ICO reprimands seven organisations for mishandling Data Subject Access Requests

Failing to respond Data Subject Access Requests

The ICO has taken action against seven organisations for failing to respond to Data Subject Access Requests (DSARs) in accordance with their legal obligations. These organisations include the Home Office, the London Borough of Hackney, Kent Police and Virgin Media.

Data subject access requests

Under data protection legislation, individuals are entitled to make a subject access request to find out whether an organisation is processing their personal data and to obtain a copy.  Organisations must also provide other information when responding, such as why the data is being processed, who it is being given to and how long it will be kept for. Organisations must respond to DSARs without undue delay and in any event within one month of receiving the request (plus any time taken to clarify a request).  This can be extended by a further two months where necessary, taking into account the complexity and number of requests.

The subject access right is a vital instrument for customers, employees and members of the public to access the data an organisation holds about them and understand how it has been processed. The latest ICO action emphasises organisations need to treat these requests with due care and attention.

The Failures

Examples of failures leading to reprimands from the ICO include:

Home Office – according to the ICO, between March 2021 and November 2021, the Home Office had a significant backlog of DSARs. During this period, just under 21,000 DSARs had not been responded to within the statutory timeframe. Complaints to the ICO showed requesters suffered significant distress as a result. As of July 2022, there were just over 3,000 unanswered DSARs outside of the legal time limit.

London Borough of Hackney - between April 2020 and February 2021, the London Borough of Hackney failed to respond to 60% of the DSARs it received within the statutory timeframe. The oldest DSAR was over 23 months old.

Kent Police – ICO investigations revealed that 60% of the force’s 200+ DSARs received between October 2020 and February 2021 were completed during the statutory timeframe. However, it is reported to have taken over 18 months to issue a response to some of the remaining DSARs. As of May 2022, over 200 DSARs remain overdue.

Virgin Media – Within a six month period in 2021, 14% of the 9,500 DSARs received were not responded to during the statutory timeframe. However, Virgin Media’s compliance in 2022 has seen improvements.

These organisations have been given between three and six months to demonstrate improvements or risk facing further ICO enforcement action.

What is a Reprimand? 

 A reprimand is a form of written notice, usually by letter, issued by the ICO after an investigation into an organisation’s data practices. The reprimand will provide details of the key issues with compliance that the ICO has found and set out the provisions of the legislation that have been breached. It will then set out recommended steps for improving compliance and require the organisation to provide it with updates. Where an offending organisation does not action a reprimand, the ICO can consider using further enforcement powers, including imposing fines of up to £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

How can organisations handle data requests better?

The ICO, in its capacity as the UK’s supervisory authority, has found that the most common issues with responses to DSARs are:

• Delay – information right requests taking too long
• Relationship break down – no one to contact, questions not being answered, incomplete or unsatisfactory responses
• Trust – lack of trust on the part of the requester in what they are being told
• Understanding – lack of understanding leading to information being perceived as unclear or unhelpful

Delay

As detailed above, an organisation has one month to respond requests, which can be extended to three months if it is a complex request. Where the standard time limit of one month cannot be adhered to, the individual making the request needs to be informed.

Relationship Break Down and Trust

If a request is taking longer than expected to deal with, or the focus of the request needs to be narrowed, this must be communicated to the requesting individual. Open dialogue with data subjects allows trust to be built and gives them confidence that their request is being dealt with effectively.

Understanding

Complaints often arise out of a lack of understanding of how an individual’s data is being used and/or how a request is being handled. Transparency is key. This begins in your data policies and notices. It is important that potential data subjects consulting your policies will know how their data will be handled by your organisation.

Exemptions

Where exemptions apply, it is vital that you communicate these accurately to the requestor, including why you believe they apply. When doing so, and in all your dealings with the data subject, use plain English.

In addition to the above, good practices to help ensure compliance include:

• Create a system to handle requests effectively: depending on the size of the organisation, and the nature of the processing activities carried out, you may be required to have a Data Protection Officer. However, it is good practice, irrespective of the scale of your processing, to have a designated employee within the organisation who handles DSARs and other privacy requests
• Train all employees: it is likely that all employees will come into contact with personal data, and it is therefore vital that they understand their obligations when handling personal data
• Try to clarify the scope of the request: often a request will be a general one and the data subject will not ask for specific information. Where an organisation processes a large amount of information about the data subject, it is prudent to seek to clarify the request which can in turn lead to it  being narrowed 
• Create an audit trail:  this will ensure compliance at all stages and, in the event of a complaint, demonstrate the systems you have in place.

Looking ahead

These recent reprimands by the ICO show the increasing role the regulator is having in the UK’s data market. While the actions are not as eye catching as the recent fines handed to Tuckers Solicitors and Clearview, it is a warning to organisations that the ICO is keeping a watchful eye on data protection practices.