Cookies on Pinsent Masons website

This website uses cookies to allow us to see how the site is used. The cookies cannot identify you. If you continue to use this site we will assume that you are happy with this

If you want to use the sites without cookies or would like to know more, you can do that here.

Welsh council commits to improve handling of subject access requests after 'system failures' found

Cardiff City Council (Cardiff CC) has signed undertakings with the UK's data protection watchdog to improve its handling of data subject access requests (SARs) after "systemic failures" in compliance were found.12 Sep 2013

Cardiff CC has vowed to process personal data "in accordance with the rights of data subjects" (4-page / 80KB PDF) under the Data Protection Act after a review by the Information Commissioner's Office (ICO) found that the Council was, and still is, failing to adhere to statutory requirements in the way it deals with SARs.

Under the DPA, organisations are generally required to provide a copy of the personal data they hold about an individual when that individual requests access to it within 40 days of receiving that request. In order to comply with SARs, organisations must generally provide the information in an "intelligible form". The copy must also be in "permanent form unless the supply of such a copy is not possible or would involve disproportionate effort, or the data subject agrees otherwise."

Cardiff CC has committed to ensuring that, in future, the "procedures for dealing with subject access requests are clearly defined and managed" and that staff are appropriately trained in how to follow those procedures.

In addition, the Council has also agreed to make sure that "appropriate checks and supervision" arrangements are put in place. This is to "ensure that third-party data is dealt with in accordance with the Act’s requirements and the data controller’s policies and procedures", according to the undertakings signed by Cardiff CC.

Cardiff CC will also ensure that there are "sufficient measures ... in place" to allow it to store paper records and respond "appropriately" to SARs.

The ICO said it had undertaken a review of CCC's handling of SARs after receiving a complaint from an individual who had not received a response to their SAR within the statutory 40 day timeframe permitted under the DPA.

The ICO issued a new code of practice for dealing with SARs last month.