As a business owner or manager, it’s crucial to respond promptly to information requests, especially Subject Access Requests (SARs). The recent reprimand issued to the Labour Party by the Information Commissioner’s Office (ICO) highlights the legal obligations and potential repercussions of failing to meet these requirements.
What Happened?
The Labour Party was reprimanded by the Information Commissioner’s Office (ICO) for repeatedly failing to respond to SARs in a timely manner. SARs are requests from individuals asking an organisation to provide any personal data it holds about them and details on how that data is being used.
Under data protection law, organisations must respond to these requests within one month, with a possible extension of up to two further months for more complex cases. However, an ICO investigation revealed that the Labour Party had a significant backlog of SARs following a cyber-attack in October 2021. By November 2022, there were 352 outstanding SARs, 78% of which had not been responded to within the mandatory three-month timeframe (the one-month limit plus the two-month extension). Alarmingly, over half of these requests were delayed by more than a year.
Furthermore, a previously unmonitored ‘privacy inbox’ was discovered, containing approximately 646 additional SARs and 597 requests for the deletion of personal data. None of these requests had been addressed.
What Can You Do?
While most businesses are unlikely to receive as many information requests as the Labour Party, it is still essential to respond to them promptly.
Consider the following actions:
- Document clear procedures for handling SARs, and ensure all staff are aware of these processes and the importance of timely responses.
- Designate responsibility for monitoring and managing SARs, and ensure the responsible individuals have the necessary resources to handle the task effectively.
- Regularly monitor all communication channels, such as designated email addresses, where SARs might be submitted.
- Keep up to date with the ICO’s guidance on SARs to ensure your business remains compliant with legal requirements and follows best practices.
The ICO’s reprimand of the Labour Party serves as a reminder of the importance of responding to SARs promptly. As a business, failing to comply with these obligations can lead to legal consequences, damage to your reputation, and a loss of trust among customers and the public.
By implementing effective procedures for handling SARs, you can mitigate these risks and demonstrate your commitment to data protection and individuals’ rights.
See: ICO action against Labour Party for failing to respond to requests for personal information on time