An NHS trust has been issued with a reprimand by the Information Commissioner's Office (ICO) for failing to respond to subject access requests (SARs) in a timely manner.
Article 12(3) of the UK General Data Protection Regulation (GDPR) requires data controllers to respond to SARs without undue delay and in any event within one month of receiving them. That period may be extended by a further two months where necessary, taking into account the number and complexity of the requests, in which case the data controller must inform the data subject of the extension, and the reasons for the delay, within one month of receiving the request.
The trust confirmed that, during the relevant period, it had failed to respond to approximately 32 per cent of SARs within one month. The ICO also considered information provided by the trust regarding deficiencies in its system for logging and managing SARs. The trust could not give an accurate figure for the number of SARs it had yet to deal with, but acknowledged that it had a large number of outstanding SARs that were over one month old. It was also unable to confirm the number of SARs to which the extended three-month timeframe applied, or how many of those it had responded to. The trust was still working with paper records and issues with processing SARs had not been addressed for several years.
The ICO noted remedial steps taken by the trust, including the development of an Information Asset Management Strategy, the provision of staff training on SARs and the recruitment of additional staff on a temporary basis, which had led to a reduction in the backlog of SARs.
Taking all the circumstances into account, the ICO decided to issue a reprimand. It also set out recommendations that might assist the trust in rectifying the infringements and ensuring future compliance with the GDPR.