Subject Access Requests – what happens next?

What happens next?

You are entitled under the Data Protection Act to receive an answer within 40 calendar-days (not working days) but no-one ever receives a response in that time. The Metropolitan Police is so bad at responding to requests for information that in April 2013, it was one of three public authorities the Information Commissioner’s Office said it planned to monitor over concerns about its timeliness.

If you do not receive a response within 40 days, email the Public Access Office on and ask for an explanation (see our sample letters for wording).

You may then receive a ‘delay letter’ from them. If you do, we urge you to immediately make a complaint to the Information Commissioner’s Office (ICO) – and to let us know.

Repeated failure to respond to Subject Access Requests is unlawful and makes a mockery of the idea of greater openness and transparency that the Data Protection Act is supposed to encourage.

We want to lobby the Information Commissioners Office to use its enforcement powers against the Metropolitan Police, by showing the number of times the 40 day deadline is routinely ignored. This is why it is important to keep Netpol informed at so we can apply pressure to the ICO to take action.

Making a complaint about a failure to respond.

The Information Commissioner’s Office has a complaints form that you can download from

You need to return it by post or email with copies of your original Subject Access Request and any correspondence.

Please remember to also contact us if you complain to the ICO and let us know what response you receive.

 The ICO usually takes around two weeks just to allocate a case officer and, depending on the complexity of a complaint, can take several months to reach a decision. However, a failure to keep to the 40 calendar-day deadline is not a complicated complaint so if you haven’t heard anything within six weeks, once again let us know at

What happens if the Subject Access request is rejected?

There are a number of ways that the police can resist providing personal data:

  •  By claiming that disclosure would be likely to “prejudice ongoing criminal, civil or disciplinary proceedings”
  •  By claiming disclosure would be likely to “prejudice the prevention or detection of crime”
  • By claiming the Subject Access request is a “speculative search”
  • By claiming that a request would reveal “third-party personal data”
  • By claiming the request concerns unstructured personal data, which the costs of disclosing would exceed the relevant prescribed limit

If you receive a rejection, please contact Netpol at so that we can seek legal advice.


%d bloggers like this: