The ICO exists to empower you through information.

Update - December 2023

Six of the organisations that were reprimanded for failing to respond to Subject Access Requests within legally required timeframes have now taken appropriate steps and improved their compliance. We are continuing to monitor the performance of London Borough of Hackney.

The Information Commissioner’s Office (ICO) has taken action against seven organisations who have failed to respond to the public when asked for personal information held about them, known as a Subject Access Request (SAR).

A SAR must be responded to within one to three months. But an ICO investigation found seven organisations, across the public and private sector, repeatedly failed to meet this legal deadline. This resulted in regulatory action including reprimands as well as practice recommendations issued under the Freedom of Information Act 2000 (FOIA).

Information Commissioner John Edwards said:

“SARs and requests made under FOIA are fundamental rights and are an essential gateway to accessing other rights. Being able to ask an organisation “what information do you hold on me?” and “how it is being used?” provides transparency and accountability and allows the person to ask for changes to be made or even for the information to be deleted.”

The seven organisations were identified following a series of complaints in relation to multiple failures to respond to requests for copies of personal information collected and processed by these organisations, either within statutory timeframes or at all. As well as information being withheld, breaching the UKGDPR and Data Protection Act.

Some of the complaints said:

“I applied for access to my adoption and care records, and no one seems to know where these are. I was referred to another organisation who just referred me back to the Council. I was told my request was complex, but they refused to give me a time frame for a response. I am upset and angry and just want my files.”

In relation to an asylum application involving a child, a complainant said

“All we need is the asylum transcript so we can submit a humanitarian application. However, we can do nothing without those transcripts. I have chased this matter for seven months and have received nothing. My client's child is constantly at risk so long as he stays in the home country.”

“I was in care for many years and my file has been lost through a cyberattack. The original paper file was destroyed previously so I cannot access any of my personal data relating to my childhood. The file contained sensitive details of trauma I suffered, and I feel now this emotional abuse cannot be answered for.”

“I requested a password reset and the email it was sent to was not mine. I highlighted this as soon as I could and was told I was wrong. I then had someone set up online gaming accounts in my name the following week. I eventually managed to get through to the right team and they changed it. It should not take a customer this much effort to change something so simple and as a customer I should not have to explain to an advisor what a SAR is, and then chase it several times.”

“In January I made an SAR. In March I received written confirmation that stated the SAR was in progress. However, I still have not received the information.” Having been told that the delay could affect the complainants credit score, they continued “I feel powerless in this and have been adversely affected by the stress it has caused.”

“The delay in providing this information in relation of the allegations made against me is jeopardising my ability to defend myself and risks my whole career.”

As a result, the ICO has taken regulatory action against the following organisations:

Ministry of Defence (MoD)

The MoD has been issued with a reprimand following an identified SAR backlog dating back to March 2020. Despite setting up a recovery plan, this backlog has continued to grow, and currently stands at 9,000 SAR requests yet to be responded to. This has meant that, on average, people were typically waiting over 12 months for their information.

Home Office

A reprimand has been issued to the Home Office following investigations that showed between March 2021 and November 2021, they had a significant back log of SARs, amounting to just under 21,000 not being responded to during the statutory timeframe. Complaints to the ICO showed requesters suffered significant distress as a result. As of July 2022, there are just over 3,000 unanswered SARs outside of the legal time limit.

London Borough of Croydon

The investigation revealed that from April 2020 to April 2021, the London Borough of Croydon Council had responded to less than half of their SARs within the statutory timescales. This meant that 115 residents did not receive a response in accordance with the UKGDPR. Additionally, since June 2021, the ICO has issued 27 decisions notices under FOIA related to the Council’s failure to respond to information requests. They have been issued with a reprimand as well as a practice recommendation under our renewed approach to FOI regulation for failure to meet statutory response deadlines.

Kent Police

From October 2020 to February 2021, Kent Police received over 200 SARs, 60% were completed during the statutory deadline. However, some of the remaining SARs are reported to have taken over 18 months to issue a response. As of May 2022, over 200 SARs remain overdue. A reprimand has been issued.

London Borough of Hackney

For the period of April 2020 to February 2021, London Borough of Hackney did not respond to over 60% of the SARs submitted to them in the statutory timeframe. The oldest SAR was over 23 months. They have since been issued with a reprimand as well as a FOI practice recommendation.

London Borough of Lambeth

London Borough of Lambeth has only responded to 74% of the SARs it has received within the statutory timescales from 1 August 2020 to 11 August 2021. This equates to 268 SARs. The council continues to have a backlog of SAR cases and, based on the updated figures, does not appear to be improving. They have been issued with a reprimand.

Virgin Media

Over a 6 month period in 2021, Virgin Media received over 9500 SARs. 14% of these were not responded to during the statutory timeframe. However, their compliance in 2022 has seen improvements. A reprimand has been issued.

These organisations have between three and six months to make improvements or further enforcement action could be taken.

John Edwards continued:

"We will continue to support organisations to meet their obligations to individuals. In addition to providing education to people about their rights. This includes developing a SAR generator to help people identify where their personal information is likely to be held and how to request it, at the same time as providing information to the organisation regarding what is required from them.

“We expect all information requests to be handled appropriately and in a timely way. This encourages public trust and confidence and ensures organisations stay on the right side of the law.”

A SAR is a request made by or on behalf of an individual for the information which they are entitled to ask for under Article 15 of the UK GDPR.

If you’d like to know more about SARs and how to best deal with them, visit our website or read our latest blog.

Notes to editors:

  1. For further information on your right to access, please click here or here.
  2. Organisations must comply with a SAR without undue delay, and at the latest within one month of receipt of the request or within one month of receipt of any information requested to confirm the requester’s identity or a fee.
  3. As part of our three-year strategic plan, ICO25, we have pledged to empower people through a better understanding of how their information is used and accessed. As a result, a SAR tool will be developed to help both requesters and organisations holding information.
  4. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  5. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR) and Privacy and Electronic Communications Regulations 2003 (PECR).
  6. To report a concern to the ICO, go to ico.org.uk/concerns.