ICO (UK) - Norfolk County Council
From GDPRhub
| ICO - Norfolk County Council | |
|---|---|
 | |
| Authority: | ICO (UK) |
| Jurisdiction: | United Kingdom |
| Relevant Law: | Article 12(3) GDPR Article 15(1) GDPR Article 15(3) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 05.05.2023 |
| Fine: | n/a |
| Parties: | Norfolk County Council |
| National Case Number/Name: | Norfolk County Council |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | ICO (in EN) |
| Initial Contributor: | At33 |
The Commissioner has decided to issue a reprimand to the Council in relation to the infringements of Article 12 (3), Article 15 (1) and Article 15 (3) of the UK GDPR set out above.
English Summary
Facts
The Council has only responded to 260 out of 511 SARs within the statutory period of one or three months during the period of 6 April 2021 to 6 April 2022.
Holding
This could have had a significant impact on the data subjects affected and we expect the Council to take steps to improve its compliance in this area. A reprimand has been issued under the UK GDPR and further action has been recommended to ensure the Council takes steps to address its SAR backlog.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
DATA PROTECTION ACT 2018 AND UK GENERAL DATA
PROTECTION REGULATION
REPRIMAND
The Information Commissioner (the Commissioner) issues a reprimand to
Norfolk County Council (the Council) in accordance with Article 58(2)(b)
of the UK General Data Protection Regulation in respect of certain
infringements of the UK GDPR.
The reprimand
The Commissioner has decided to issue a reprimand to the Council in
respect of the following infringements of the UK GDPR:
• Article 12 (3) which states ‘the controller shall provide information
on action taken on a request under Articles 15 to 22 to the data
subject without undue delay and in any event within one month of
receipt of the request. That period may be extended by two further
months where necessary, taking into account the complexity and
number of the requests. The controller shall inform the data subject
of any such extension within one month of receipt of the request,
together with the reasons for the delay. Where the data subject
makes the request by electronic form means, the information shall
be provided by electronic means where possible, unless otherwise
requested by the data subject’.
• Article 15 (1) which states ‘the data subject shall have the right to
obtain from the controller confirmation as to whether or not
personal data concerning him or her are being processed, and,
where that is the case, access to the personal data’.
• Article 15 (3) which states ‘the controller shall provide a copy of the
personal data undergoing processing’.
The reasons for the Commissioner’s findings are set out below.
Based on the findings of the investigation, the Council has only responded
to 260 out of 511 SARs within the statutory period of one or three months
during the period of 6 April 2021 to 6 April 2022. This could have had a
significant impact on the data subjects affected and we expect the Council
to take steps to improve its compliance in this area.
Mitigating factors
1In the course of our investigation we have noted that the Covid – 19
pandemic has impacted the Council’s ability to access manual records due
to the lack of access to buildings which contributed to the backlog as staff
couldn’t access physical records when they formed part of a request.
Remedial steps taken by the Council
The Commissioner has also considered and welcomes the remedial steps
taken by the Council in the light of this incident. In particular it has taken
steps to increase its staff working on SARs and consolidated them into a
single, dedicated team which is solely focussed on SAR responses and
closing the backlog.
Decision to issue a reprimand
Taking into account all the circumstances of this case, including the
mitigating factors and remedial steps, the Commissioner has decided to
issue a reprimand to the Council in relation to the infringements of Article
12 (3), Article 15 (1) and Article 15 (3) of the UK GDPR set out above.
Further Action Recommended
The Commissioner recommends that the Council should take certain steps
to ensure its compliance with UK GDPR. With particular reference to
Articles 12(3) and 15 (1) and (3) of the UK GDPR, the following steps are
recommended:
1. The Council should take steps to ensure that SARs are responded to
within statutory deadlines.
2. The Council should ensure it has adequate staff resources in place
to process and respond to SARs. The ICO notes that the Council has
taken steps to ensure it has adequate staffing levels to manage its
SAR intake; however it considers the Council should continue to
review and monitor this.
3. The Council should ensure it continues to implement effective
measures to address its backlog.
The Commissioner requires the Council to provide details of the actions
taken to address the above recommendations within six months of receipt
of this reprimand, and by no later than Monday 6 November 2023.
2
