Privacy Advisor

UK—ICO Issues SAR Undertaking Against Cardiff City Council

September 20, 2013

By Brian Davidson, CIPP/E

The ICO issued an undertaking against Cardiff City Council on 28  August following a failure to respond within the prescribed 40-day period to a Subject Access Request (SAR) made by an individual in July 2011.

An assessment by the ICO found that the council did, and indeed continues, to display “systematic failures” to meet its SAR requirements under Section 7 of the Data Protection Act (DPA). Section 7 entitles individuals to contact an organisation to be provided with details on what information the organisation holds about the individual.

Specifically, the ICO considered the council’s compliance with the Sixth Data Protection Principle, which mandates that personal data must be processed in accordance with the rights of the individual under the DPA. The undertaking requires the council to ensure that the procedures for dealing with SARs are clearly defined with appropriate staff training put in place, that appropriate checks are put in place to ensure that third-party data is dealt with in accordance with the DPAs requirements and sufficient measure are in place for the storage of paper records to ensure that SARs are responded to appropriately.

The undertaking follows the ICO’s recent publication of its new SAR Code of Practice, designed to assist organisations in dealing with SAR requests. An ICO press release states that it handled more than 6,000 complaints relating to SAR requests in the last financial year, with more than one in six of those complaints relating to money lenders, including credit reference agencies and banks.

A copy of the SAR Code of Practice is available here.

Brian Davidson, CIPP/E, is a privacy and information law advisor at Field Fisher Waterhouse, LLP.