What’s this about?
The UK’s data protection regulator the Information Commissioner’s Office (ICO) has acted against seven UK organisations who failed to respond to Subject Access Requests (SARs).This follows a trend across Europe of more enforcement action on SARs.
There are some data protection terms in this note which are explained at www.bit.ly/gdprwords
What is a Subject Access Request?
In the EU and UK GDPR (and the UK Data Protection Act 2018 in the UK) allows individuals to make SARs to organisations where they can seek to obtain information about the personal data held about them by organisations, subject to certain exceptions.
Once a SAR is received an organisation must usually provide the information requested without delay and at the latest within one month of receiving the request. If however a SAR is complex or the individual has made numerous requests, the organization may extend the period of compliance by a further two months and must inform the individual of the extension within one month of the receipt of the request, and explain why the extension is necessary.
Aggrieved individuals can make an official compliant to the ICO about an organisation’s handling of a SAR.
What has the ICO done?
After undertaking investigations, the ICO determined that seven UK organisations repeatedly failed to meet the relevant SAR response deadline. As a result, in many cases people making the SARs had suffered significant distress.
The seven organisations were identified following a series of complaints in relation to multiple failures to respond to SARs for copies of personal information collected and processed by these organisations, either within the legal deadlines timeframes or at all.
Against which organisations did the ICO take action and what were these about?
The ICO undertook regulatory action against the following organisations:
- Ministry of Defence (MoD) – according to the ICO, it issued a reprimand to the MoD following an identified SAR backlog dating back to March 2020. Despite the MoD setting up a recovery plan, the backlog had continued to grow, and stood at around 9,000 SAR requests waiting for a response, meaning that, on average, people have typically waited for over a year.
- Virgin Media – according to the ICO, over a 6-month period in 2021, Virgin Media received over 9,500 SARs, 19% of which were not responded to during the legal timeframe. The ICO accordingly issued a reprimand.
- Home Office (the UK’s equivalent to an Interior Ministry) – according to the ICO, it issued a reprimand to the Home Office because, between March 2021 and November 2021, the Home Office had a backlog of just under 21,000 SARs that had not be responded to within the legal timeframe, and, as of July 2022, there were just over 3,000 unanswered SARs outside the legal timeframe.
- London Borough of Croydon – according to the ICO, from April 2020 to April 2021, the London Borough of Croydon Council had responded to less than half of their SARs within the legal timeframe, meaning that 115 residents had not received a response. The ICO accordingly issued a reprimand;
- Kent Police – according to the ICO, from October 2020 to February 2021, Kent Police received over 200 SARs, 60% of which were completed within the legal timeframe. However, some of the remaining SARs were reported to have taken over 18 months to issue a response. As of May 2022, over 200 SARs were overdue. The ICO accordingly issued a reprimand.
- London Borough of Hackney – according to the ICO, for the period of April 2020 to February 2021, the London Borough of Hackney did not respond to over 60% of the SARs submitted to them within the legal timeframe. The oldest SAR was over 23 months. The ICO accordingly issued a reprimand.
- London Borough of Lambeth – according to the ICO, between August 2020 and August 2021, the London Borough of Lambeth Council received 815 SARs, only 53% of which were responded to within one month. The ICO accordingly issued a reprimand.
The ICO has ordered these organisations to make improvements between three and six months or face further possible enforcement action.
Whilst turning around a SAR within the legal timeframe may be a challenge, it is a compliance obligation that an organisation must nevertheless meet. Otherwise it may face regulatory investigation, which will take up resources, and it may face regulatory action. Individuals could also seek financial compensation from organisations where those individuals’ SARs have not been handled properly by the organisation and consequently affected those individuals such as causing them distress.
To aim for compliance, organisations should:
- Make a note of when a SAR was received and when the time limit will end;
- From the moment the SAR is received, not alter etc. personal data to prevent its disclosure to the individual – under UK data protection rules this constitutes a criminal offence;
- Design efficient policies and procedures to deal with SARs; and,
- Train staff on how to handle SARs.
We write about privacy/data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
We’ve written about data subject access requests including here: https://www.corderycompliance.com/sars-under-gdpr/, here: https://www.corderycompliance.com/limits-on-sars-uk-court-rulings/, here: https://www.corderycompliance.com/ico-sars-enforcement-lewisham-council/
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH||André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH|
|Office: +44 (0)207 075 1784||Office: +44 (0)207 075 1785|