ICO takes action against two councils for failing to respond to subject access requests

The Information Commissioner’s Office (ICO) has reprimanded two councils that have failed to respond to the public when asked for personal information held about them – known as a Subject Access Request (SAR).

A SAR is a request made by or on behalf of an individual for the information which they are entitled to ask for under Article 15 of the UK General Data Protection Regulation.

According to the ICO, Plymouth City Council and Norfolk County Council have repeatedly failed to meet the legal deadline of one to three months for responding to a SAR.

The ICO has issued a reprimand to both local authorities, instructing them to take steps to ensure that the public receive their personal information within the statutory period.

Following enquiries, the ICO found that Norfolk had only responded to 51% of SARs on time between April 2021 and April 2022, meaning that 251 residents did not receive a response within the legal timeframe.

Delays were also found at Plymouth over the last three years, with 18 requests taking up to two years to complete and a further 18 requests taking between three months and one year. There were 20 outstanding requests up to a year old, and eight requests still outstanding up to two years later. The highest compliance rate for SARs completed on time was 77% in 2022-2023. 

Stephen Eckersley, ICO Director of Investigations, said: “Asking an organisation for the personal information they hold is a fundamental information right, helping people to understand how and why their data is being used.”

Delays to this process can cause anxiety or distress and have significant impact on people’s lives if they cannot receive copies of their data on time, he said.

Eckersley claimed that both councils were undermining public confidence by failing to be transparent and accountable.

He added: “They are also denying residents access to their other information rights, such as asking for the information to be changed or deleted. Other organisations should take note that we will act if they fail to meet their legal obligations when responding to SARs.” 

While both councils have invested in staff to tackle the requests, the reprimands outline further steps to improve compliance with data protection law. Both councils must ensure that they have adequate staff resources in place to respond to SARs on time, and continue to implement effective measures to address the outstanding requests, the ICO said. 

The watchdog has asked Norfolk and Plymouth to provide details of actions taken to address these recommendations within six months of the reprimand being issued.

A spokesperson for Norfolk County Council said: “We fully accept the Information Commissioner’s Office findings and are working hard to ensure the backlog of Subject Access Requests is dealt with swiftly.

“As of the date of the reprimand, less than 12% of the SARs submitted during the period in question remain outstanding, and in line with the Information Commissioner’s Office recommendations we had already increased the number of staff dealing with these requests and are grateful to the ICO for recognising and commending the progress we have made.”

Norfolk said that the past five years had seen close to a doubling in the number of SARs submitted to the county council, and that as a result it had implemented a number of measures to better manage the requests. These measures had recently been shared as best practice by the Information Commissioner’s Office when dealing with a SAR backlog, the council added.

A spokesman for Plymouth said it accepted the findings of the ICO report and had already taken steps to address its concerns.

The council reported that the backlog was caused by a large increase in court orders due to the Covid lockdown – from an average of 46 a year prior to 2019/20 to 269 in 2021/22 – which at the time it did not have the resource to complete.

The spokesman said the backlog had reduced considerably in the last year after the council applied the recommendations made by the ICO by increasing staff with the skills to process the requests.

He added: “We are confident that these changes will ensure that a backlog like this does not occur again.”

Harry Rodd