As a business owner or manager, it's important to respond promptly to information requests, especially when it comes to Subject Access Requests (SARs). The recent reprimand issued to the Labour Party by the Information Commissioner’s Office (ICO) serves as a reminder of the legal obligations and potential consequences of failing to meet these requirements.
What happened?
The Labour Party was reprimanded by the Information Commissioner’s Office (ICO) for repeatedly failing to respond to SARs in a timely manner. SARs are requests from individuals asking an organisation to provide any personal information it holds about them and details on how it is being used.
Under data protection law, organisations must respond to these requests within one month, with a possible extension of up to two months for complex cases.
However, an investigation by the ICO found that the Labour Party had a significant backlog of SARs following a cyber-attack in October 2021. By November 2022, they had 352 outstanding SARs, 78% of which had not been responded to within the mandatory three-month timeframe. Alarmingly, over half of these requests were delayed by more than a year.
Moreover, a previously unmonitored ‘privacy inbox’ was discovered, containing approximately 646 additional SARs and 597 requests for personal information to be deleted. None of these requests had been addressed.
What can you do?
While the number of information requests most businesses receive is likely to be much lower than the number received by the Labour Party, you still need to take care to respond to requests in a timely way.
To do that you could consider:
- Writing down clear processes for handling SARs and making all staff aware of these procedures and the importance of timely responses.
- Deciding whose responsibility it is to monitor and handle SARs, and making sure they have the resources available to handle the task.
- Regularly monitoring all communication channels into your business where a SAR might be submitted, such as designated email addresses.
- Regularly reviewing the ICO’s guidance on SARs so that your business stays informed about legal requirements and best practices.
The reprimand issued to the Labour Party by the ICO serves as a good reminder of the importance of responding to SARs in a timely manner. As a business, failing to comply with these requirements can result in legal consequences, damage to your reputation, and a loss of trust among your customers and the public.
By making sure you implement procedures to deal with SARs, you can avoid these risks and demonstrate your commitment to data protection and individuals’ rights.
For more info, see: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/08/action-taken-against-labour-party-for-failing-to-respond-to-requests-for-personal-information-on-time/