Metropolitan Police failing to respond to subject access requests
Subject access requests (SARs) should be promptly addressed by organisations that hold your data. Legal Director Richard Forrest discusses the major backlog of SARs facing the metropolitan police and the issues this is causing.
What has happened in this case?
The ICO has issued two enforcement notices ordering the Metropolitan Police Service to respond to all SARs by September 2019. The regulator has also asked the MPS to "make changes to its internal systems, procedures or policies, so that people are kept up to date on any delays that may affect their data protection rights and how the situation is being addressed."
The ICO added, "Ultimately, the public must be able to trust that police forces are upholding their information rights, and this case is a reminder to other police forces that we will take action against those organisations that do not comply with their SAR obligations".
What do you need to know about making a subject access request?
Find out how to make a Subject Access Request on the ICO website.
Crucially, when it comes to making a subject access request,the ICO has stated that there is "no requirement for a request to be in writing".
What can you use a SAR for?
You can use a SAR to find out:
- What personal data an organisation holds about you
- Whether an organisation is processing your personal data
- How the organisation got hold of your data
- The types of personal data being processed
- Why your data is being processed
- Any third parties that your data is being shared with
- How long your data will be kept for
- How you can have your data amended or deleted
- Whether they use any automated decision-making processes
- Any other supplementary information.
Of course, it could take longer for an organisation to supply everything they have about you. So, if you only need certain data and you want to speed things up, it makes sense to be specific.
The ICO has provided a handy template to help you to do this.
What else do you need to know about making a subject access request?
- Organisations should provide contact information for making a SAR. Under the GDPR, this information should be available on an organisation's website (check the privacy policy usually found in the footer)
- Requests can be responded to electronically (as long as it is secure)
- You can ask for a paper copy of the data held about you, but a company only has to provide this if it is reasonable to do so
- SARs need to be replied to within one calendar month. However, they might need extra time to consider your request and, if so, can take an additional two months to do this
- Organisations must make you aware of any delays which may affect their requests. They should also explain how the situation is being addressed
- Organisations can ask for further information to establish your identity, particularly where sensitive data is involved. However, such requests must be "reasonable and proportionate"
- A copy of your personal data should be provided at no cost to you. Although "reasonable" fees can be charged for manifestly unfounded or excessive requests
- An organisation can refuse a SAR if they believe it to be 'manifestly unfounded or excessive'. They may also deny a SAR if your data includes information about another individual. However, they can't just ignore you. They must still write to you and explain why your SAR is being refused
- You have a legal right to 'rectification' of your records. So, if something in your data is wrong, you can ask to have it corrected. Organisations have one month to respond to your request
- If you are worried about the way an organisation is handling your information, the ICO has provided a handy letter template to help you to raise your concerns.
What can you do if you don't believe your SAR has been taken seriously?
If you believe any fees to be unfair, you can complain to the organisation in question. However, if the matter is not resolved, you should report your concerns to the ICO.
If more than a month has passed since you made your SAR, and you have not heard anything back, you should write to the organisation reminding them of your request and their obligations under the GDPR. And, if you still don't hear back, you should complain to them using their complaints process. And, if you are not happy with their response, you can complain to the ICO.
If you think your request has been rejected unjustly, you can raise a complaint with the organisation in question. And if you remain dissatisfied, the ICO.
If the organisation refuses to change their records, you can complain to the ICO. However, there's a difference between information that is incorrect and information that you disagree with. For example, if you have a dispute with your doctor over a diagnosis, you can't change your health records. However, you might be able to add a note to this record stating that you disagree with the medical opinion.
If you believe that an organisation is not handling your data properly, you can also complain to the ICO.
Find out more about Subject Access Requests.
Data protection solicitors
At Hayes Connor Solicitors, we are committed to upholding the data protection rights of our clients. For more advice on your rights, and how to keep your data safe, follow us on Twitter and Facebook.
Alternatively, if you have been the victim of a data breach or cyber fraud, contact us to find out how we can help you to recover any losses.