ICO hands Enforcement Notice to the Metropolitan Police Service

11th July 2019 Media Law

Last month the Information Commissioner’s Office (“ICO”) served an enforcement notice on the Metropolitan Police Service (“MPS”) for failing to respond to Subject Access Requests (“SAR”) on time.

Before we discuss what has happened to the MPS in any detail, it may be helpful to explain some of the terminology.

What is the ICO?

The Information Commissioner is the UK’s independent regulator of data protection.

What is a SAR?

Individuals have the right to find out if an organisation is using or holding their personal data. Individuals can request a copy of the data. The request for that information is known as a “Subject Access Request” or “SAR”.

The Law

The relevant legislation under which a SAR is brought depends on when the SAR was made. The General Data Protection Regulation (“GDPR”) came into force on 25 May 2018, so for SARs made after that date the relevant law is Article 15 of the GDPR.

Prior to 25 May 2018, SARs were made under section 7 of the Data Protection Act 1998 (“DPA 1998”).

A data controller determines the purpose and means of processing data.

How Long Does a Data Controller Have to Respond?

A data controller must act on the SAR without undue delay, and an individual should wait no longer than one calendar month. In some limited circumstances, such as a complex request, the data controller may be allowed more time, but even then the data controller should explain the delay within a month.

The MPS Enforcement Notice: What happened?

In this case, the MPS held personal data.

Individuals made SARs to the MPS.

According to the enforcement notice issued by the ICO to the MPS, the MPS failed to respond to SARs in time both prior to and after 25 May 2018.

In the enforcement notice, the ICO noted that there had been a “sustained failure” by the MPS to respond to SARs made before 25 May 2018. The ICO did acknowledge that the MPS had taken some steps to respond, including recruiting staff. Despite this, the ICO had concerns and noted that at the time of the enforcement notice there were 8 outstanding data requests from before 25 May 2018.

The ICO took the view that the 8 individuals concerned are likely to suffer damage and distress as a result of being denied the opportunity to properly understand what personal data may be being processed about them.

The ICO gave the MPS until 30 September 2019 at the latest to respond to the individuals who submitted SARs before 25 May 2018. It also noted that, as of 13 June 2019, there were 1,727 open subject access requests, 1,169 overdue and 689 over 100 days old.

The ICO took the view that damage or distress is likely to have been caused to the 1,169 individuals as a result of being denied the opportunity to properly understand what personal data may be being processed about them and being unable to exercise various other statutory rights.

The ICO has asked the MPS to make changes to its internal systems, procedures and policies and the MPS was given 28 days to appeal both enforcement notices.

If you have made a SAR to the MPS, or any other data controller (e.g. a Company, local authority, utility company or Government department) and not received a response, you may be entitled to compensation and have other relevant rights of action. For more information contact the Data Law team at JMW Solicitors on 0345 872 6666.


Dominic Walker is a Solicitor located in Manchester in our Media Law department.
