On 28th September 2022, the Information Commissioner’s Office announced it is taking action against seven organisations for delays in dealing with Subject Access Requests(SARs). This includes government departments, local authorities and a communications company.
The seven organisations were identified following a series of complaints in relation to multiple failures to respond to requests for copies of personal information collected and processed by these organisations, either within statutory timeframes or at all.
An SAR must be responded to within one month, although this period can be extended by a further two months in the case of a manifestly unfounded or excessive request. The time starts from the date of receipt as per a ECJ court ruling and confirmed by the provisions of the forthcoming Data Protection and Digital Information Bill.
But an ICO investigation found the seven organisations, from across the public and private sector, repeatedly failed to meet this legal deadline. This resulted in reprimands under the UK GDPR and, in some cases, Practice Recommendations under the Freedom of Information Act 2000.
Information Commissioner John Edwards told the BBC naming and shaming organisations that fail to comply is a new proactive way for the ICO to work.
“It’s going to become more common – it’s really important that people can have confidence in the administration of their information rights,” he said.
“That’s why we are publicly notifying these organisations that they have to bring themselves into compliance.
“Being able to ask an organisation ‘what information do you hold on me’ and ‘how it is being used’ provides transparency and accountability.
“These are fundamental rights – these are not optional.”
The seven organisations are:
Ministry of Defence (MoD)
The MoD has been issued with a reprimand following an identified SAR backlog dating back to March 2020. Despite setting up a recovery plan, this backlog has continued to grow, and currently stands at 9,000 SAR requests yet to be responded to. This has meant that, on average, people were typically waiting over 12 months for their information.
A reprimand has been issued to the Home Office following investigations that showed between March 2021 and November 2021, they had a significant back log of SARs, amounting to just under 21,000 not being responded to during the statutory timeframe. Complaints to the ICO showed requesters suffered significant distress as a result. As of July 2022, there are just over 3,000 unanswered SARs outside of the legal time limit.
London Borough of Croydon
The investigation revealed that from April 2020 to April 2021, the London Borough of Croydon Council had responded to less than half of their SARs within the statutory timescales. This meant that 115 residents did not receive a response in accordance with the UKGDPR. Additionally, since June 2021, the ICO has issued 27 decisions notices under FOIA related to the Council’s failure to respond to information requests. They have been issued with a reprimand as well as a recommendation under our renewed approach to FOI regulation for failure to meet statutory response deadlines.
From October 2020 to February 2021, Kent Police received over 200 SARs, 60% were completed during the statutory deadline. However, some of the remaining SARs are reported to have taken over 18 months to issue a response. As of May 2022, over 200 SARs remain overdue. A reprimand has been issued.
London Borough of Hackney
For the period of April 2020 to February 2021, London Borough of Hackney did not respond to over 60% of the SARs submitted to them in the statutory timeframe. The oldest SAR was over 23 months. They have since been issued with a reprimand as well as a FOI practice recommendation.
London Borough of Lambeth
London Borough of Lambeth has only responded to 74% of the SARs it has received within the statutory timescales from 1 August 2020 to 11 August 2021. This equates to 268 SARs. The council continues to have a backlog of SAR cases and, based on the updated figures, does not appear to be improving. They have been issued with a reprimand.
Over a 6 month period in 2021, Virgin Media received over 9500 SARs. 14% of these were not responded to during the statutory timeframe. However, their compliance in 2022 has seen improvements. A reprimand has been issued.
These organisations have between three and six months to make improvements or further enforcement action could be taken by the ICO. This action is a reminder that all Data Controllers must have policies and procedures in place to deal with SARs in a timely manner.
Our workshop, How to Handle a Subject Access Request, equips delegates with the skills and knowledge to handle complex SARs. For experienced GDPR Practitioners wanting to take your skills to the next level we have our Advanced Certificate in GDPR Practice which starts on 25th October.