ICO clamps down on Councils for failing to respond to subject access requests
The Information Commissioner's Office (ICO) has recently shown its determination to hold public authorities to account for failing to respect the data protection rights of individuals. Two local Councils, Plymouth City Council and Norfolk County Council, have been reprimanded by the ICO for failing to properly address subject access requests (SARs).
A SAR can be made by anyone, either verbally or in writing, requesting to be provided with all personal data that an organisation holds on them. Organisations must respond to a SAR as soon as possible and (usually) within one month of the request, confirming, amongst other things, whether any personal data of the individual is being processed, providing a copy of all data held, and giving details of why the data is used and to whom it is disclosed.
Both Councils repeatedly failed to meet their statutory obligation to respond to SARs and it was found, following investigation, that 49% of requests made by the public to Norfolk County Council between April 2021 and 2022 had not been dealt with within the required time frame.
Plymouth City Council was also a repeat offender over the last three years: 18 requests took up to two years to complete and a further 18 requests took between three months and one year. Some 20 requests remained outstanding for up to one year and eight were outstanding for up to two years. Between 2022 and 2023, the highest level of compliance for SARs completed in the legal time limit was 77%.
The ICO's Director of Investigations, Stephen Eckersley, noted the concerning nature and repercussions of failing to respond to a SAR in a timely and legal manner: it is “undermining public confidence by failing to be transparent and accountable” and delays to the process can cause anxiety and distress. Delays also impact upon other rights such as the right to have data rectified or deleted.
As such, both Councils have been reprimanded and ordered by the ICO to ensure they have appropriate staffing resources to respond to SARs within one to three months and to implement measures to respond to the remaining requests. The Councils have six months from the issue of the reprimands to address the ICO’s concerns and provide details of the actions they have taken to resolve matters and improve compliance with data protection laws.
The action taken by the ICO is a salutary reminder of the need to ensure that the rights of individuals are respected.
Please contact a member of the Data Protection & Cyber Security team if your organisation has been subject to a SAR and you would like advice on how to proceed.
This article was co-written by Arina Yazdi, Trainee Solicitor.