UK Watchdog Slams City Council for Subject Access Request Failures
Bristol City Council breached its legal duty to respond to subject access requests, the U.K. Information Commissioner's Office announced Wednesday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
People have a fundamental right to know what information organizations hold about them and how it's being used, said ICO Investigations Head Sally-Ann Poole. Despite the DPA's "repeated engagement" with the council, "limited progress has been made to clear a backlog of requests." The council's approach to compliance "demonstrates a poor organisational attitude toward data rights and compliance with the law."
The DPA ordered the council to contact everyone with overdue subject access requests to notify them of delays, and to provide overdue responses by set deadlines, with the oldest cases (from 2022) to be resolved within 30 days.
The council must also update the ICO weekly until all other requests have been handled, and create an action plan within 90 days to address the backlog. Additionally, the watchdog said, the council must, within 12 months, make system and procedural changes to ensure it completes future requests on time.