Met police hit with enforcement notice over data request backlog

ICO says it has evidence of a 'systemic failure' to handle SARs from the public

Met Police

The Information Commissioner's Office has issued two enforcement notices to the Metropolitan Police Service after the regulator learned that backlog of over 1,700 requests for copies of data from UK citizens had been left unanswered.

The subject access requests, which are a legal right under UK and EU data protection regulations, allow individuals to request access to their data and receive it within one month. However, it has emerged that as many as 1,169 requests to the police service are now beyond the statutory response deadline. What's more, a further 689 requests are said to be more than three months old.

Two enforcement notices have been required in this instance, according to the ICO, one covering both the Data Protection Act 2018 (and by extension GDPR) and another covering the older Data Protection Act 1998, as some of the requests were made prior to 25 May 2018.

The backlog has been described as a "cause for concern" by the UK data watchdog, and "evidence of a systemic failure to respond to subject access requests". The ICO added that the Met Police has ultimately "failed in its data protection obligations".

Advertisement
Advertisement - Article continues below

It has now ordered the Met Police to respond to all SARs and clear its backlog by September 2019, otherwise, it could face further sanctions, including a GDPR-scale financial penalty of 20 million.

It has also been ordered to make changes to its internal systems and policies to ensure that data subjects are kept up to date on any delays to their SAR, and to provide information on how the backlog is being addressed.

The ICO acknowledges that the introduction of the General Data Protection Regulations (GDPR) in May 2018 brought with it an "unprecedented rise in demand" by the public for access to data, placing strain on public services and organisations to respond in a timely manner.

Data released in May found that the majority of organisations had experienced a rise in SARs, the majority of which were from their own employees.

However, the ICO said that because of the "fluctuating backlog" of requests, and because of a number of meetings and correspondence with the Met Police that ultimately proved to be "ineffective", the ICO has decided that enforcement action is required to "encourage compliance".

The Met Police confirmed to the ICO that it has a recovery plan in place and that senior officers are committed to handling the backlog over the next few months.

A failure to respond to a subject access request is considered a serious matter by the ICO, as it not only prevents a data subject from understanding how their data is being processed by an organisation, but it also prevents them from exercising additional rights based on that information.

The ICO has encouraged all organisations to review their processes for handling SARs, and ensure they are able to respond within the statutory time limit.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Most Popular

Visit/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using
identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019
Visit/business/business-strategy/354195/where-modernisation-and-sustainability-meet-a-tale-of-two
Sponsored

Where modernisation and sustainability meet: A tale of two benefits

25 Nov 2019