Enforcement notice issued against council by the ICO due to subject access request backlog

18 September 2018

This article is taken from September's public matters newsletter.

An enforcement notice has been issued by the Information Commissioner’s Office (the ICO) under the Data Protection Act 1998 which requires the London Borough of Lewisham to clear a backlog of subject access requests by 15 October 2018.

The ICO found that on 29 March 2018, Lewisham had a backlog of 113 subject access requests, the oldest of which dates back to 2013. Lewisham had a recovery plan in place which involved eliminating the backlog by 31 July 2018, but informed the ICO on 25 July 2018 that this deadline would not be met. A new deadline was proposed to deal with the remaining 19 outstanding requests, all of which were received prior to 25 May 2018 when the new legal framework for data protection came into force, but the ICO was concerned with Lewisham’s failure to adhere to previous deadlines set for clearing old subject access requests.

The ICO found the following breaches of the DPA 1998:

  • Lewisham failed to inform individuals, without undue delay, whether their personal data was being processed by or on behalf of the council and failed to communicate to individuals, without undue delay, what information may constitute personal data
  • the systems, procedures and policies put in place by Lewisham for dealing with subject access requests are inadequate, which has contributed to the contravention of the sixth data protection principle.

Under the terms of the enforcement notice, Lewisham is required to:

  • inform the 19 individuals who submitted subject access requests before 25 May 2018 whether the personal data processed by it includes personal data of which those individuals (or any of them) are the data subjects
  • supply each of them with a copy of any such personal data so processed in accordance with the requirements of the DPA 1998.

Practical tips 

This enforcement notice emphasises the importance of identifying and appropriately managing compliance issues, particularly those that impact directly on data subjects.

Although the enforcement notice was issued under the previous legal framework, the same requirements in terms of responding to subject access requests continue to apply. Indeed, the stronger emphasis on accountability under the new framework means that organisations must ensure that they can demonstrate robust internal processes to identify and manage compliance issues.

Where a compliance gap is suspected or identified, we recommend the following steps in order to avoid enforcement action by the ICO:

  • early identification of issues regarding data protection, for example any backlog in subject access requests

  • appropriate escalation of such issues, ensuring for instance that the Data Protection Officer and other members of the senior management team are informed as appropriate. Where a breach has been identified, the ICO may also need to be notified

  • developing and documenting a process to deal with the compliance issue (including a recovery plan if required). This may include adding resources to deal with a particular issue in a timely manner

  • reviewing and updating progress against the recovery plan at agreed intervals and ensuring appropriate reporting throughout the process.
