Happy International Day for Universal Access to Information 2022 (IDUAI)! UNESCO has recognised 28 September as an opportunity to raise awareness about the ‘right to know’, fundamental to democracy. Although this appears aimed more at the ‘right to know’ what data public bodies are processing (and which can be accessed via a Freedom of Information request), data subjects are also granted the right to know which personal data of theirs data controllers are processing by Article 15 of the UK GDPR. Such right is fundamental to ensure that the right to privacy is respected.

Article 15 of the UK GDPR sets out that data subjects: ‘have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.’ Such data, according to Article 12 UK GDPR, shall be provided ‘to the data subject without undue delay and in any event within one month of receipt of the request’, although ‘that period may be extended by two further months where necessary, taking into account the complexity and number of the requests’.

With the celebrations for IDUAI lasting long into the night, and John Edwards, the Information Commissioner, also encouraging data subjects to submit data subject access requests (DSARs), we are seeing an increase in such requests being made.

Data controllers need to be aware of the potential repercussions of failing to comply with such requests. A conveniently timed IDUAI ICO press release gives details of ‘SEVEN’ organisations who failed in their duty to respond to DSARs:

  1. The Ministry of Defence was issued with a reprimand for having a backlog of 9,000 DSARs with a typical 12 month waiting time;
  2. The Home Office was issued with a reprimand for having 3,000 unanswered DSARs (down from 21,000 between March and November 2021);
  3. The London Borough of Croydon was issued with a reprimand and a freedom of information practice recommendation for responding to less than half of their DSARs within the statutory timescales;
  4. Kent Police was issued with a reprimand for having over 200 overdue DSARs;
  5. The London Borough of Hackney received a reprimand and a freedom of information practice recommendation for failing to respond to over 60% of DSARs in the statutory timeframe (with the oldest DSAR being over 23 months);
  6. The London Borough of Lambeth received a reprimand for only responding to 74% of the SARs it had received within the statutory timescales from 1 August 2020 to 11 August 2021, and for having a backlog that did not appear to be improving; and
  7. Virgin Media received a reprimand for not responding to 14% of the 9,500 DSARs they received over a 6 month period in 2021. They were also given recommendations for improvement, being required to provide the ICO with an update after three and six months respectively.

On the importance of DSARs, John Edwards said: ‘SARs and requests made under FOIA are fundamental rights and are an essential gateway to accessing other rights. Being able to ask an organisation “what information do you hold on me?” and “how it is being used?” provides transparency and accountability and allows the person to ask for changes to be made or even for the information to be deleted… We expect all information requests to be handled appropriately and in a timely way. This encourages public trust and confidence and ensures organisations stay on the right side of the law’. This ICO action makes clear that they will not hesitate to reprimand organisations that fail to comply.

But what is a reprimand? Article 58(2)(b) of the UK GDPR states that the ICO can ‘issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation’. A reprimand sets out how the case has been considered, the evidence assessed, and then states that the reprimand has been given.

We are often asked by clients if they are likely to face a monetary penalty for failing to respond to a DSAR within the statutory deadline. This recent enforcement action would suggest that data controllers may avoid a monetary penalty, even if they fail to respond to thousands of DSARs, if it is a first time offence (in the UK at least – our European sibling organisations can be less reticent in doling out the fines). However, it is worth bearing in mind these reprimands will be taken into account in case of any future failure on the parts of these data controllers. This is in keeping with the ICO’s collaborative approach, working with organisations to ensure compliance, as well as, in the case of public sector organisations, the revised approach to public sector enforcement, relying more on “the ICO’s wider powers, including warnings, reprimands and enforcement notices, with fines only issued in the most serious cases”.