Information Commissioner’s Office takes action against seven organisations that failed to respond to Subject Access Requests (SARs)


A SAR must be responded to within one to three months, but an ICO investigation found seven organisations, across the public and private sector, repeatedly failed to meet this legal deadline. This resulted in regulatory action including reprimands as well as practice recommendations issued under the Freedom of Information Act 2000 (FOIA).

The seven organisations were identified following a series of complaints in relation to multiple failures to respond to requests for copies of personal information collected and processed by these organisations, either within statutory timeframes or at all, as well as information being withheld, breaching the UK GDPR and Data Protection Act 2018.

The Information Commissioner, John Edwards, said that the ICO will continue to support organisations to meet their obligations, including developing a SAR generator to “help people identify where their personal information is likely to be held and how to request it, at the same time as providing information to the organisation regarding what is required from them”. He reminded organisations that the ICO expects “all information requests to be handled appropriately and in a timely way. This encourages public trust and confidence and ensures organisations stay on the right side of the law”.

In a blog post, the ICO Head of Data Protection Complaints, Andrew Laing, said that the ICO issues thousands of pieces of advice on SARs to organisations every year. He lists the key takeaways as:

  • talk to customers: find out what they want; customers are less likely to complain to the ICO if organisations handle their data protection complaint well; tell customers if the deadline for individual rights requests cannot be met;
  • dialogue is key: the ICO sees a lot of requests made for all the information held by an organisation, when actually the requester only wants information relating to a specific incident; organisations should ask requesters to provide additional details, such as the context in which information may have been processed and likely dates when processing occurred, to help locate the requested information;
  • be proactive to build trust: organisations dealing with a complex or particularly large SAR should explain that they will send out information in batches and provide a timeframe for this; people often come to the ICO when they do not know what is going on with their data protection complaint;
  • explain exemptions if they apply: while a customer may not be happy, providing an explanation of why information has not been provided can help them understand the decision; and organisations should keep a record of their decision-making so that it can be shared with the ICO if necessary;
  • use plain English: explain things in a way that someone will understand, as data protection legislation can be confusing; and
  • honesty is the best policy: people complain when their information is being used in a way they did not expect, or they do not understand; organisations should therefore keep their privacy policy up to date where necessary and make sure it is accessible and easy to understand.
