Several Organisations Reprimanded by the ICO for Not Complying with Subject Access Requests

Published 6 October 2022

esterday the ICO named and shamed seven organisations for not responding to individuals when they asked for their information through a Subject Access Request (SAR).

The ICO received a number of complaints about these seven organisations relating to various failures in responding to SARs. These ranged from missing the deadlines, withholding information to not responding at all.

Some of figures are quite staggering:

  • Ministry of Defence has a SAR backlog of 9,000 requests with a waiting time of 12 months.
  • The Home Office has 3,000 unanswered SARs outside the legal time limit.
  • Virgin Media failed to respond to 1330 SARs within the timeframe.

Organisations have 30 calendar days to respond to a SAR, this may be extended up to three months and they don’t have to be made in writing.

The seven organisations have been issued a reprimand and have up to six months to make improvements.

The naming and shaming is likely to be more detrimental than the ICO’s slap on the wrist. That said, only Virgin Media is a company of choice, the others, being government organisations, can’t always be avoided.

What Does My Organisation Need to Do?

  1. Awareness and training – make sure everyone in the organisation knows how to recognise a rights request and what to do with one.
  2. Keep a record of all requests received.
  3. Make sure to have robust and effective verification procedures for individuals exercising their rights.
  4. Make sure everyone in the organisation knows the ‘Rights Request Procedure’ and where to find it.

If you have any further questions around how to validate or fulfill data subject rights requests, please contact us and we’ll be happy to help.


Becky Nicholson

Senior Data Protection Consultant