Information Commissioner's Office
Action taken against SEVEN organisations who failed in their duty to respond to information access requests
The Information Commissioner’s Office (ICO) has taken action against seven organisations who have failed to respond to the public when asked for personal information held about them, known as a Subject Access Request (SAR).
A SAR must be responded to within one to three months. But an ICO investigation found seven organisations, across the public and private sector, repeatedly failed to meet this legal deadline. This resulted in regulatory action including reprimands as well as practice recommendations issued under the Freedom of Information Act 2000 (FOIA).
Information Commissioner John Edwards yesterday said:
“SARs and requests made under FOIA are fundamental rights and are an essential gateway to accessing other rights. Being able to ask an organisation “what information do you hold on me?” and “how it is being used?” provides transparency and accountability and allows the person to ask for changes to be made or even for the information to be deleted.”
The seven organisations were identified following a series of complaints in relation to multiple failures to respond to requests for copies of personal information collected and processed by these organisations, either within statutory timeframes or at all, as well as information being withheld, breaching the UK GDPR and Data Protection Act.
Some of the complaints yesterday said:
“I applied for access to my adoption and care records, and no one seems to know where these are. I was referred to another organisation who just referred me back to the Council. I was told my request was complex, but they refused to give me a time frame for a response. I am upset and angry and just want my files.”
In relation to an asylum application involving a child, a complainant yesterday said:
“All we need is the asylum transcript so we can submit a humanitarian application. However, we can do nothing without those transcripts. I have chased this matter for seven months and have received nothing. My client's child is constantly at risk so long as he stays in the home country.”
“I was in care for many years and my file has been lost through a cyberattack. The original paper file was destroyed previously so I cannot access any of my personal data relating to my childhood. The file contained sensitive details of trauma I suffered, and I feel now this emotional abuse cannot be answered for.”
“I requested a password reset and the email it was sent to was not mine. I highlighted this as soon as I could and was told I was wrong. I then had someone set up online gaming accounts in my name the following week. I eventually managed to get through to the right team and they changed it. It should not take a customer this much effort to change something so simple and as a customer I should not have to explain to an advisor what a SAR is, and then chase it several times.”
“In January I made an SAR. In March I received written confirmation that stated the SAR was in progress. However, I still have not received the information.” Having been told that the delay could affect the complainant's credit score, they continued: “I feel powerless in this and have been adversely affected by the stress it has caused.”
“The delay in providing this information in relation to the allegations made against me is jeopardising my ability to defend myself and risks my whole career.”
As a result, the ICO has taken regulatory action against the following organisations:
Ministry of Defence (MoD)
The MoD has been issued with a reprimand following an identified SAR backlog dating back to March 2020. Despite setting up a recovery plan, this backlog has continued to grow, and currently stands at 9,000 SARs yet to be responded to. This has meant that, on average, people were waiting over 12 months for their information.
Home Office
A reprimand has been issued to the Home Office following investigations that showed that, between March 2021 and November 2021, it had a significant backlog of SARs, amounting to just under 21,000 not being responded to within the statutory timeframe. Complaints to the ICO showed requesters suffered significant distress as a result. As of July 2022, there are just over 3,000 unanswered SARs outside of the legal time limit.
London Borough of Croydon
The investigation revealed that from April 2020 to April 2021, the London Borough of Croydon Council had responded to fewer than half of its SARs within the statutory timescales. This meant that 115 residents did not receive a response in accordance with the UK GDPR. Additionally, since June 2021, the ICO has issued 27 decision notices under FOIA related to the Council’s failure to respond to information requests. The Council has been issued with a reprimand as well as a practice recommendation under our renewed approach to FOI regulation for failure to meet statutory response deadlines.
Kent Police
From October 2020 to February 2021, Kent Police received over 200 SARs, of which 60% were completed within the statutory deadline. However, some of the remaining SARs are reported to have taken over 18 months to receive a response. As of May 2022, over 200 SARs remain overdue. A reprimand has been issued.
London Borough of Hackney
For the period of April 2020 to February 2021, London Borough of Hackney did not respond to over 60% of the SARs submitted to them in the statutory timeframe. The oldest SAR was over 23 months. They have since been issued with a reprimand as well as a FOI practice recommendation.
London Borough of Lambeth
Between August 2020 and August 2021, London Borough of Lambeth Council received 815 SARs. Only 53% of these were responded to within one month, again breaking data protection law. They have been issued with a reprimand.
Virgin Media
Over a six-month period in 2021, Virgin Media received over 9,500 SARs. 14% of these were not responded to within the statutory timeframe. However, their compliance in 2022 has seen improvements. A reprimand has been issued.
These organisations have between three and six months to make improvements or further enforcement action could be taken.
John Edwards continued:
“We will continue to support organisations to meet their obligations to individuals, in addition to providing education to people about their rights. This includes developing a SAR generator to help people identify where their personal information is likely to be held and how to request it, at the same time as providing information to the organisation regarding what is required from them.
“We expect all information requests to be handled appropriately and in a timely way. This encourages public trust and confidence and ensures organisations stay on the right side of the law.”
A SAR is a request made by or on behalf of an individual for the information which they are entitled to ask for under Article 15 of the UK GDPR.
Notes to Editors:
- Organisations must comply with a SAR without undue delay, and at the latest within one month of receipt of the request or within one month of receipt of any information requested to confirm the requester’s identity or a fee.
- As part of our three-year strategic plan, ICO25, we have pledged to empower people through a better understanding of how their information is used and accessed. As a result, a SAR tool will be developed to help both requesters and organisations holding information.
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR) and Privacy and Electronic Communications Regulations 2003 (PECR).
- To report a concern to the ICO, go to ico.org.uk/concerns.