In response to multiple complaints, the Information Commissioner’s Office in the United Kingdom has issued reprimands against a number of organisations for failing to meet statutory obligations under the right of access set out in the UK GDPR. These organisations, including government departments, local authorities and a high profile communications company, have been publicly named and shamed by the Commissioner and given between three and six months to make improvements. This article discusses the background to the cases and explains what organisations need to know to avoid falling foul of their responsibilities in this area.
Details of the reprimands
This section analyses the issues raised by the ICO in the published reprimand letters. The Ministry of Defence (MoD) has been reprimanded for failing to respond to a large number of SARs. Despite having put in place two SAR recovery plans since 2020, the MoD still had a backlog of 9,000 SARs at the end of April 2022, according to the published reprimand. The MoD is planning to address the issue with external support from 40 contractors. This is a serious non-compliance issue, and the ICO is requiring the MoD to report to it monthly for the next six months on the progress made in clearing the backlog; otherwise further sanctions may be applied.
Five other public authorities and a private company have also been reprimanded for late responses. The table below outlines the statistics for responses within statutory timelines, as discussed in each reprimand letter. The London Boroughs of Croydon and Hackney were also issued with practice recommendations on their handling of Freedom of Information requests.
| Organisation | Period reviewed by ICO | Response rate within statutory timelines in that period |
| --- | --- | --- |
| Home Office | 1 April 2020 – 9 December 2021 | 45.73% |
| London Borough of Croydon | 1 April 2020 – 15 April 2021 | 49.85% |
| Kent Police | 1 April 2020 – 29 April 2021 | 60% |
| London Borough of Hackney | 1 April 2020 – 15 February 2021 | 37.66% |
| London Borough of Lambeth | 1 April 2020 – 11 August 2021 | 74% |
| Virgin Media | 1 July 2021 – 31 December 2021 | 86% |
The statistics illustrate that even where the proportion of responses made within the statutory timeframe is not drastically low, complaints to the Commissioner can still trigger an investigation, exposing an organisation to scrutiny and potential sanctions, as well as reputational damage. In the case of Virgin Media, the reprimand letter states that in 2021 the ICO received 125 complaints relating to SAR compliance. In the case of the London Borough of Lambeth, the trigger for the reprimand is unclear, but the letter mentions a lack of improvement in response times over an additional period monitored in 2022, as well as a lack of responsiveness from the DPO to the ICO’s correspondence.
The appointment of the new Commissioner, John Edwards, led many to speculate that a light-touch regulatory approach was on the horizon. These recent reprimands would seem to counter this notion, although the Commissioner appears to be in favour of using non-punitive sanctions in the first instance. Published reprimand letters can nonetheless be damaging, severely impacting the confidence and trust placed by the public in an affected organisation. In a recent blog post, Andy Laing, Head of Data Protection Complaints at the ICO, explained: ‘as the UK data regulator the ICO deals with over 35,000 complaints from individuals every year, the vast majority of those complaints are to do with the rules and obligations around accessing personal data.’ Trilateral’s analysis of the IAPP / EY 2021 annual Privacy Governance Report indicates that many of the issues underlying these reprimands relate to a lack of resources. So how can organisations foresee such issues, and what can they do to better manage large caseloads of requests?
How to avoid these issues
Based on our experience in managing information requests across a number of different organisations, we can offer the following tips:
Tip 1 – Monitor your requests and your compliance rates. This sounds simple to do – and it is! The key is to log your requests. Record received dates, response dates, extensions, clarification requests etc. A simple Excel spreadsheet is all you need. From it you can easily pull data and evaluate trends, including how many responses went out within the statutory one-month period (extendable by two further months for complex or numerous requests). If you can’t see a problem, you can’t respond to it!
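As an added illustration of Tip 1 (this is example code, not Trilateral’s tooling or anything from the ICO), the following script reads a request log and works out, for each SAR, whether the response met the statutory deadline. The deadline follows ICO guidance on counting "one month": the corresponding calendar date in the following month, or the last day of that month if there is no corresponding date (31 January → 28 February), rolled forward to the next working day if it lands on a weekend; an extended request gets three months from receipt. The sample log is constructed for the example, and public holidays are not modelled (an assumption a real tracker would need to fix, since a deadline falling on a bank holiday also rolls forward).

```python
"""SAR log checker: statutory deadlines and compliance rate (added example)."""
import calendar
import csv
import io
from datetime import date, timedelta

# Constructed sample log, not real data. "extended" means the organisation
# invoked the two-month extension; "responded" is blank for open requests.
SAMPLE_LOG = """\
ref,received,responded,extended
SAR-001,2022-01-31,2022-02-28,no
SAR-002,2022-03-01,2022-04-04,no
SAR-003,2022-03-10,2022-06-09,yes
SAR-004,2022-04-29,2022-05-30,no
SAR-005,2022-05-05,,no
"""


def add_months(d: date, months: int) -> date:
    """Corresponding calendar date `months` later, or the last day of that
    month when the day number does not exist (31 Jan + 1 month -> 28 Feb)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_working_day(d: date) -> date:
    """Roll a Saturday/Sunday deadline forward to Monday.
    Assumption: public holidays are not modelled here."""
    while d.weekday() >= 5:
        d += timedelta(days=1)
    return d


def statutory_deadline(received: date, extended: bool = False) -> date:
    """One month from receipt, or three months if the extension was invoked."""
    months = 3 if extended else 1
    return next_working_day(add_months(received, months))


def summarise(log_text: str, as_of: date) -> dict:
    """Classify each logged request and compute the on-time rate over closed
    requests. Open requests past their deadline are reported separately,
    since they are already breaches even though no response date exists."""
    on_time, late, open_overdue, open_in_time = 0, 0, [], 0
    late_refs = []
    for row in csv.DictReader(io.StringIO(log_text)):
        received = date.fromisoformat(row["received"])
        deadline = statutory_deadline(received, row["extended"] == "yes")
        if row["responded"]:
            if date.fromisoformat(row["responded"]) <= deadline:
                on_time += 1
            else:
                late += 1
                late_refs.append(row["ref"])
        elif as_of > deadline:
            open_overdue.append(row["ref"])
        else:
            open_in_time += 1
    closed = on_time + late
    return {
        "on_time": on_time,
        "late": late,
        "late_refs": late_refs,
        "open_overdue": open_overdue,
        "open_in_time": open_in_time,
        "rate_pct": (100.0 * on_time / closed) if closed else None,
    }


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG, as_of=date(2022, 7, 1))
    print(f"On time: {result['on_time']}, late: {result['late']} {result['late_refs']}")
    print(f"Open and overdue: {result['open_overdue']}")
    print(f"Compliance rate (closed requests): {result['rate_pct']:.2f}%")
```

Run monthly, the figures this produces are the same "response rate within statutory timelines" the ICO quoted in the reprimand letters, which makes the trend easy to put in front of budget holders (Tip 2) before the regulator asks for it.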
Tip 2 – Ensure you are using the data effectively. Data is great but you need to ensure the right people are being made aware of trends. If you can see there is a resourcing issue and you can evidence this with data, then ensure decision-makers on resources and budgets are aware of the trends.
Tip 3 – Know what is happening in the business. Ask to be informed of changes on the horizon that could impact your caseload. For example, if a department in your organisation is facing redundancies, this could increase your SAR caseload. If you know about expected peaks you can plan for them. Equally, if other areas of the business, such as Customer Service or Complaints Departments, are under-resourced, it is conceivable that this will have an impact on SAR caseloads: customers will often turn to a SAR when a complaint has not been responded to.
Tip 4 – This leads on from the previous point. Are your SARs really SARs? If you find you are receiving a lot of SARs relating to a specific record, investigate this. For example, annual tax statements may not have been issued on time. Go to the source of the problem to get it resolved there. It will likely be more expensive and a higher risk for the business to try to resolve the issue through the Privacy or Data Protection Department. A SAR can be challenged through the ICO so this could lead to regulatory issues. It is also likely the SAR will bring into scope more information than is actually wanted by a requestor. If the issue is resolved at source, ensure you follow up the initial request to ensure the data subject does not want to proceed with the SAR. This brings us nicely to the next point….
Tip 5 – Communicate with the requestor. In the first instance it can be helpful to discuss the scope of the SAR with the individual, particularly if the request is broad in nature. Of course, if a data subject wants ‘all their personal data’ this is a legitimate request and they cannot be required to narrow it. However, the requestor can benefit from being specific about what they really want: it will be less time consuming for the organisation and the requestor will be satisfied more quickly – it’s a win-win. And if there are going to be delays, keep the requestor updated on when they can expect to receive a response. This may avoid complaints to the ICO, as no one likes to be ignored.
Tip 6 – When contacted by a supervisory authority, ensure you respond promptly! Engage and cooperate with the regulator; this shows you take the concerns raised seriously and gives confidence that you intend to rectify the issues.
Finally…
If your business is experiencing issues with responding to SARs, Trilateral Research can help in a number of ways. Whether it’s providing advice on streamlining your processes or managing and responding to your caseload, our Data Protection and Cyber-risk Service can increase your response rates and help your organisation avoid public shaming!