The Information Commissioner's Office (ICO) has recently issued the Labour Party with a rather embarrassing "slap across the wrist" for its failure to handle requests for personal information on time. The reprimand is a timely reminder for organisations of the importance of having appropriate policies and procedures in place to deal with such requests.
Under the UK’s data protection regime, individuals have a number of rights in relation to their personal information. A key right is the “subject access request” where someone can ask an organisation for copies of personal information they hold about them. Organisations must usually respond to these requests within one month. There are both legal and reputational ramifications for a failure to respond to requests in a timely and compliant manner.
The Labour Party reprimand: a case in point
The Labour Party has been reprimanded by the ICO for the way it handled hundreds of subject access requests, the volume of which increased following a cyber-attack in October 2021. Towards the end of 2022, the ICO found that there were 352 requests requiring a response, of which 78% (274) had been outstanding for over three months, and 56% (198) for over a year. The ICO received 154 complaints during this period regarding the Labour Party's handling of requests. During its investigation, the ICO also found an unmonitored privacy inbox containing around 650 additional subject access requests and around 600 requests for the deletion of personal information. Some of these may have been duplicate requests, but none had been responded to.
In issuing the reprimand, the ICO did acknowledge the efforts made by the Labour Party to reduce the backlog, including designating additional staff to manage requests, senior-level engagement with the ICO, hiring a data protection consultant pending the appointment of a new Data Protection Officer, creating a detailed action plan, contacting everyone who had sent subject access requests to the unmonitored privacy inbox, and actioning all erasure requests identified within that inbox. The Labour Party also updated its data protection notices and its data subject access request process to ensure future compliance and a prompt response rate. As of April 2024, the Labour Party had cleared its backlog.
The ICO made a number of recommendations to the Labour Party, recommendations which other organisations would do well to remember, namely:
- have adequate staff resources to process and respond to subject access requests;
- ensure subject access requests are responded to within statutory deadlines; and
- ensure that any inboxes no longer in use are deleted.
Best Practices for Data Subject Access Request Compliance
Following the ICO’s reprimand, we have outlined below best practices to assist organisations and avoid the pitfalls experienced by the Labour Party when handling subject access requests.
- Implement clearly defined procedures and conduct regular reviews
A clear process for managing requests should allocate responsibility for their handling and detail how and where requests are to be logged, tracked, and managed. A regular review of handling processes should include an audit of response times and the quality of communication. In the Labour Party's case, such a review would have revealed the need to delete any unmonitored inboxes.
- Allocate staff resources and provide training
There should be an adequate number of properly trained staff to handle requests, taking into account that staff take annual leave and that a data breach or cyber-attack can cause an influx of requests. Staff should be trained to recognise subject access requests and to know whom to escalate them to, keeping in mind the importance of the applicable deadlines.
- Know your timeframes
Subject access requests must be fulfilled "without undue delay". It is crucial that organisations respond as quickly and as transparently as possible. This includes acknowledging requests. Make a 28-day roadmap or checklist to stay within the one calendar month deadline.
Remember too that the time for responding can be paused where it is necessary to clarify the information being sought. For complex requests, or where multiple requests are received from the same person, organisations can extend the time for responding by a further two months, so long as the person making the request is informed of the delay, given the reasons for it, and told the new date for the response. Organisations can also refuse to comply with a 'manifestly excessive' request, or charge a reasonable administrative fee related to the cost of complying with it, but there is a high threshold to meet in order to do so.
Key takeaway
As Stephen Bonner, the ICO's Deputy Commissioner, said: "being able to ask an organisation 'what information do you hold on me?' and 'how it is being used?' is a fundamental right, which provides both transparency and accountability. It is vital that organisations do not underestimate the importance of responding to these requests on time."
Handling subject access requests is not just about avoiding penalties; it is about upholding the trust and rights of individuals. Through timely compliance with access requests and by adhering to best practices, organisations can ensure that they meet their legal obligations and maintain positive stakeholder relationships.
Are you a data controller and wish to discuss your compliance with data subject access requests, or data protection laws more generally? If so, please get in touch with David Gourlay or another member of the Commercial Team at Morton Fraser MacRoberts LLP.