ICO issues reprimands against councils and other public sector bodies over failures in responding to subject access requests
The Information Commissioner’s Office (ICO) has taken action against seven bodies – six of them public – that it deemed failed to respond on time when asked by the public for personal information held about them in subject access requests (SAR).
A body must normally respond to a SAR within one month. But an ICO investigation found the seven repeatedly failed to meet this legal deadline.
This led to it issuing them with reprimands and practice recommendations under the Freedom of Information Act 2000.
The public bodies criticised were the Ministry of Defence, the Home Office, the London Borough of Croydon, Kent Police, the London Borough of Hackney and London Borough of Lambeth. Virgin Media was also reprimanded.
Information Commissioner John Edwards said: “SARs and requests made under [the Freedom of Information Act] are fundamental rights and are an essential gateway to accessing other rights.
'Being able to ask an organisation ‘what information do you hold on me?’ and ‘how it is being used?’ provides transparency and accountability and allows the person to ask for changes to be made or even for the information to be deleted.”
The seven were named after what the ICO called “multiple failures to respond to requests”.
The MoD has been issued with a reprimand after accumulating a SAR backlog dating from March 2020, which has continued to grow and now stands at 9,000.
A reprimand has also gone to the Home Office over a 21,000 cases backlog about which complaints expressed “significant distress” to the ICO. As of July just over 3,000 unanswered SARs remained outside the legal time limit.
The three London boroughs concerned were all reprimanded and Croydon and Hackney saw practice recommendations made.
In the case of Croydon the council in 2020-21 responded to fewer than half of SARs within the statutory timescales, leaving 115 residents without a timely response and the ICO to issue 27 decision notices.
Hackney did not respond to 60% of SARs in time and in one case for 23 months, while Lambeth received 815 SARs but responded to only 53% within time limits and “does not appear to be improving”.
Kent Police were reprimanded, despite having completed on time 60% of 200 SARs received, because some of the remainder took more than 18 months for a response.
Virgin Media’s reprimand came because over six months in 2021 it received more than 9,500 SARs and 19% were not responded to on time, although the ICO said compliance improved in 2022.
Mr Edwards said he intended to develop a ‘SAR generator’ to help people identify where their personal information is likely to be held and how to request it.
This would also provide information to the organisation about what it should do.