Unanswered subject access requests have lead to reprimands for seven organisations from the ICO. 

The UK’s Information Commissioner’s Office (ICO) has taken action against seven organisations which have failed to respond to members of the public when presented with a Subject Access Request (SAR). Under the UKGDPR, individuals should be able to request from an organisation details on their personal information which is in the organisation’s possession. These requests must be fulfilled within one to three months. A recent ICO investigation has revealed seven organisations which have repeatedly failed to meet the deadline required by the UKGDPR. This group includes organisations across both the public and private sector. 

Seven organisations were identified as having a series of complaints filed against them for failing to respond to subject access requests. 

After a series of complaints relating to multiple failures to respond to subject access requests were lodged with the ICO, seven organisations were identified as being out of compliance. These organisations were found unable to provide copies of their personal information to individuals either within the statutory timeframe of one to three months, or at all in some cases. These organisations spanned both the private and public sector and include the Ministry of Defence, Home Office, the London Borough of Croydon, London Borough of Hackney, London Borough of Lambeth, Kent Police, and Virgin Media. These seven organisations were found to have breached the UKGDPR and Data Protection Act.

Reprimands and practice recommendations were issued to the organisations under the Freedom of Information Act. 

The seven organisations which were found to be out of compliance were met with regulatory action including the issue of reprimands as well as practice recommendations, under the Freedom of Information Act 2000 (FOIA). Information Commissioner John Edwards, said in a recent statement from the ICO “SARs and requests made under FOIA are fundamental rights and are an essential gateway to accessing other rights. Being able to ask an organisation “what information do you hold on me?” and “how it is being used?” provides transparency and accountability and allows the person to ask for changes to be made or even for the information to be deleted.”

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.