ICO Takes Action Against GDPR Subject Access Delays

On 28th September 2022, the Information Commissioner’s Office announced it is taking action against seven organisations for delays in dealing with Subject Access Requests(SARs). This includes government departments, local authorities and a communications company. 

The seven organisations were identified following a series of complaints in relation to multiple failures to respond to requests for copies of personal information collected and processed by these organisations, either within statutory timeframes or at all. 

An SAR must be responded to within one month, although this period can be extended by a further two months in the case of a manifestly unfounded or excessive request. The time starts from the date of receipt as per a ECJ court ruling and confirmed by the provisions of the forthcoming Data Protection and Digital Information Bill.

But an ICO investigation found the seven organisations, from across the public and private sector, repeatedly failed to meet this legal deadline. This resulted in reprimands under the UK GDPR and, in some cases, Practice Recommendations under the Freedom of Information Act 2000.

Information Commissioner John Edwards told the BBC naming and shaming organisations that fail to comply is a new proactive way for the ICO to work. 

“It’s going to become more common – it’s really important that people can have confidence in the administration of their information rights,” he said.

“That’s why we are publicly notifying these organisations that they have to bring themselves into compliance. 

“Being able to ask an organisation ‘what information do you hold on me’ and ‘how it is being used’ provides transparency and accountability.

“These are fundamental rights – these are not optional.” 

The seven organisations are:

Ministry of Defence (MoD)

The MoD has been issued with a reprimand following an identified SAR backlog dating back to March 2020. Despite setting up a recovery plan, this backlog has continued to grow, and currently stands at 9,000 SAR requests yet to be responded to. This has meant that, on average, people were typically waiting over 12 months for their information.

Home Office

reprimand has been issued to the Home Office following investigations that showed between March 2021 and November 2021, they had a significant back log of SARs, amounting to just under 21,000 not being responded to during the statutory timeframe. Complaints to the ICO showed requesters suffered significant distress as a result. As of July 2022, there are just over 3,000 unanswered SARs outside of the legal time limit.

London Borough of Croydon

The investigation revealed that from April 2020 to April 2021, the London Borough of Croydon Council had responded to less than half of their SARs within the statutory timescales. This meant that 115 residents did not receive a response in accordance with the UKGDPR. Additionally, since June 2021, the ICO has issued 27 decisions notices under FOIA related to the Council’s failure to respond to information requests. They have been issued with a reprimand as well as a recommendation under our renewed approach to FOI regulation for failure to meet statutory response deadlines.

Kent Police

From October 2020 to February 2021, Kent Police received over 200 SARs, 60% were completed during the statutory deadline. However, some of the remaining SARs are reported to have taken over 18 months to issue a response. As of May 2022, over 200 SARs remain overdue. A reprimand has been issued.

London Borough of Hackney

For the period of April 2020 to February 2021, London Borough of Hackney did not respond to over 60% of the SARs submitted to them in the statutory timeframe. The oldest SAR was over 23 months. They have since been issued with a reprimand as well as a FOI practice recommendation.

London Borough of Lambeth

London Borough of Lambeth has only responded to 74% of the SARs it has received within the statutory timescales from 1 August 2020 to 11 August 2021. This equates to 268 SARs. The council continues to have a backlog of SAR cases and, based on the updated figures, does not appear to be improving. They have been issued with a reprimand.

Virgin Media

Over a 6 month period in 2021, Virgin Media received over 9500 SARs. 14% of these were not responded to during the statutory timeframe. However, their compliance in 2022 has seen improvements. A reprimand has been issued.

These organisations have between three and six months to make improvements or further enforcement action could be taken by the ICO. This action is a reminder that all Data Controllers must have policies and procedures in place to deal with SARs in a timely manner. 

Our workshop, How to Handle a Subject Access Request, equips delegates with the skills and knowledge to handle complex SARs. For experienced GDPR Practitioners wanting to take your skills to the next level we have  our Advanced Certificate in GDPR Practice which starts on 25th October. 

The ICO’s New Subject Access Guidance

markus-winkler-afW1hht0NSs-unsplash

GDPR has introduced some new Data Subject rights including the right to erasure and data portability. The familiar right of Subject Access though still remains albeit with some additional obligations. Last week the Information Commissioner’s Office (ICO) published its long awaited right of access detailed guidance following a consultation exercise in December. The guidance provides some much needed clarification on key subject access issues Data Controllers have been grappling with since May 2018. 

