ICO slams UK Met Police for failure to handle public data requests

Updated: With GDPR in full swing, the data watchdog wants to help consumers access the information the police have on them.
Written by Charlie Osborne, Contributing Writer

The UK's Information Commissioner's Office (ICO) has slammed the Metropolitan Police Service (MPS) over a backlog of information requests in which consumers are waiting far too long. 

On Tuesday, Suzanne Gordon, ICO Director of Data Protection Complaints and Compliance, said in a blog post that while everyone in the United Kingdom has the legal right to ask organizations for a copy of the information held on them, known as a subject access request (SAR), the police force is falling short of dealing with requests in a reasonable amount of time. 

The Met Police has a massive backlog of SARs, with over 1,100 open and active requests and close to 680 of these are over three months old. 

The ICO says that the age of pending data requests is a "cause for concern."

"In short, the MPS has failed in its data protection obligations by not responding to SARs within a calendar month and we have issued two enforcement notices ordering the MPS to respond to all requests by September 2019," the watchdog says. 

See also: GDPR: A boon for privacy or choking regulation? Businesses weigh in

The backlog is due, in part, to a lack of staff -- a constant problem for the UK's police force -- as well as the implementation of the General Data Protection Regulation (GDPR).

GDPR is the successor of the 1998 Data Protection Act. As former lackluster data protection controls have now been tightened up in a bid to control how much information about us is stored, used, and monetized by companies, the ICO says this has consequently resulted in an increased awareness relating to our data -- and so SARs requests have also risen in turn.

"We recognize there has been a significant rise in SARs across all sectors, including to police forces and other law enforcement agencies," Gordon says. "And we are also aware of the administrative impact of the increased workload on police forces in responding to these requests. But this should not come at a cost to people's data rights."

TechRepublic: Why half of enterprises struggle to keep pace with cloud security

The ICO and MPS are working together to try and clear the backlog. In addition, the police force has been asked to refresh its internal systems & policies to address any delays in completing information requests. 

"Ultimately, the public must be able to trust that police forces are upholding their information rights, and this case is a reminder to other police forces that we will take action against those organizations that do not comply with their SAR obligations," the ICO added. 

CNET: US fires up X-ray tech to catch illegal drugs at the border

If you want to find out what information a police department holds on you, you do not need to make a request in writing -- but it is always good practice to do so. As long as an information request is considered "reasonable" and "proportionate," you have to be responded to within a month. 

There is a caveat, however. Data requests can be limited if releasing all of the information on file could potentially jeopardize an investigation or inquiry.

Update 14.45 BST: Darren Curtis, Head of Information Law and Security, told ZDNet: 

"We are taking the enforcement notices very seriously and regret failing to meet our obligations as we know it is frustrating for those requesting information from us which they have a right to access. 

We have already taken action to improve processes, including bringing in more staff to assist. This has helped us make good progress in reducing the oldest cases and managing more demand. In the longer-term we plan to invest in a new data office, which will help us deliver further improvements."

Europol’s top hacking ring takedowns

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards