The UK’s data protection regulator has taken action against seven public and private sector organizations for failing to meet their obligations under the GDPR and UK Data Protection Act.
UK organizations must respond to requests by members of the public for personal information held on them, known as Subject Access Requests (SARs), within one to three months. This is a central pillar of the GDPR, which aims to improve transparency in data processing and enhance data subjects’ rights.
However, after receiving multiple complaints about the erring organizations, the Information Commissioner’s Office (ICO) was forced to step in.
The seven organizations have all been issued with reprimands, which could be escalated to more serious regulatory action if conditions are not met. Several were also given a “practice recommendation” under the Freedom of Information Act 2000, which could lead to an enforcement notice if ignored.
These organizations are:
- The Ministry of Defence (MoD), which has a current SAR backlog of 9000, meaning individuals are waiting more than 12 months for their information
- The Home Office, which hasn’t responded to 21,000 SARs within the statutory timeframe
- The London Borough of Croydon, which responded to less than half of its SARs within statutory timeframes, between April 2020 and April 2021
- Kent Police, which responded to 60% of SARs on time between October 2020 and February 2021. However, some outstanding requests have taken over 18 months to process
- The London Borough of Hackney, which didn’t respond to over 60% of SARs within the statutory timeframe
- The London Borough of Lambeth, which responded to only 53% of SARs within one month, breaking data protection laws
- Virgin Media, which didn’t respond to 14% of SARs on time over a six-month period in 2021
Information commissioner, John Edwards, said the ICO would be providing citizens and organizations with support to streamline the SAR process.
“This includes developing a SAR generator to help people identify where their personal information is likely to be held and how to request it, at the same time as providing information to the organization regarding what is required from them,” he added.
“We expect all information requests to be handled appropriately and in a timely way. This encourages public trust and confidence and ensures organizations stay on the right side of the law.”
A Virgin Media spokesperson sent the following statement to Infosecurity: “We apologize that our handling of subject access requests last year was not to the standard it should have been. We have since put measures in place which have significantly improved our performance and will continue to carefully monitor this.”