Posted on June 25, 2019 by staff

Police failing data protection obligations says ICO


The Metropolitan Police Service has failed its duty of data protection obligations, the ICO has warned.

It reports that the Metropolitan Police Service (MPS) is not processing requests for personal data fast enough.

Anyone in the UK now has the legal right to find out what information is held about them by organisations under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA2018).

This includes the police force and other law enforcement agencies, though police forces are allowed to limit the amount of information provided if, for example, it would prejudice an investigation or legal inquiry.

Anyone can ask for a copy free of charge for the police within one calendar month, which is known as a subject access request (SAR).

The ICO has been working with the MPS to address a backlog of subject access requests it has received.

“[I]n a recent report to us the MPS indicated it had more than 1,100 open requests – with nearly 680 over three months old, this is a cause for concern,” wrote Suzanne Gordon, Director of Data Protection Complaints and Compliance for the ICO.

“In short, the MPS has failed in its data protection obligations by not responding to SARs [subject access requests] within a calendar month.”

The ICO has handed out two enforcement notices ordering the MPS to respond to all requests by September 2019.

The MPS has reported to the ICO that they have a recovery plan in place, with senior officers committed to addressing the backlog over the next four months.

“Ultimately, the public must be able to trust that police forces are upholding their information rights, and this case is a reminder to other police forces that we will take action against those organisations that do not comply with their SAR obligations,” Gordon continued.