ICO tells MPS to comply with GDPR by September
The Metropolitan Police Service (MPS) has been issued with two enforcement notices after it failed to sufficiently address failings in its response to subject access requests (SARs).
The Information Commissioner issued the first notice last week after it emerged the MPS is still unable to deal with all the SARs submitted to the force before the General Data Protection Regulation (GDPR) came into force in May 2018.
The second notice refers to the surge in demand for access to information since then.
The Information Commissioner’s Office (ICO) said: “As people become more aware of their information rights, we recognise there has been a significant rise in SARs across all sectors, including to police forces and other law enforcement agencies. And we are also aware of the administrative impact of the increased workload on police forces in responding to these requests. But this should not come at a cost to people’s data rights.”
The ICO has been working with the MPS to address its large SARs backlog. However, in a recent report the MPS indicated it had more than 1,100 open requests – with nearly 680 over three months old.
“This is a cause for concern,” the ICO added. “In short, the MPS has failed in its data protection obligations by not responding to SARs within a calendar month.”
The notices order the MPS to respond to all requests by September 2019. Failing to comply is a criminal offence.
The MPS said it has implemented an action plan to address the failings and is providing the ICO with a fortnightly update.
Darren Curtis, MPS Head of Information Law and Security, said: “We are taking the enforcement notices very seriously and regret failing to meet our obligations as we know it is frustrating for those requesting information from us which they have a right to access.”
Demand on the MPS has increased considerably over the years, particularly since the GDPR came into force, and it currently receives on average 500 requests a month.
With each case potentially requiring collating, examining and, as appropriate, redacting information before it is released, sometimes involving thousands of documents, there has been an impact on how quickly requests are dealt with.
“We have already taken action to improve processes, including bringing in more staff to assist,” Mr Curtis said. “This has helped us make good progress in reducing the oldest cases and managing more demand.
“In the longer-term we plan to invest in a new data office, which will help us deliver further improvements.”
The ICO has requested the MPS make changes to its internal systems, procedures or policies, so that people are kept up to date on any delays that may affect their data protection rights and how the situation is being addressed.
In a blog post on its website, the ICO said: “The MPS has reported to us that they have a recovery plan in place, with senior officers committed to addressing the backlog over the next four months.
“Ultimately, the public must be able to trust that police forces are upholding their information rights, and this case is a reminder to other police forces that we will take action against those organisations that do not comply with their SAR obligations.”
The ICO issued the following advice and proposed a series of practical steps police forces should take to respond to SARs as set out in legislation:
- There is no requirement for a request to be in writing, so it is good practice for police forces to have a policy for recording details of all the requests received, including verbal requests;
- Requests can be responded to electronically (as long as it is secure) and paper copies can be provided only if you are asked to do so and it is reasonable;
- Requests need to be replied to within one calendar month. For practical purposes, we recommend that police forces adopt a 28-day period to ensure they respond to requests within the time limit;
- Police forces can ask for further information to establish the identity of a requester, particularly where sensitive data is involved. Such requests should be reasonable and proportionate. The calendar month time limit will start once you have received the necessary information;
- Although police forces must consider every request, you may limit the amount of information provided if, for example, it would prejudice an investigation or legal inquiry; and
- Police forces should make the public aware of any delays that may affect their requests. They also need to explain how the situation is being addressed.