ICO Reprimands NHS Trust for Delays in Responding to Subject Access Requests

The Information Commissioner's Office (ICO) has issued a reprimand to an NHS trust for failing to respond to subject access requests (SARs) within the required timeframe, highlighting ongoing concerns over data protection compliance.

Under Article 12(3) of the UK General Data Protection Regulation (GDPR), data controllers must respond to SARs without undue delay and within one month of receipt. In cases where requests are particularly complex or numerous, the deadline may be extended by up to two additional months, provided that the data subject is informed of the delay and its reasons.

During the relevant period, the NHS trust admitted that it had failed to respond to approximately 32 per cent of SARs within the one-month deadline. The ICO’s investigation also revealed serious deficiencies in the trust’s systems for logging and managing SARs. The trust was unable to provide an accurate figure for the number of outstanding requests exceeding the deadline, nor could it confirm how many SARs fell within the extended three-month timeframe or how many of those had been completed. The trust’s continued reliance on paper records further contributed to long-standing inefficiencies, with SAR processing issues persisting for several years.

Despite these failings, the ICO acknowledged the trust’s efforts to address the backlog, including:

• Developing an Information Asset Management Strategy
• Providing staff training on handling SARs
• Recruiting temporary staff to assist with processing requests

These measures had helped reduce the number of outstanding SARs.

Considering all the circumstances, the ICO opted to issue a reprimand rather than a fine, while also providing recommendations to support the trust in rectifying GDPR breaches and ensuring future compliance.

This case serves as a critical reminder to organisations handling personal data to have robust systems in place for processing SARs efficiently and in line with GDPR obligations.