ICO (UK) - Plymouth City Council
ICO - Plymouth City Council | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 12(3) GDPR, Article 15(1) GDPR, Article 15(3) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 28.04.2023 |
Fine: | n/a |
Parties: | Plymouth City Council |
National Case Number/Name: | Plymouth City Council |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | ICO (in EN) |
Initial Contributor: | At33 |
A reprimand has been issued to Plymouth City Council in relation to the infringements of Article 12 (3) and Article 15 of the UK GDPR. This case forms part of the ICO’s wider work into SAR compliance.
English Summary
Facts
For SARs that have been completed within the statutory one month deadline by the council, the highest compliance rate over the last three years is 45% for the year of 2021/2022. For SARs completed within a 90 day period the highest compliance rate is 77% for the year 2022/2023; however, at the time of writing, this compliance rate was correct as of 29 September 2022.
In total, 18 SARs took up to two years to complete and there are eight SARs up to two years old which have still not been completed. A further 18 SARs then took between three months and one year for completion. As of 31 January 2023, there are still 20 SARs which are up to one year old that have not been completed yet.
Holding
The ICO considers that the council has failed to provide access to personal data and provide copies of the personal data owing to the significant delays in SAR responses. These delays have been occurring over the last three years. The compliance rates in relation to subject access requests (SAR) have not been adequate over the last three years. A reprimand has been issued under the UK GDPR and further action has been recommended to ensure the council becomes compliant.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
DATA PROTECTION ACT 2018 AND UK GENERAL DATA PROTECTION REGULATION

REPRIMAND

The Information Commissioner (the Commissioner) issues a reprimand to Plymouth City Council (‘the council’) in accordance with Article 58(2)(b) of the UK General Data Protection Regulation (UK GDPR) in respect of certain infringements of the UK GDPR.

The reprimand

The Commissioner has decided to issue a reprimand to Plymouth City Council in respect of the following infringements of the UK GDPR:

• Article 12 (3) which states the controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
• Article 15 (1) (right of access by the data subject) which states the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.
• Article 15 (3) (right of access by the data subject) which states the controller shall provide a copy of the personal data undergoing processing.

The reasons for the Commissioner’s findings are set out below.

Article 12 (3)

The ICO considers that the council has failed to provide information to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of requests.
The compliance rates in relation to subject access requests (SAR) have not been adequate over the last three years.

Article 15 (1 and 3)

The ICO considers that the council has failed to provide access to personal data and provide copies of the personal data owing to the significant delays in SAR responses. These delays have been occurring over the last three years.

For SARs that have been completed within the statutory one month deadline by the council, the highest compliance rate over the last three years is 45% for the year of 2021/2022. For SARs completed within a 90 day period the highest compliance rate is 77% for the year 2022/2023; however, at the time of writing, this compliance rate was correct as of 29 September 2022.

In total, 18 SARs took up to two years to complete and there are eight SARs up to two years old which have still not been completed. A further 18 SARs then took between three months and one year for completion. As of 31 January 2023, there are still 20 SARs which are up to one year old that have not been completed yet.

Mitigating factors

In the course of our investigation, we have noted that the council have taken some mitigating action, such as:

• SARs are logged and tracked with key performance indicators (KPIs) being produced for senior management on a monthly basis.
• The list and allocation of current SARs are assessed weekly in an attempt to drive productivity and minimise complaints.
• Investments have been made in the management team to maximise productivity in the team.
• Overtime has been offered to current staff following Chief Executive approval.
• A total investment of £110,000 made in improving the capacity of the team. This increased the team capacity from 2.6 FTE to 5.6 FTE from April 2021 to August 2022. In addition to this, a staff member from another team also provided assistance.

Remedial steps taken by Plymouth City Council

The Commissioner has also considered and welcomes the remedial steps taken by Plymouth City Council in the light of this incident. In particular the investments made in order to increase the capacity of the team; including the employment of new staff to assist in tackling the SAR backlog.

Decision to issue a reprimand

Taking into account all the circumstances of this case, including the mitigating factors and remedial steps, the Commissioner has decided to issue a reprimand to Plymouth City Council in relation to the infringements of Article 12 (3) and Article 15 of the UK GDPR set out above.

Further Action Recommended

The Commissioner recommends that Plymouth City Council should take certain steps to ensure its compliance with UK GDPR. With particular reference to Article 12 (3) and Article 15 of the UK GDPR, the following steps are recommended:

1. The council should take all steps to ensure SARs are responded to within the statutory deadlines, in line with Articles 12 (3), 15 (1) and 15 (3) of the UK GDPR.
2. The council should continue to monitor SAR compliance data.
3. The council should action the remaining outstanding SARs for completion.
4. The council should consider any additional improvements that can be made to the SAR handling process at the council.
5. The council should ensure that it has adequate staff resource in place to process and respond to SARs.
6. The council should provide staff in all departments of the council with appropriate training in order that all employees can recognise a SAR. The council should also consider the way in which the completion of this training is monitored, to ensure that staff have completed this within a specified and appropriate timeframe.