0370 270 6000

already registered?

Please sign in with your existing account details.

need to register?

Register to access exclusive content, sign up to receive our updates and personalise your experience on brownejacobson.com.

Privacy statement - Terms and conditions

enforcement notice issued against council by the ICO due to subject access request backlog

18 September 2018

This article is taken from September's public matters newsletter. Click here to view more articles from this issue.


An enforcement notice has been issued by the Information Commissioner’s Office (the ICO) under the Data Protection Act 1998 which requires the London Borough of Lewisham to clear a backlog of subject access requests by 15 October 2018.

The ICO found that on 29 March 2018, Lewisham had a backlog of 113 subject access requests, the oldest of which dates back to 2013. Lewisham had a recovery plan in place which involved eliminating the backlog by 31 July 2018, but informed the ICO on 25 July 2018 that this deadline would not be met. A new deadline was proposed to deal with the remaining 19 outstanding requests, all of which were received prior to 25 May 2018 when the new legal framework for data protection came into force, but the ICO was concerned with Lewisham’s failure to adhere to previous deadlines set for clearing old subject access requests.

The ICO found the following breaches of the DPA 1998:

  • Lewisham failed to inform individuals, without undue delay, whether their personal data was being processed by or on behalf of the council and failed to communicate to individuals, without undue delay, what information may constitute personal data
  • the systems, procedures and policies put in place by Lewisham for dealing with subject access requests are inadequate, which has contributed to the contravention of the sixth data protection principle.

Under the terms of the enforcement notice, Lewisham is required to:

  • inform the 19 individuals who submitted subject access requests before 25 May 2018, whether the personal data processed by it includes personal data of which those individuals (or any of them) are the data subjects
  • supply each of them with a copy of any such personal data so processed in accordance with the requirements of the DPA 1998.

Practical tips 

This enforcement notice emphasises the importance of identifying and appropriately managing compliance issues, particularly those that impact directly on data subjects.

Although the enforcement notice was issued under the previous legal framework, the same requirements in terms of responding to subject access requests continue to apply. Indeed, the stronger emphasis on accountability under the new framework means that organisations must ensure that they can demonstrate robust internal processes to identify and manage compliance issues.

Where a compliance gap is suspected or identified, we recommend the following steps in order to avoid enforcement action by the ICO:

  • early identification of issues regarding data protection, for example any backlog in subject access requests

  • appropriate escalation of such issues, ensuring for instance that the Data Protection Officer and other members of the senior management team are informed as appropriate. Where a breach has been identified, the ICO may also need to be notified

  • developing and documenting a process to deal with the compliance issue (including a recovery plan if required). This may include needing to add additional resources to deal with a particular issue in a timely manner

  • reviewing and updating progress against the recovery plan at agreed intervals and ensuring appropriate reporting throughout the process.

Receive our latest government sector news

Choose the way you want to keep up to date with our latest updates and insights. Sign up to our monthly newsletter or join the conversation with our team on LinkedIn.

Sign up to receive updates >

Follow our LinkedIn showcase page >

<>

focus on...

Legal updates

Legal and regulatory newsletter - October 2019

The aim of the newsletter is to provide our clients and contacts across the financial services market with quarterly updates and insights on topical legal and regulatory issues.

View

Legal updates

Legal and regulatory monthly update - September 2019

The latest update covering delegated authority, insurance product development, the senior insurance managers regime, data protection, operational control frameworks, Lloyds market, and horizon scanning.

View

Legal updates

FCA Enforcement Annual Performance Report for 2018/19

Last month the FCA published the FCA Enforcement Annual Performance Report for 2018/19.

View

Legal updates

Tips for dealing with Litigants in Person

This article provides some tips to bear in mind when dealing with Litigants in Person and a reminder of a number of pieces of guidance, to assist in-house teams in dealing with Litigants in Person in disputes or court/tribunal proceedings.

View

The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.

Charlotte Harpin

Charlotte Harpin

Senior Associate (New Zealand Qualified)

View profile

mailing list sign up



Select which mailings you would like to receive from us.

Sign up