UK data protection watchdog takes action against organizations failing to comply with GDPR personal data access requests

Derek du Preez, September 29, 2022
Subject Access Requests (SAR) are a core component of GDPR and require that an organization must provide individuals with information held on them when asked to do so.


The UK’s data protection watchdog - the Information Commissioner’s Office (ICO) - has taken action against seven organizations that have failed to comply with their legal obligations under GDPR, specifically relating to providing individuals with information that they hold relating to their personal data. 

The move comes two days after the ICO issued guidance entitled ‘Subject Access Requests: Getting the basics right’, which outlined how getting access to personal data is a fundamental data protection right and provided guidance on how organizations need to be proactive to build trust. 

The action is being taken because organizations in the UK have failed to comply with the terms of Subject Access Requests (SARs), a key part of the GDPR legislation that was brought in in 2018. The UK has indicated that it plans to diverge from the EU-born data protection rules over the coming months and years, but at present complying with SARs is still mandatory.

An SAR is essentially when a member of the public asks an organization to hand over any personal data that it holds on them. The organization then has one to three months to respond to the request. 

Recently appointed Information Commissioner, John Edwards, said: 

SARs and requests made under Freedom of Information Act are fundamental rights and are an essential gateway to accessing other rights. 

Being able to ask an organization “what information do you hold on me?” and “how it is being used?” provides transparency and accountability and allows the person to ask for changes to be made or even for the information to be deleted.

Seven organizations have been identified following a series of complaints in relation to multiple failures to respond to requests for copies of personal information collected and processed by these organizations, either within the statutory timeframes or at all. The ICO notes that this is a clear breach of GDPR and the Data Protection Act. 

The ICO has quoted one of the complainants, who needed some personal data for an asylum application involving a child. The complainant said: 

“All we need is the asylum transcript so we can submit a humanitarian application. However, we can do nothing without those transcripts. I have chased this matter for seven months and have received nothing. My client's child is constantly at risk so long as he stays in the home country.”

Another complainant said that they couldn’t get access to their own adoption records, and said: 

I applied for access to my adoption and care records, and no one seems to know where these are. I was referred to another organization who just referred me back to the Council. I was told my request was complex, but they refused to give me a time frame for a response. I am upset and angry and just want my files.


The organizations that have been reprimanded include: 

  • Ministry of Defence - the central government department had a backlog of SARs dating back to March 2020. Despite a recovery plan, the backlog has continued to grow and currently stands at 9,000 SARs yet to be responded to. This means people are typically waiting over 12 months for their information. 

  • Home Office - investigations showed that between March 2021 and November 2021, the department had a significant backlog of SARs, amounting to just under 21,000 not being responded to during the statutory timeframe. Complaints to the ICO showed requesters suffered significant distress as a result. As of July 2022, there are just over 3,000 unanswered SARs outside of the legal time limit.

  • London Borough of Croydon - from April 2020 to April 2021, the London Borough of Croydon Council had responded to less than half of their SARs within the statutory timescales. This meant that 115 residents did not receive a response in accordance with the UK GDPR. Additionally, since June 2021, the ICO has issued 27 decision notices under FOIA related to the Council’s failure to respond to information requests.

  • Kent Police - between October 2020 and February 2021, Kent Police received over 200 SARs, of which 60% were completed within the statutory deadline. However, some of the remaining SARs are reported to have taken over 18 months to receive a response. As of May 2022, over 200 SARs remain overdue.

  • London Borough of Hackney - from April 2020 to February 2021, London Borough of Hackney did not respond to over 60% of the SARs submitted to them in the statutory timeframe. The oldest SAR was over 23 months.

  • London Borough of Lambeth - only responded to 74% of the SARs it has received within the statutory timescales from 1 August 2020 to 11 August 2021. This equates to 268 SARs. The council continues to have a backlog of SAR cases and, based on the updated figures, does not appear to be improving.

  • Virgin Media - Over a 6 month period in 2021, Virgin Media received over 9500 SARs. 14% of these were not responded to during the statutory timeframe. However, their compliance in 2022 has seen improvements.

Information Commissioner John Edwards added: 

We will continue to support organisations to meet their obligations to individuals. In addition to providing education to people about their rights. This includes developing a SAR generator to help people identify where their personal information is likely to be held and how to request it, at the same time as providing information to the organisation regarding what is required from them.

We expect all information requests to be handled appropriately and in a timely way. This encourages public trust and confidence and ensures organisations stay on the right side of the law.
