What is this about?
Data protection rules (including the GDPR and the UK Data Protection Act 2018) allow individuals to make so-called “Subject Access Requests” (SARs), through which they can seek copies of the personal data that organisations hold about them, along with certain related information about how that data is stored and processed. Tight response deadlines apply. The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has competence to act with regard to SARs, including enforcement. We recently wrote about SARs here: http://www.corderycompliance.com/uk-appeal-court-ruling-on-balancing-test-in-sars-2/
What is the background to the case?
In this case the London Borough of Lewisham (the council) had a backlog of 113 SARs from individuals, the oldest dating back to 2013. The ICO had received complaints from individuals who had made SARs about the council’s delay in responding to them, and the ICO and the council had been in contact about this. The council’s plan was to eliminate that backlog by 31 July 2018, and some progress had been made, but the council provided an update to the ICO on 25 July 2018 explaining that the 31 July 2018 deadline would not be met.
What did the ICO decide?
Prior to the 31 July 2018 deadline, the ICO told the council that failure to clear the backlog in time could lead to formal enforcement action. The council submitted an updated plan, but this did not allay the ICO’s concerns about the backlog and the council’s systems to deal with SARs. The ICO therefore concluded that the council had contravened the then-existing UK data protection regime in that it had failed to inform individuals without undue delay whether their personal data was being processed by the council and, where that was the case, the council had failed to communicate this to the individuals. The ICO also determined that the council’s systems, procedures and policies for dealing with SARs were inadequate and therefore contributed to the council’s contravention of the rules.
The ICO therefore decided to serve an official enforcement notice requiring the council to inform nineteen individuals who had submitted SARs prior to 25 May 2018 (which is when GDPR came into full force and replaced the previous data protection regime) whether those individuals’ personal data was being processed and, if so, to supply them with copies of that personal data. Failure to comply with the terms of the enforcement notice constitutes a criminal offence.
What are the takeaways?
The main takeaway is that SAR deadlines cannot be ignored; missing them can be met with enforcement action by the regulator. Bear in mind too that the response deadline under the EU General Data Protection Regulation is shorter than under the old regime (in effect a month). Therefore, review your policy and procedure for dealing with SARs so that you can respond to them in time (and effectively).
The ICO’s decision can be found here: https://ico.org.uk/action-weve-taken/enforcement/london-borough-of-lewisham-en-sep/
We report about data protection issues including SARs here: http://www.corderycompliance.com/category/data-protection-privacy/. For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/.
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. GDPR Navigator includes:
- Detailed guidance on the security aspects of GDPR in paper and on film;
- A template data breach log;
- A template data breach plan; and,
- A template data breach reporting form.
For more on Navigator please see here: http://www.corderycompliance.com/solutions/cordery-gdpr-navigator/.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | Office: +44 (0)207 075 1784 | Jonathan.armstrong@corderycompliance.com
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | Office: +44 (0)207 075 1785 | Andre.bywater@corderycompliance.com