The Information Commissioner's Office has issued two enforcement notices to the Metropolitan Police Service after the regulator learned that a backlog of over 1,700 requests for copies of data from UK citizens had been left unanswered.
The subject access requests, which are a legal right under UK and EU data protection regulations, allow individuals to request access to their data and receive it within one month. However, it has emerged that as many as 1,169 requests to the police service are now beyond the statutory response deadline. What's more, a further 689 requests are said to be more than three months old.
Two enforcement notices have been required in this instance, according to the ICO, one covering both the Data Protection Act 2018 (and by extension GDPR) and another covering the older Data Protection Act 1998, as some of the requests were made prior to 25 May 2018.
The backlog has been described as a "cause for concern" by the UK data watchdog, and "evidence of a systemic failure to respond to subject access requests". The ICO added that the Met Police has ultimately "failed in its data protection obligations".
It has now ordered the Met Police to respond to all SARs and clear its backlog by September 2019. Otherwise, it could face further sanctions, including a GDPR-scale financial penalty of 20 million.
It has also been ordered to make changes to its internal systems and policies to ensure that data subjects are kept up to date on any delays to their SAR, and to provide information on how the backlog is being addressed.
The ICO acknowledges that the introduction of the General Data Protection Regulation (GDPR) in May 2018 brought with it an "unprecedented rise in demand" by the public for access to data, placing strain on public services and organisations to respond in a timely manner.
Data released in May found that the majority of organisations had experienced a rise in SARs, the majority of which were from their own employees.
However, the ICO said that because of the "fluctuating backlog" of requests, and because of a number of meetings and correspondence with the Met Police that ultimately proved to be "ineffective", the ICO has decided that enforcement action is required to "encourage compliance".
The Met Police confirmed to the ICO that it has a recovery plan in place and that senior officers are committed to handling the backlog over the next few months.
A failure to respond to a subject access request is considered a serious matter by the ICO, as it not only prevents a data subject from understanding how their data is being processed by an organisation, but it also prevents them from exercising additional rights based on that information.
The ICO has encouraged all organisations to review their processes for handling SARs, and ensure they are able to respond within the statutory time limit.
Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.