Info Gov

The Information Commissioner’s Office (ICO) has issued a formal reprimand to the City of London Police (CoLP) after finding that the force repeatedly failed to meet statutory deadlines for responding to subject access requests (SARs) over a twoyear period.

The reprimand, dated 20 February 2026, concludes that CoLP infringed Article 12(3) UK GDPR and section 45(3) of the Data Protection Act 2018, with the ICO determining that the force did not provide information to data subjects “without undue delay and in any event within one month” as required.

This story in a nutshell

  • The ICO has issued a formal reprimand to the City of London Police for failing to meet statutory deadlines for subject access requests under Article 12(3) UK GDPR and s45(3) DPA 2018.
  • Between April 2023 and July 2025, more than one‑third of SARs were not answered on time; compliance was as low as 30% in 2023–24.
  • The force held a backlog of 45 overdue SARs at its peak and provided the ICO with inaccurate compliance statistics during the investigation.
  • The ICO received 24 complaints, with some data subjects reporting emotional distress caused by prolonged delays.
  • City of London Police blamed resourcing pressures within its Information Access Team; action plans have since been implemented and the backlog cleared.
  • The ICO warns that repeat failings may lead to stronger enforcement action in future.

The ICO’s investigation found that between April 2023 and July 2025, CoLP failed to respond to more than onethird of SARs within the statutory timeframe. Compliance was particularly poor in 2023–24, when only 30% of requests were answered on time.

Although performance improved to 64% in 2024–25 and 93% in the first quarter of 2025–26, the Commissioner noted that the force had maintained a backlog of overdue SARs for much of the period, peaking at 45 outstanding requests in July 2024.

CoLP acknowledged in its representations that it “did not consistently meet its statutory obligations” during the relevant period.

The ICO received 24 complaints from data subjects between April 2023 and July 2025. Several complainants reported emotional distress caused by prolonged delays, with one individual telling the regulator they had been “worrying about not receiving any response” from the force.

CoLP attributed its failings to significant resourcing pressures within its central Information Access Team, which handles SARs alongside FOI and EIR requests. The force reported increased FOI volumes, staff absences, and reliance on temporary personnel.

The ICO also criticised CoLP for providing inaccurate SAR statistics during the investigation, citing miscategorisation of thirdparty enquiries and errors in extracting data from internal systems. Revised figures had to be requested on multiple occasions.

CoLP submitted a SAR Action Plan in August 2024, including recruitment of a temporary data protection specialist, process improvements, and new KPIs. The force later pointed to its Freedom of Information Act (FOIA) Action Plan - implemented following a separate enforcement notice- as also covering SARrelated improvements, though the ICO noted that the FOIA plan initially lacked SARspecific detail.

By November 2025, CoLP reported that it had cleared its SAR backlog.

While the reprimand itself carries no financial penalty, the ICO recommended that CoLP continues to strengthen its internal systems for identifying, logging and responding to SARs. The Commissioner warned that any future repeat of the failings could be treated as an aggravating factor when considering further enforcement action.

Also in this section

Jul 13, 2026

ICO refreshes law enforcement subject access guidance following DUAA 2025

The Information Commissioner's Office has updated its detailed guidance on the right of access under part 3 of the Data Protection Act 2018, incorporating the changes made by the Data (Use and Access) Act 2025 to how competent authorities handle subject access requests for law enforcement processing.
Jul 07, 2026

Section 166 application dismissed after ICO opens fresh investigations into school, council and diocese data sharing

The First-tier Tribunal (General Regulatory Chamber) has dismissed an application under section 166(2) of the Data Protection Act 2018 against the Information Commissioner, despite finding that the regulator's original response to a school employee's data sharing complaint was not an outcome to the Applicant's complaints, because a series of further investigations and outcome letters issued after…

InfoGov Masthead Newsletter 800