The Metropolitan Police Service (MPS) has been hit with two enforcement notices by the Information Commissioner for failing to comply with its GDPR data provision obligations.
The MPS is struggling to keep up with a growing flood of data requests made by the public. The Met Police have over 1,100 open data requests and more than half of these are three months old.
In April it told the ICO it has provided a mere 6 percent within the statutory 30 day deadline.
“Systematic” Failure Relates to Subject Access Requests
Anyone living in the UK is legally entitled to be informed about what personal data an organisation is storing related to them. These rights have been recently strengthened by the adoption of the GDPR.
Any person can request that organisations send them a copy of all processed data pertaining to them free of charge. The data holder then has one month to respond to the information request. These request are known as subject access requests (SARs).
Suzanne Gordon, Director of Data Protection Complaints and Compliance at the ICO wrote: “The MPS has failed in its data protection obligations by not responding to SARs within a calendar month and we have issued two enforcement notices ordering the MPS to respond to all requests by September 2019.”
A Metropolitan Police spokesman told Computer Business Review: “We are taking the enforcement notices very seriously and regret failing to meet our obligations.”
Backlog Must be Cleared by September 30
The force has till the 30 of September to clear its SAR backlog and inform all individuals who have made subject access requests as to whether or not they are processing personal data concerning them. If they fail to do so the ICO can potentially issue a monetary fine under the GDPR framework of up to €10 million (£8.9 million).
In an emailed statement to Computer Business Review, Darren Curtis Head of Information Law and Security at the Metropolitan Police Service said: “We are taking the enforcement notices very seriously and regret failing to meet our obligations as we know it is frustrating for those requesting information from us which they have a right to access.”
He added: “Demand on the Met has increased considerably over the years, particularly since the General Data Protection Regulation came into force in May 2018, and this has impacted how quickly we deal with requests.”
“We have already taken action to improve processes, including bringing in more staff to assist. This has helped us make good progress in reducing the oldest cases and managing more demand.”
Metropolitan Police Must Make “Systematic Changes”
Also included in the enforcement notices is the requirement that the MPS make systematic changes to its internal processes that handle these type of data requests.
As the notice states: “The controller is to carry out such changes to its internal systems, procedures and policies as are necessary to ensure that future subject access request received by the controller… are identified and complied with in accordance with the requirement of article 15 GDPR.”
The MPS informed us that it on average receives 500 requests of this nature every month, all of which are required by law to be responded to within 30 days.
The service commented that this creates a significant workload as each request has to be collated, examined, in some cases redacted before it can be released to the individual seeking the data.
The Met told the ICO this April that it was currently processing 1,535 requests and that over 94 percent were over the statutory deadline.
Speaking to Computer Business Review Solicitor Peter Wright MD of Digital Law and Chair of the Law Society GDPR working group commented that: “Clearly the Met do not have adequate resources available to adequately deal with their SARs in the deadline that GDPR imposes.”
He noted that the MPS could have got around this under GDPR’s predecessor the Data Protection Act, as they gave the data controller a bit more time to process these types of requests and under the old (1998) data protection act and a fee could be charged for the processing of requests.
“Clearly the current system is not fit for purpose and has been inundated with requests”, he added. “What we have now is great awareness of [data rights] because of the publicity around the introduction of GDPR and as people become more aware of their rights there has been a significant uplift in the number of requests.”
“It is increasingly used as a tactic by those who wish to embark on either a dispute or a claim in the court. It is increasingly used as a tool by claims management firms who might seek to subsequently make a claim against the Metropolitan Police itself after making a subject access request; they shake the tree to see if any juicy bits of evidence fall out in the process of them replying.”
“Subject access requests are been used in a manner that is not consistent with how those who came up with the right to be able see your data didn’t originally envisage.”