Cardiff CC has vowed to process personal data "in accordance with the rights of data subjects" under the Data Protection Act (DPA) after a review by the Information Commissioner's Office (ICO) found that the Council was, and still is, failing to adhere to statutory requirements in the way it deals with subject access requests (SARs).
Under the DPA, when an individual requests access to the personal data an organisation holds about them, the organisation is generally required to provide a copy of that data within 40 days of receiving the request. In order to comply with SARs, organisations must generally provide the information in an "intelligible form". The copy must also be in "permanent form unless the supply of such a copy is not possible or would involve disproportionate effort, or the data subject agrees otherwise."
Cardiff CC has committed to ensuring that, in future, the "procedures for dealing with subject access requests are clearly defined and managed" and that staff are appropriately trained in how to follow those procedures.
In addition, the Council has agreed to make sure that "appropriate checks and supervision" arrangements are put in place. This is to "ensure that third-party data is dealt with in accordance with the Act’s requirements and the data controller’s policies and procedures", according to the undertakings signed by Cardiff CC.
Cardiff CC will also ensure that there are "sufficient measures ... in place" to allow it to store paper records and respond "appropriately" to SARs.
The ICO said it had undertaken a review of Cardiff CC's handling of SARs after receiving a complaint from an individual who had not received a response to their SAR within the statutory 40-day timeframe permitted under the DPA.
The ICO issued a new code of practice for dealing with SARs last month.