Reasonable Searches 

Sometimes Data Subjects make subject access requests with the aim of creating maximum work for the recipient. “I want to see all the documents you hold which have my name in them, including e mails” is a common one. How much effort has to be made when searching for such information? The new guidance states that Controllers should make reasonable efforts to find and retrieve the requested information. However, they are “not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information.” Factors to consider when determining whether searches may be unreasonable or disproportionate are:

  • the circumstances of the request; 
  • any difficulties involved in finding the information; and 
  • the fundamental nature of the right of access. 

Thus there is no obligation to make every possible effort to find all instances of personal data on the Data Controller’s systems. However, the burden of proof is on Controllers to be able to justify why a search is unreasonable or disproportionate. 

Stopping the Clock 

Data Controllers have one month to respond to a subject access request. Normally this period starts from the day the request is received. Previously the ICO guidance stated that the day after receipt counted as ‘day one’. They revised their position last year following a Court of Justice (CJEU) ruling

Data Controllers can ask the Data Subject to clarify their request, if it is unclear what they want, but this often leaves little time to meet the one month deadline. Having considered consultation responses, the ICO’s position now is that where a request requires clarification, in certain circumstances, the clock can be stopped whilst Controllers are waiting for clarification. 

Manifestly Unfounded and Excessive 

Article 12(5) of GDPR allows Data Controllers to refuse a Data Subject request or charge a fee where it is “manifestly unfounded or excessive.” The burden of proving this is on the Controllers whose staff often struggle with these concepts. The ICO has now provided additional guidance on these terms. 

A request may be manifestly unfounded if: 

  • The individual clearly has no intention to exercise their right of access; or 
  • The request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption. For example, the individual: 
  • explicitly states, in the request itself or in other communications, that they intend to cause disruption; 
  • makes unsubstantiated accusations against you or specific employees which are clearly prompted by malice; 
  • targets a particular employee against whom they have some personal grudge; or 
  • systematically sends different requests to the Controller as part of a campaign, e.g. once a week, with the intention of causing disruption. 

To determine whether a request is manifestly excessive Data Controllers need to consider whether it is clearly or obviously unreasonable. They should base this on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request. This will mean taking into account all the circumstances of the request, including: 

  • the nature of the requested information; 
  • the context of the request, and the relationship between the Controller and the individual; 
  • whether a refusal to provide the information or even acknowledge if the Controller holds it may cause substantive damage to the individual; 
  • the Controller’s available resources; 
  • whether the request largely repeats previous requests and a reasonable interval hasn’t elapsed; or 
  • whether it overlaps with other requests (although if it relates to a completely separate set of information it is unlikely to be excessive).  

The Fee 

What can be included when charging a fee for manifestly unfounded or excessive requests? The new guidance says Data Controllers can take into account the administrative costs of: 

  • assessing whether or not they are processing the information; 
  • locating, retrieving and extracting the information; 
  • providing a copy of the information; and 
  • communicating the response to the individual 

A reasonable fee may include the costs of: 

  • photocopying, printing, postage and any other costs involved in transferring the information to the individual; 
  • equipment and supplies (e.g. discs, envelopes or USB devices) 

Staff time can also be included in the above based on the estimated time it will take staff to comply with the specific request, charged at a reasonable hourly rate. In the absence of relevant regulations under the Data Protection Act 2018, the ICO encourages Data Controllers to publish their criteria for charging a  fee and how they calculate it.  

Finally, the new ICO guidance emphasises the importance of preparation particularity the need to have: 

  • Training for employees to enable them to recognise subject access requests;  
  • Specific people appointed to deal with requests; 
  • Policies and procedures; and  
  • Technical systems in place to assist with the retrieval of requested information. 

Our Handling Subject Access Requests workshop is now available online. It covers all aspects of dealing with SARs including identifying and applying exemptionsLooking for a GDPR Qualification? Final places left on our online GDPR Practitioner Certificate

GDPR Subject Access Time Limits Reconsidered

Keeping paper records on the shelves.

