Data privacy laws in the EU and UK established the right of individuals to find out what personal information organizations hold about them, but organizations aren’t always timely in answering subject access requests. Cordery’s Jonathan Armstrong and André Bywater discuss recent UK actions and explore methods for ensuring companies remain compliant with consumer data requests.
The EU and UK GDPR (and the UK Data Protection Act 2018 in the UK) allow individuals to make subject access requests (SARs) to organizations in order to obtain information about the personal data held about them by organizations, subject to certain exceptions.
Once an SAR is received, an organization must usually provide the information requested without delay — and at the latest within one month of receiving the request. If, however, an SAR is complex or the individual has made numerous requests, the organization may extend the period of compliance by a further two months but must inform the individual of the extension within one month of receipt of the request and explain why the extension is necessary.
Aggrieved individuals can make an official complaint to the Information Commissioner’s Office (ICO) about an organization’s handling of an SAR, and the ICO will make a determination as to whether the organization is in violation of the law, as well as what actions will be taken against the organization.
Recent ICO actions
After undertaking investigations, the ICO determined that seven UK organizations repeatedly failed to meet the relevant SAR response deadline. As a result, in many cases, people making the SARs had suffered significant distress.
The seven organizations were identified following a series of complaints in relation to multiple failures to respond to SARs for copies of personal information collected and processed by these organizations, either within the legal deadlines timeframes or at all.
The ICO undertook regulatory action against the following organizations:
- Ministry of Defense (MoD): The ICO issued a reprimand to the MoD following an identified SAR backlog dating back March 2020. Despite the MoD setting up a recovery plan, the backlog had continued to grow and stood at around 9,000 SAR requests waiting for a response, meaning that, on average, people have typically waited for over a year.
- Virgin Media: Over a 6-month period in 2021, Virgin Media received over 9,500 SARs, 19% of which were not responded to during the legal timeframe. The ICO accordingly issued a reprimand.
- Home Office: The ICO issued a reprimand to the Home Office because, between March 2021 and November 2021, the Home Office had a backlog of just under 21,000 SARs that had not be responded to within the legal timeframe, and, as of July 2022, there were just over 3,000 unanswered SARs outside the legal timeframe.
- London borough of Croydon: From April 2020 to April 2021, the Croydon Council had responded to less than half of SARs within the legal timeframe, meaning that 115 residents had not received a response. The ICO accordingly issued a reprimand.
- Kent Police: From October 2020 to February 2021, Kent Police received over 200 SARs, 60% of which were completed within the legal timeframe. However, some of the remaining SARs were reported to have taken over 18 months. As of May 2022, more than 200 SARs were overdue. The ICO accordingly issued a reprimand.
- London borough of Hackney: For the period of April 2020 to February 2021, the Hackney Council did not respond to over 60% of the SARs submitted within the legal timeframe. The oldest SAR was over 23 months. The ICO accordingly issued a reprimand.
- London borough of Lambeth: Between August 2020 and August 2021, the Lambeth Council received 815 SARs, only 53% of which were responded to within one month. The ICO accordingly issued a reprimand.
The ICO has ordered these organizations to make improvements between three and six months or face further possible enforcement action.
Turning around a SAR within the legal timeframe may be a challenge, but it is a compliance obligation that an organization must nevertheless meet. Otherwise it may face regulatory investigation, which will take up resources, and it may face regulatory action, depending on the outcome of investigations. Individuals could also seek financial compensation from organizations where those individuals’ SARs have not been handled properly and they consequently experienced distress.
To aim for compliance, organizations should:
- Make a note of when a SAR was received and when the time limit will end.
- From the moment the SAR is received, not alter personal data to prevent its disclosure to the individual (under UK data protection rules, this constitutes a criminal offense).
- Design efficient policies and procedures to deal with SARs.
- Train staff on how to handle SARs.