City of London Police issued ICO reprimand over prolonged SAR delays

Details: Published: 20 February 2026

The Information Commissioner’s Office (ICO) has issued a formal reprimand to the City of London Police (CoLP) after finding that the force repeatedly failed to meet statutory deadlines for responding to subject access requests (SARs) over a two‑year period.

The reprimand, dated 20 February 2026, concludes that CoLP infringed Article 12(3) UK GDPR and section 45(3) of the Data Protection Act 2018, with the ICO determining that the force did not provide information to data subjects “without undue delay and in any event within one month” as required.

This story in a nutshell

The ICO has issued a formal reprimand to the City of London Police for failing to meet statutory deadlines for subject access requests under Article 12(3) UK GDPR and s45(3) DPA 2018.
Between April 2023 and July 2025, more than one‑third of SARs were not answered on time; compliance was as low as 30% in 2023–24.
The force held a backlog of 45 overdue SARs at its peak and provided the ICO with inaccurate compliance statistics during the investigation.
The ICO received 24 complaints, with some data subjects reporting emotional distress caused by prolonged delays.
City of London Police blamed resourcing pressures within its Information Access Team; action plans have since been implemented and the backlog cleared.
The ICO warns that repeat failings may lead to stronger enforcement action in future.

The ICO’s investigation found that between April 2023 and July 2025, CoLP failed to respond to more than one‑third of SARs within the statutory timeframe. Compliance was particularly poor in 2023–24, when only 30% of requests were answered on time.

Although performance improved to 64% in 2024–25 and 93% in the first quarter of 2025–26, the Commissioner noted that the force had maintained a backlog of overdue SARs for much of the period, peaking at 45 outstanding requests in July 2024.

CoLP acknowledged in its representations that it “did not consistently meet its statutory obligations” during the relevant period.

The ICO received 24 complaints from data subjects between April 2023 and July 2025. Several complainants reported emotional distress caused by prolonged delays, with one individual telling the regulator they had been “worrying about not receiving any response” from the force.

CoLP attributed its failings to significant resourcing pressures within its central Information Access Team, which handles SARs alongside FOI and EIR requests. The force reported increased FOI volumes, staff absences, and reliance on temporary personnel.

The ICO also criticised CoLP for providing inaccurate SAR statistics during the investigation, citing mis‑categorisation of third‑party enquiries and errors in extracting data from internal systems. Revised figures had to be requested on multiple occasions.

CoLP submitted a SAR Action Plan in August 2024, including recruitment of a temporary data protection specialist, process improvements, and new KPIs. The force later pointed to its Freedom of Information Act (FOIA) Action Plan - implemented following a separate enforcement notice- as also covering SAR‑related improvements, though the ICO noted that the FOIA plan initially lacked SAR‑specific detail.

By November 2025, CoLP reported that it had cleared its SAR backlog.

While the reprimand itself carries no financial penalty, the ICO recommended that CoLP continues to strengthen its internal systems for identifying, logging and responding to SARs. The Commissioner warned that any future repeat of the failings could be treated as an aggravating factor when considering further enforcement action.