Met police face enforcement order over data request handling

The ICO has given Met officials until September to implement appropriate measures

The Information Commissioner's Office has slapped the Metropolitan Police with two enforcement orders over its handling of data requests.

After launching an investigation, the ICO discovered a backlog of more than 1,100 open data requests from UK citizens. Describing this as a 'cause for concern', the ICO said nearly 680 of them were over three months old.

By UK and EU data protection law, subject matter requests are a fundamental right for citizens and must be answered within 30 days.

"In short, the MPS has failed in its data protection obligations by not responding to SARs within a calendar month and we have issued two enforcement notices ordering the MPS to respond to all requests by September 2019," explained Suzanne Gordon, director of data protection complaints and compliance.

In its enforcement orders, the ICO cites the Data Protection Act 2018 and the previous Data Protection Act 1998, due to the fact some of the requests were issued ahead of May 25th 2018 (the date that the GDPR came into effect).

The ICO has asked Met officials to overhaul its internal systems, procedures or policies so that 'people are kept up to date on any delays that may affect their data protection rights and how the situation is being addressed'.

"The MPS has reported to us that they have a recovery plan in place, with senior officers committed to addressing the backlog over the next four months," explained Gordon.

"Ultimately, the public must be able to trust that police forces are upholding their information rights, and this case is a reminder to other police forces that we will take action against those organisations that do not comply with their SAR obligations."

The data watchdog has outlined a number of practical steps that the police can implement to ensure SARs comply with current data protection laws.

Some of these include a policy for recording details of all the requests received; responding to requests electronically and providing paper copies if asked to do so; replying to requests within one calendar month and adopting a 28-day period; asking further information to establish a requestor's identity; and limiting the amount of information provided if it impacts an investigation.

If the Met fails to address this problem by September 2019, it could face further action and a potential fine of €20 million under the General Data Protection Regulation.