Two Local Authorities issued with ICO reprimand for failure to respond to Subject Access Requests

Laura Rae

Published: May 15th, 2023


On 15 May 2023, the Information Commissioner's Office (ICO) issued two Local Authorities, Plymouth City Council and Norfolk County Council, with reprimand notices for failing to respond to subject access requests (SARs) received from members of the public.

The Law

Article 15 of the UK General Data Protection Regulation (UK GDPR) provides individuals, referred to in the legislation as 'data subjects', with the right to:

i) receive confirmation from a data controller (i.e. any organisation that determines the purposes for which, and the means by which, personal information is processed) as to whether information about them is being processed; and

ii) obtain access to the information held about them, together with supplementary information about that processing.

Article 12(3) of the UK GDPR, read with the Data Protection Act 2018, requires a SAR to be responded to without undue delay and in any event within one month of the date of receipt of the request. A data controller can extend this period by a further two months (i.e. a total period of no more than three months) where necessary, taking into account the complexity and number of the requests.

ICO investigation

Following investigation by the ICO, both Plymouth City Council and Norfolk County Council were found to have repeatedly failed to respond to SARs within the maximum three-month timescale. In announcing its sanction, the ICO produced the following statistics:

"Norfolk County Council had only responded to 51% of SARs on time between April 2021 and April 2022, meaning that 251 residents did not receive a response within the legal timeframe.

Delays were also found at Plymouth City Council over the last three years, with 18 requests taking up to two years to complete and a further 18 requests taking between three months and one year. There were 20 outstanding requests up to a year old, and eight requests still outstanding up to two years later. The highest compliance rate for SARs completed on time was 77% in 2022-2023."

Given the above, the ICO has issued both Local Authorities with reprimand notices and has asked each to report, within six months, the actions taken to address the ICO's recommendations.

Consequences of a Reprimand

A reprimand is issued by the ICO under Article 58(2) UK GDPR following an investigation in which the ICO finds that an organisation has not complied with the UK GDPR, but considers the breach not serious enough to attract a fine. Reprimands are also commonly issued to public sector organisations as an alternative to a fine, which would have to be paid out of public funds.

In December 2022, the ICO announced that it would publish details of reprimands on its website. Therefore, despite avoiding a fine, an organisation may now face additional scrutiny and reputational damage as a result of a reprimand being issued. It may also find the published reprimand cited as evidence in claims for compensation arising from a data breach.

Lessons learned

In its reprimands, the ICO has asked both Local Authorities to take further action, including:

  1. ongoing monitoring of SAR compliance;

  2. consideration of improvements that can be made to the SAR handling process;

  3. taking steps to ensure that SARs are responded to within statutory deadlines;

  4. ensuring adequate staff resources are in place to process and respond to SARs;

  5. ensuring effective measures are in place to address the SAR backlog.

Alongside its recommendations, the ICO Director of Investigations, Stephen Eckersley, draws particular attention to the reputational impact on public bodies of failing to honour "fundamental" data subject rights, stating that:

"[w]ith these backlogs of requests, both councils are undermining public confidence by failing to be transparent and accountable."

Conclusion

Moving forwards, all organisations, but particularly public bodies, should heed the warning of the ICO's commitment to enforcing the data rights of individuals, while noting that, in some circumstances, the organisation has no recourse against the sanction issued.

The above case highlights the importance of having a clear and proportionate SAR handling process that aligns with the time limits set out in legislation, alongside sufficient resources to meet the demands of that process.

Organisations that fail to meet their SAR handling obligations, or that intentionally choose to ignore an individual's data protection rights, may become a focus of the ICO's investigatory powers, which for most public bodies can have a devastating impact on public opinion and support.

A full copy of each reprimand is published on the ICO's website.

For more information contact Laura Rae in our Governance, Procurement & Information department via email or phone on 01772 220 221. Alternatively, send any question through to Forbes Solicitors via our online Contact Form.