Just like its predecessor (DPA 2018), the General Data Protection Regulation (GDPR) gives Data Subjects a right to make a Subject Access Request (SAR) to a Data Controller. This means that they can obtain:

  • Confirmation that their data is being processed
  • Access to their personal data
  • Other supplementary information

The supplementary information mentioned above is the same as under section 7 of the DPA (e.g. information about the source and recipients of the data) but now also includes, amongst other things, details of international transfers, other Data Subject rights, the right to lodge a complaint with the ICO and the envisaged retention period for the data.

Time Limit

The DPA allowed Data Controllers 40 calendar days to respond to a SAR. Under GDPR Article 12, the requested information must be provided “without undue delay and in any event within one month of receipt of the request”. This can be extended by a further two months where the request is complex or where there are numerous requests. If this is the case, the Data Subject must be contacted within one month of the receipt of the request with an explanation of why the extension is necessary.

When does the one month to respond start from?

Previously the ICO guidance stated that the day after receipt counted as ‘day one’. This has now been revised following a Court of Justice of the European Union (CJEU) ruling.
It says that Data Controllers should calculate the time limit from the day they receive the request (whether it is a working day or not) until the corresponding calendar date in the next month. For example, a Data Controller receives a request on 3rd September. The time limit will start from the same day. This gives the Data Controller until 3rd October to comply with the request.

If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, Data Controllers have until the next working day to respond.

This means that the exact number of days Data Controllers have to comply with a request varies, depending on the month in which the request was made. For example, an organisation receives a request on 31st March. The time limit starts from the same day.
As there is no equivalent date in April, the Data Controller has until 30th April to comply with the request. If 30th April falls on a weekend, or is a public holiday, the Data Controller has until the end of the next working day to comply.

The ICO says that, for practical purposes, if a consistent number of days is required (e.g. for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.

Data Controllers need to consider the implications of the revised ICO guidance on their SAR procedures and standard response letters.

You may also be interested in Susan’s Wolf’s blog on the latest case on subject access for paper records.

 

More on these and other developments in our GDPR update workshop presented by Ibrahim Hasan. Looking for a GDPR qualification? Our practitioner certificate is the best option.

Act Now launches GDPR Policy Pack

ACT NOW NEWS

The first fine was issued recently under the General Data Protection Regulation (GDPR) by the Austrian data protection regulator. Whilst relatively modest at 4,800 Euros, it shows that regulators are ready and willing to exercise their GDPR enforcement powers.

Article 24 of GDPR emphasises the need for Data Controllers to demonstrate compliance through measures to “be reviewed and updated where necessary”. This includes the implementation of “appropriate data protection policies by the controller.” This can be daunting especially for those beginning their GDPR compliance journey.

Act Now has applied its information governance knowledge and experience to create a GDPR policy pack containing essential documentation templates to help you meet the requirements of GDPR as well as the Data Protection Act 2018. The pack includes, amongst other things, template privacy notices as well as procedures for data security and data breach reporting. Security is a very hot topic after the recent £500,000 fine levied on Equifax by the Information Commissioner under the Data Protection Act 1998.

We have also included template letters to deal with Data Subjects’ rights requests, including subject access. The detailed contents are set out below:

  • User guide
  • Policies
    • Data Protection Policy
    • Special Category Data Processing (DPA 2018)
    • CCTV
    • Information Security
  • Procedures
    • Data breach reporting
    • Data Protection Impact Assessment template
    • Data Subject rights request templates
  • Privacy Notices
    • Business clients and contacts
    • Customers
    • Employees and volunteers
    • Public authority services users
    • Website users
    • Members
  • Records and Tracking logs
    • Information Asset Register
    • Record of Processing Activity (Article 30)
    • Record of Special Category Data processing
    • Data Subject Rights request tracker
    • Information security incident log
    • Personal data breach log
    • Data protection advice log

The documents are designed to be as simple as possible while meeting the statutory requirements placed on Data Controllers. They are available as an instant download (in Word Format). Sequential files and names make locating each document very easy.

Click here to read sample documents.

The policy pack gives a useful starting point for organisations of all sizes both in the public and private sector. For only £149 plus VAT (special introductory price) it will save you hours of drafting time. Click here to buy now or visit or our website to find out more.

Act Now provides a full GDPR Course programme including one day workshops, e learning, healthchecks and our GDPR Practitioner Certificate. 

%d bloggers like this: