Ian - stock.adobe.com
Met Police failed to clear backlog of subject access requests
Metropolitan Police failed to comply fully with an enforcement notice issued by the Information Commissioner, and despite hundreds of overdue subject access requests the regulator did not take further action
The Metropolitan Police Service (MPS) had a backlog of 662 subject access requests, 280 of which were overdue, over a year on from being issued an official enforcement notice by the information commissioner for its “sustained failures” in dealing with people seeking to identify what personal information the force holds on them.
On 25 June 2019, the Information Commissioner’s Office (ICO) served the MPS with two separate enforcement notices – one for its failure to fulfil subject access requests (SARs) under the Data Protection Act 1998, and one for its failure to fulfil them under the Data Protection Act 2018, which was introduced in May 2018.
These notices required the MPS to meet the terms of its recovery plan and to clear the backlog by 30 September 2019, alongside making sufficient changes to its processes and systems to deal with new requests on time.
In the latter notice, the ICO said that as of 13 June 2019, the MPS had 1,727 open SARs, 1,169 of which were overdue.
According to internal ICO email correspondence disclosed through a Freedom of Information (FOI) request seen by Computer Weekly, although the notice under the 1998 legislation was met by October 2019, the MPS has been unable to close the backlog of SARs submitted since the 2018 version came into effect.
It also shows the ICO granted the MPS a three-month extension to the deadline, giving the force until the end of December 2019 to comply, after which the ICO decided not to take any further regulatory or enforcement action.
This was done on the grounds that, with the number of overdue cases lowering to 500 by December, “there is a significant level of senior commitment and investment in the MPS’s information access rights services, which should not only help tackle this current backlog of cases but should have the potential to ensure ongoing sustained delivery of information access rights in the longer term”.
The ICO added while it was “it is also clear that the situation is not yet fully resolved”, the commissioner had decided there would be “no need for further regulatory action, in terms of financial penalty, at this point”, although “dialogue and ongoing monitoring will continue”.
“Should further issues come to light, or the service begin to deteriorate, then the commissioner reserves the right to revisit this decision,” it said.
However, while the ICO decided not to take further action, emails sent on 24 December 2019 show that, despite legally being obliged to respond within one month, it took the MPS an average of almost six months to respond to each individual SAR throughout 2019.
In the ICO’s external correspondence with the MPS about the notices, which was also disclosed in the FOI request, a senior member of police staff told the deputy information commissioner, James Dipple-Johnstone, in early January 2020 the MPS was “confident that these overdue cases will be dispatched within the early part of 2020”.
Although the number of open and overdue SARs continued to decline, in the most recent internal correspondence disclosed (dated 14 July 2020) one ICO staff member said the service had “662 open SARs and of these 280 are overdue”.
The number of overdue cases has also increased slightly since February 2020, although an exact figure is not clear. This is because, in a “snapshot” document provided by the MPS to the ICO, it gives two different figures for the number of overdue cases that month – 272 and 238.
The Network for Police Monitoring (Netpol), which regularly helps individuals to submit subject access requests to the MPS concerning data retention on their political and campaigning activities, said the problem is nothing new and the force has been failing to deliver on information access rights for a number of years.
"We always advise people we work with that they are unlikely to receive their personal data within the time limit, or even a reasonable time, and can expect long delays,” it said.
“There have been concerns in some instances, too, about the quality of the released data and how comprehensive it really is when the police are hurrying to close a request. This matters because campaigners deserve to know whether the police are keeping records on something as important as profiling them as potential "extremists" and they need to know whether the data is accurate, or instead simply speculation and rumour.”
‘Comms and press enquiries nuances’
The internal correspondence shows the ICO was concerned about how to explain the initial extension of the enforcement notice deadline to the public.
For example, one staff member suggested it would “useful to agree a possible press line about this as I’m not sure what our official messaging will be if we agree to an extension to the EN deadline”, adding that “we will need to make sure we provide a consistent (and appropriate) message”.
The staff member added in a separate email: “It’s a difficult one, as they have made good progress but still not met the terms of the EN, and ordinarily there would be consequences of not doing so.”
Another ICO employee laid out the options, positing it could either issue a variation on the original notice, which would then be published, or write to the MPS to give it the extension before considering whether to take further next steps for non-compliance.
“Either option is are fine under the Data Protection Act 2018, but obviously both come with their own comms and press enquiries nuances,” the employee said.
Despite the consideration given to public communications, the ICO never publicly announced the deadline extension, or its subsequent decision not to take further regulatory action in the face of the MPS’s failure to fully comply.
When asked why it did not make any public announcements regarding its MPS enforcement decisions, the ICO did not directly answer the question, instead stating “we continue to work closely with the MPS as it makes further improvements to its service and are carefully monitoring their ongoing performance”.
ICO report
The ICO also did not respond to further questions about the MPS’s current SAR backlog, or when it is now expected to be fully cleared.
In its updated Regulatory approach in response to the coronavirus pandemic document from September 2020, which added to previous versions from April and July, the ICO said it would “recommence our formal regulatory action in connection with outstanding information request backlogs held by organisations that pre-date the pandemic”.
In a report published by the ICO on 10 November 2020 about the Timeliness of responses to information access requests by police forces in England, Wales and Northern Ireland, it said the regulator had taken formal action against the MPS “for failing in its data protection obligations by not”, but failed to mention it did not actually pursue the action when the MPS failed to meet its requirements.
The same report also highlighted a much wider problem with the public trying to access data from law enforcement bodies, finding that a quarter of all requests for information (including both FOIs and SARs) from the police were not completed on time.
“Whilst performance rates vary widely amongst police forces, it is clear that some forces are failing to respond to a large quantity of requests within statutory deadlines. It is important to remember that behind every request is an individual or group seeking to assert their legal rights and obtain information that is significant to them,” it said.
“Ultimately, it is unacceptable that approximately 25% of all requesters do not receive a timely response to their requests.”
Netpol added that the MPS’ failure to close its backlog was also “a failure of transparency and accountability. “
“The Met's repeated inability to comply with its legal obligations will never change if the ICO refuses to pursue further action when its enforcement notices are disregarded,” it said.
Read more about data protection rules
- Credit reference agency Experian must make significant changes to how it handles people’s personal data within its direct marketing practice – or face sanctions under a new enforcement notice issued by the UK Information Commissioner’s Office.
- The Information Commissioner’s Office has fined the London Borough of Newham £145,000 for “the unfair and excessive” disclosure of personal data belonging to 203 individuals featured on the Metropolitan Police Service’s controversial Gang’s Matrix database.
- Investigation into the Gangs Matrix, a police intelligence database used to identify and monitor individuals considered to be linked to gangs, finds that the Metropolitan Police Service’s use of the tool has led to serious breaches of data protection laws.