed out two enforcement notices ordering the MPS to respond to all requests by September 2019.
The MPS has since told the ICO that they have a recovery plan in place, with senior officers committed to addressing the backlog over the next four months.
“Ultimately, the public must be able to trust that police forces are upholding their information rights, and this case is a reminder to other police forces that we will take action against those organisations that do not comply with their SAR obligations,” Gordon continued.