Subject Access Requests – what happens next?
What happens next?
You are entitled under the Data Protection Act to receive an answer within 40 calendar-days (not working days) but no-one ever receives a response in that time. The Metropolitan Police is so bad at responding to requests for information that in April 2013, it was one of three public authorities the Information Commissioner’s Office said it planned to monitor over concerns about its timeliness.
If you do not receive a response within 40 days, email the Public Access Office on email@example.com and ask for an explanation, using the following wording:
Subject: Non response to my subject access request
I am writing further to my letter of [date] in which I made a subject access request, because I have not received any response from your organisation.
As the statutory time limit for responding to my subject access request (40 days) has now expired, I would be grateful if you could provide a response as soon as possible.
If I do not receive a response from your organisation within 14 days, I will submit a ‘request for assessment’ to the Information Commissioner’s Office (ICO).
You may then receive a ‘delay letter’ from them. If you do, we urge you to immediately make a complaint to the Information Commissioner’s Office (ICO) – and to let us know.
Repeated failure to respond to Subject Access Requests is unlawful and makes a mockery of the idea of greater openness and transparency that the Data Protection Act is supposed to encourage.
We want to lobby the Information Commissioners Office to use its enforcement powers against the Metropolitan Police, by showing the number of times the 40 day deadline is routinely ignored. This is why it is important to keep Netpol informed at firstname.lastname@example.org so we can apply pressure to the ICO to take action.
Making a complaint about a failure to respond.
You need to return it by post or email with copies of your original Subject Access Request and any correspondence.
By email: If all your supporting evidence is available electronically, you can send the form by email.
- Save the Word version of the complaints form to your computer.
- Fill the form in and save it again.
- Open a new email, with ‘Report a concern’ in the subject line.
- Attach this form and any other documents you wish to send to the ICO. Please ensure your combined email attachments do not exceed 10 MB in a single email. You may send attachments over multiple emails, but please indicate this in the subject line.
- Send to email@example.com
Please note: email may not be secure.
By post: If your supporting evidence is in hard copy, you can print out the complaints form and post it (with your supporting evidence) to:
Information Commissioner’s Office
Please remember to also contact Netpol if you complain to the ICO and let us know what response you receive.
The ICO usually takes around two weeks just to allocate a case officer and, depending on the complexity of a complaint, can take several months to reach a decision. However, a failure to keep to the 40 calendar-day deadline is not a complicated complaint so if you haven’t heard anything within six weeks, once again let us know at firstname.lastname@example.org
What happens if the Subject Access request is rejected?
There are a number of ways that the police can resist providing personal data:
- By claiming that disclosure would be likely to “prejudice ongoing criminal, civil or disciplinary proceedings”
- By claiming disclosure would be likely to “prejudice the prevention or detection of crime”
- By claiming the Subject Access request is a “speculative search”
- By claiming that a request would reveal “third-party personal data”
- By claiming the request concerns unstructured personal data, which the costs of disclosing would exceed the relevant prescribed limit
If you receive a rejection, please contact Netpol at email@example.com so that we can seek legal advice.
Back to INTRODUCTION