The ICO exists to empower you through information.

The Information Commissioner’s Office (ICO) has reprimanded two councils that have failed to respond to the public when asked for personal information held about them – known as a Subject Access Request (SAR).

Both Plymouth City Council and Norfolk County Council repeatedly failed to meet the legal deadline of one to three months for responding to a SAR. The ICO has issued a reprimand to both councils, instructing them to take steps to ensure that the public receive their personal information within the statutory period.

Following enquiries, the ICO found that Norfolk County Council had only responded to 51% of SARs on time between April 2021 and April 2022, meaning that 251 residents did not receive a response within the legal timeframe.

Delays were also found at Plymouth City Council over the last three years, with 18 requests taking up to two years to complete and a further 18 requests taking between three months and one year. There were 20 outstanding requests up to a year old, and eight requests still outstanding up to two years later. The highest compliance rate for SARs completed on time was 77% in 2022-2023.

“Asking an organisation for the personal information they hold is a fundamental information right, helping people to understand how and why their data is being used. Delays to this process can cause anxiety or distress and have significant impact on people’s lives if they cannot receive copies of their data on time.

“With these backlogs of requests, both councils are undermining public confidence by failing to be transparent and accountable. They are also denying residents access to their other information rights, such as asking for the information to be changed or deleted. Other organisations should take note that we will act if they fail to meet their legal obligations when responding to SARs.”

- Stephen Eckersley, ICO Director of Investigations

While both councils invested in staff to tackle the requests, the reprimands outline further steps to improve compliance with data protection law. Both councils must ensure that they have adequate staff resources in place to respond to SARs on time, and continue to implement effective measures to address the outstanding requests.

The ICO has asked Norfolk County Council and Plymouth City Council to provide details of actions taken to address these recommendations within six months of the reprimand being issued.

A SAR is a request made by or on behalf of an individual for the information which they are entitled to ask for under Article 15 of the UK General Data Protection Regulation.

Notes to editors
  1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The  ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
  3. The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
  4. To report a concern to the ICO telephone call our helpline on 0303 123 1113, or go to ico.org.uk/concerns.