The UK’s privacy watchdog has been forced to issue the Metropolitan Police (MPS) with two enforcement notices after it failed in its obligations under the GDPR and the previous data protection regime.
The Met has not been responding promptly to citizens’ subject access requests (SARs) within the required calendar month, according to Information Commissioner’s Office (ICO) director of data protection complaints and compliance, Suzanne Gordon.
In fact, the police force was found to have more than 1100 open requests, with almost 680 of them over three months old.
“As people become more aware of their information rights, we recognise there has been a significant rise in SARs across all sectors, including to police forces and other law enforcement agencies. And we are also aware of the administrative impact of the increased workload on police forces in responding to these requests. But this should not come at a cost to people’s data rights,” she explained.
“We have … asked the MPS to make changes to its internal systems, procedures or policies, so that people are kept up to date on any delays that may affect their data protection rights and how the situation is being addressed.”
The Met claims to have a recovery plan in place and assured the ICO that the backlog of open SARs would be cleared within four months.
Police forces should log all requests, verbal and in writing, and make the public aware of any potential delays, Gordon explained. However, the 28-day clock only starts once all necessary information has been collected to establish the identity of the requester.
The police can also limit the amount of information they provide if disclosure may prejudice an investigation or similar, she added.
The enforcement notices were served under the Data Protection Act 1998 and the Data Protection Act 2018, the latter of which is the UK’s version of the GDPR.