Police Issued Enforcement Notification For GDPR Non-Compliance

The Metropolitan Police Service has been issued with two separate enforcement notices for breaching the maximum time limits imposed by the General Data Protection Regulation (GDPR).

Under the new regulations, any person can make a Subject Access Request (SAR), and all organisations holding consumer data are obliged to provide that person with a free copy of a document detailing the data they hold on them within one calendar month of the request being made.

Following an investigation by the Information Commissioner’s Office (ICO), it became clear that the Metropolitan Police Service had a backlog of 1,100 SARs. Furthermore, 680 were over three months old.

As more people become aware of their rights regarding personal information that is held by others, the ICO has urged organisations to ensure they are prepared to meet all deadlines for responding to consumer data requests.

The two enforcement notifications have ordered the MPS to respond to all outstanding data requests by the end of September.

In response, the MPS have insisted that they have a plan in place to address the backlog within the next four months.

Official ICO guidelines suggest:

  • There is no requirement for a request to be in writing, so it is good practice for police forces to have a policy for recording details of all the requests received, including verbal requests.
  • Requests can be responded to electronically (as long as it is secure) and paper copies can be provided only if you are asked to do so and it is reasonable.
  • Requests need to be replied to within one calendar month. For practical purposes, we recommend that police forces adopt a 28-day period to ensure they respond to requests within the time limit.
  • Police forces can ask for further information to establish the identity of a requester, particularly where sensitive data is involved. Such requests should be reasonable and proportionate. The calendar month time limit will start once you have received the necessary information.
  • Although police forces must consider every request, you may limit the amount of information provided if, for example, it would prejudice an investigation or legal inquiry.
  • Police forces should make the public aware of any delays which may affect their requests. They also need to explain how the situation is being addressed.

Suzanne Gordon, Information Commissioner’s Office (ICO) Director of Data Protection Complaints and Compliance, commented:

“As people become more aware of their information rights, we recognise there has been a significant rise in SARs across all sectors, including to police forces and other law enforcement agencies. And we are also aware of the administrative impact of the increased workload on police forces in responding to these requests. But this should not come at a cost to people’s data rights.

“We have … asked the MPS to make changes to its internal systems, procedures or policies, so that people are kept up to date on any delays that may affect their data protection rights and how the situation is being addressed.”

Is your law firm prepared to respond to SARs within the suggested 28-day time limit? Do you have policies in place to ensure GDPR is adhered to?