The Article 15 Right of Subject Access is a fundamental right under the UK GDPR.
It allows data subjects to see what personal data is held about them, how it is being processed and precisely who it is being shared with. In 2023, Dame Alison Rose, the then CEO of NatWest, resigned after Nigel Farage made a subject access request which disclosed information that contradicted the bank’s justification for downgrading his account.
A recent report by openDemocracy, an independent international media platform, claims that basic legal rights are being undermined by public authorities in the UK who are failing to properly deal with subject access requests (SARs). The report states that people requesting copies of their data, such as police or immigration records, have faced long delays or had their requests ignored entirely. Others have been given folders with key documents missing. Apparently this is having a knock-on effect on the justice system, with lawyers telling openDemocracy that asylum applications and claims for false imprisonment have been put on hold due to the delays. Victims of the Windrush Scandal have also struggled to obtain copies of their immigration papers in order to claim compensation.
According to the report, the Foreign, Commonwealth & Development Office (FCDO) stands out for its poor record of handling SARs. Last year, it responded to just one in five SARs within the standard one-month deadline. Lawyers and campaigners also singled out the Metropolitan Police for criticism. At the beginning of the year, almost 2,000 SARs being dealt with by the force were more than 60 days old. In one case, lawyers needed to see the records of a human trafficking victim and asylum seeker, whom the Home Office had wrongfully accused of absconding. The Home Office later admitted it was wrong to withdraw the individual’s asylum application, and accepted they were a victim of trafficking and modern slavery. But the lawyers still needed to understand why the claim had been withdrawn in order to reinstate it. Lengthy delays to the SAR meant they had no choice but to progress the asylum case without these important documents, though the asylum claim was not reinstated until the day after the Home Office released them months later.
The Information Commissioner’s Office (ICO) is taking action against tardy Data Controllers although some say it needs to do more. In September 2022, the ICO announce it is taking action against seven organisations for delays in dealing with Subject Access Requests(SARs). This includes government departments, local authorities and a communications company. The seven organisations were identified following a series of complaints in relation to multiple failures to respond to requests SARs, either within statutory timeframes or at all.
Our upcoming Handling SARs course can help you deal with complex subject access requests. Places are limited so book early to avoid disappointment.
