ICO Reprimands Organizations for Data Access Request Failures

ICO Reprimands Organizations for Data Access Request Failures

ICO reprimands
ICO reprimands

We’ve talked extensively about DSARs on our blog before. For a quick refresher: DSAR stands for data subject access request, and refers to the right of consumers to ask a company to grant them access to all personal data collected about them. These requests may be filed in order to update the data, delete it, transfer it to another company, or simply to see what data has been collected. Whatever the case, privacy laws have very detailed requirements of how companies should handle DSARs. Generally, these requirements include:

  • Companies may not make it unreasonably challenging for consumers to submit a DSAR.
  • DSARs must be fulfilled within a specified timeframe (laws differ on how long this is).
  • DSARs must be fulfilled to the level of detail requested by the consumer.
  • DSARs may only be refused under very specific circumstances (such as a consumer making unreasonable demands or asking for data other than their own).
  • If a company refuses to fulfill a DSAR, they must both provide an explanation and allow for an appeal within a specified timeframe.

Allowing unfulfilled DSARs to pile up leaves consumers without access to their own data. And as recent activity in the UK has shown, privacy enforcement authorities take this very seriously.

ICO Reprimands 7 Organizations for DSAR Failures

The UK’s Information Commissioner’s Office (ICO) announced on September 28 that they were issuing reprimands against seven organizations who either failed to respond properly to DSAR requests or ignored them entirely. Complaints about these companies’ behavior paint an alarming picture of disregard for consumers’ data and needs. The ICO highlighted several of these complaints in their announcement, including:

  • A user whose password reset link was sent to the wrong email address, and was told they were wrong when they explained the problem
  • A user trying to help an at-risk child whose efforts were stonewalled by delayed delivery of critical information
  • A user whose childhood adoption records were seemingly lost
  • More than one user who were told their request was being processed, and then simply never heard back

The organizations in question are:

  • The Home Office, with a backlog of unprocessed DSARs numbering approximately 21,000 last year and approximately 3,000 in July 2022
  • Kent Police, with a backlog of 200 overdue DSARs in May 2022 and a track record of taking 18 months or more to fulfill requests. (British privacy laws require a response within 1-3 months.)
  • London Borough of Croydon, which failed to respond to more than half of their DSARs within the required timeframe
  • London Borough of Hackney, which also failed to respond to more than half of their DSARs on time, with the oldest DSAR being over 2 years old
  • London Borough of Lambeth, which failed to respond to 26% of their DSARs between 2020-2021 and shows no signs of improving
  • Ministry of Defense, with a backlog of 9,000 DSARs dating back to March 2020 and a track record of making consumers wait a year or more for their information
  • Virgin Media, who failed to respond to 14% of submitted DSARs in 2021, though their 2022 track record shows signs of improvement

The ICO has ordered these organizations to improve their practices within 3-6 months to avoid legal action.

Avoid DSAR Mistakes with a Straightforward System

DSAR fulfillment plays an important role in privacy practices and legal compliance. That’s why we designed 4Comply, our state-of-the-art privacy compliance software, to make rights fulfillment as straightforward as possible. Avoid the same mistakes as these organizations with a system that streamlines the whole process and keeps you on time. Get in touch with us today to learn more.