An employee deletes data from their tablet

Action taken against organisations who failed to respond to information access requests

05 Oct 2022

The Information Commissioner’s Office (ICO) has taken action against seven organisations that have failed to respond to the public when asked for personal information held about them, known as a Subject Access Request (SAR).

A SAR must be responded to within one to three months, but an ICO investigation found seven organisations, across the public and private sector, repeatedly failed to meet this legal deadline. This resulted in regulatory action including reprimands as well as practice recommendations issued under the Freedom of Information Act 2000 (FOIA).

Information Commissioner John Edwards said:

“SARs and requests made under FOIA are fundamental rights and are an essential gateway to accessing other rights. Being able to ask an organisation ‘What information do you hold on me?’ and ‘How it is being used?’ provides transparency and accountability and allows the person to ask for changes to be made or even for the information to be deleted.”

The seven organisations were identified following a series of complaints in relation to multiple failures to respond to requests for copies of personal information collected and processed by these organisations, either within statutory timeframes or at all. As well as information being withheld, they also breached the UK GDPR and Data Protection Act.

As a result, the ICO has taken regulatory action against seven organisations.

The MoD has been issued with a reprimand following an identified SAR backlog dating back to March 2020. Despite setting up a recovery plan, this backlog has continued to grow, and currently stands at 9,000 SAR requests yet to be responded to. This has meant that, on average, people are typically waiting over 12 months for their information.
A reprimand has been issued to the Home Office following investigations that showed between March 2021 and November 2021, they had a significant backlog of SARs, amounting to just under 21,000 not being responded to during the statutory timeframe. Complaints to the ICO showed requesters suffered significant distress as a result. As of July 2022, there are just over 3,000 unanswered SARs outside of the legal time limit.
The investigation revealed that from April 2020 to April 2021, the London Borough of Croydon Council had responded to less than half of their SARs within the statutory timescales. This meant that 115 residents did not receive a response in accordance with the UKGDPR. Additionally, since June 2021, the ICO has issued 27 decisions notices under FOIA related to the Council’s failure to respond to information requests. They have been issued with a reprimand as well as a practice recommendation under our renewed approach to FOI regulation for failure to meet statutory response deadlines.
From October 2020 to February 2021, Kent Police received over 200 SARs, 60% of which were completed during the statutory deadline. However, some of the remaining SARs are reported to have taken over 18 months to issue a response. As of May 2022, over 200 SARs remain overdue. A reprimand has been issued.
For the period of April 2020 to February 2021, London Borough of Hackney did not respond to over 60% of the SARs submitted to them in the statutory timeframe. The oldest SAR was over 23 months. They have since been issued with a reprimand as well as a FOI practice recommendation.
London Borough of Lambeth has only responded to 74% of the SARs it has received within the statutory timescales from 1 August 2020 to 11 August 2021. This equates to 268 SARs. The council continues to have a backlog of SAR cases and, based on the updated figures, does not appear to be improving. They have been issued with a reprimand.
Over a six-month period in 2021, Virgin Media received over 9,500 SARs. 14% of these were not responded to during the statutory timeframe. However, their compliance in 2022 has seen improvements. A reprimand has been issued.

These organisations have between three and six months to make improvements or further enforcement action could be taken.

Some of the complaints included:

“I applied for access to my adoption and care records, and no one seems to know where these are. I was referred to another organisation who just referred me back to the Council. I was told my request was complex, but they refused to give me a time frame for a response. I am upset and angry and just want my files.”

“All we need is the asylum transcript so we can submit a humanitarian application. However, we can do nothing without those transcripts. I have chased this matter for seven months and have received nothing. My client's child is constantly at risk so long as he stays in the home country.”

“I was in care for many years and my file has been lost through a cyberattack. The original paper file was destroyed previously so I cannot access any of my personal data relating to my childhood. The file contained sensitive details of trauma I suffered, and I feel now this emotional abuse cannot be answered for.”

“I requested a password reset and the email it was sent to was not mine. I highlighted this as soon as I could and was told I was wrong. I then had someone set up online gaming accounts in my name the following week. I eventually managed to get through to the right team and they changed it. It should not take a customer this much effort to change something so simple and as a customer I should not have to explain to an advisor what a SAR is, and then chase it several times.”

“In January I made an SAR. In March I received written confirmation that stated the SAR was in progress. However, I still have not received the information. I feel powerless in this and have been adversely affected by the stress it has caused.”

“The delay in providing this information in relation of the allegations made against me is jeopardising my ability to defend myself and risks my whole career.”

John Edwards continued:

"We will continue to support organisations to meet their obligations to individuals, in addition to providing education to people about their rights. This includes developing a SAR generator to help people identify where their personal information is likely to be held and how to request it, at the same time as providing information to the organisation regarding what is required from them. We expect all information requests to be handled appropriately and in a timely way. This encourages public trust and confidence and ensures organisations stay on the right side of the law.”

A SAR is a request made by or on behalf of an individual for the information which they are entitled to ask for under Article 15 of the UK GDPR. Data subjects have the right to find out whether their personal data is being processed, where and why. The right to be forgotten allows the data subject to tell the data controller to delete their personal data, stop their data being distributed further, and potentially have third parties stop processing the data.

Organisations must comply with a SAR without undue delay, and at the latest within one month of receipt of the request or within one month of receipt of any information requested to confirm the requester’s identity or a fee.