The Information Commissioner’s Office (ICO) has reprimanded two councils that have failed to respond to subject access requests (SARs) from the public.
It said Plymouth City Council and Norfolk County Council both repeatedly failed to meet the legal deadline of one to three months for responding to a SAR.
It has instructed them to take steps to ensure that the public receive their personal information within the statutory period outlined in the UK General Data Protection Regulation.
The ICO’s enquires found that Norfolk had only responded to 51% of SARs on time between April 2021 and April 2022, meaning that 251 residents did not receive a response within the legal timeframe.
Delays were also identified at Plymouth over the past three years, with 18 requests taking up to two years to complete and a further 18 taking between three months and one year. There were 20 outstanding requests up to a year old, and eight requests still outstanding up to two years later. The highest compliance rate for SARs completed on time was 77% in 2022-23.
Putting things right
While both councils invested in staff to tackle the requests, the reprimands outline further steps to improve compliance with data protection law. Both councils must ensure that they have adequate staff resources in place to respond to SARs on time, and continue to implement effective measures to address the outstanding requests.
They have also been asked to provide details of actions taken to address these recommendations within six months of the reprimand being issued.
Stephen Eckersley, ICO director of investigations, said: “Delays to this process can cause anxiety or distress and have significant impact on people’s lives if they cannot receive copies of their data on time.
“With these backlogs of requests, both councils are undermining public confidence by failing to be transparent and accountable. They are also denying residents access to their other information rights, such as asking for the information to be changed or deleted.”