The UK's Information Commissioner's Office (ICO) has slammed the Metropolitan Police Service (MPS) over a backlog of information requests in which consumers are waiting far too long.
On Tuesday, Suzanne Gordon, ICO Director of Data Protection Complaints and Compliance, said in a blog post that while everyone in the United Kingdom has the legal right to ask organizations for a copy of the information held on them, known as a subject access request (SAR), the police force is falling short of dealing with requests in a reasonable amount of time.
The Met Police has a massive backlog of SARs, with over 1,100 open and active requests and close to 680 of these are over three months old.
The ICO says that the age of pending data requests is a "cause for concern."
"In short, the MPS has failed in its data protection obligations by not responding to SARs within a calendar month and we have issued two enforcement notices ordering the MPS to respond to all requests by September 2019," the watchdog says.
GDPR is the successor of the 1998 Data Protection Act. As former lackluster data protection controls have now been tightened up in a bid to control how much information about us is stored, used, and monetized by companies, the ICO says this has consequently resulted in an increased awareness relating to our data -- and so SARs requests have also risen in turn.
"We recognize there has been a significant rise in SARs across all sectors, including to police forces and other law enforcement agencies," Gordon says. "And we are also aware of the administrative impact of the increased workload on police forces in responding to these requests. But this should not come at a cost to people's data rights."
The ICO and MPS are working together to try and clear the backlog. In addition, the police force has been asked to refresh its internal systems & policies to address any delays in completing information requests.
"Ultimately, the public must be able to trust that police forces are upholding their information rights, and this case is a reminder to other police forces that we will take action against those organizations that do not comply with their SAR obligations," the ICO added.
If you want to find out what information a police department holds on you, you do not need to make a request in writing -- but it is always good practice to do so. As long as an information request is considered "reasonable" and "proportionate," you have to be responded to within a month.
There is a caveat, however. Data requests can be limited if releasing all of the information on file could potentially jeopardize an investigation or inquiry.
Update 14.45 BST: Darren Curtis, Head of Information Law and Security, told ZDNet:
"We are taking the enforcement notices very seriously and regret failing to meet our obligations as we know it is frustrating for those requesting information from us which they have a right to access.
We have already taken action to improve processes, including bringing in more staff to assist. This has helped us make good progress in reducing the oldest cases and managing more demand. In the longer-term we plan to invest in a new data office, which will help us deliver further improvements."
Previous and related coverage
- What is GDPR? Everything you need to know about the new general data protection regulations
- GDPR: How Europe's digital privacy rules have changed everything
- GDPR, USA? Microsoft says US should match the EU's digital privacy law
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0