Last week the Information Commissioner’s Office (ICO) issued reprimands to two Scottish councils for repeatedly failing to respond to subject access requests (SARs) within the statutory timeframe under the UK GDPR. 

Many Scottish local authorities have seen an increase in SARs in the past few years, particularly in relation to the Redress Scotland scheme which allows people, who suffered abuse while in care, to apply for redress using supporting documents such as their care record. This increase was reported as 67% between 2021 and 2024.  

In its press release, the ICO says it has supported local authorities to improve their SAR response times and this has led to a 75% improvement, with 13 local authorities reporting a compliance rate of 90% in 2023/24. However, two local authorities have been singled out for a reprimand: 

Why did the ICO not issue a fine? In June 2022, the ICO revised its approach to enforcement of the UK GDPR against public sector organisations choosing to issue reprimands in most cases. Last summer, it announced a review of this approach following criticism that it was not effective in delivering GDPR compliance and that it was unfair to treat the public sector differently to other sectors. 

In December last year, the Commissioner issued a statement following publication of the review report. In short, he has decided to continue with his approach. He said: 

“Feedback from the review said that public authorities saw the publication of reprimands as effective deterrents, mainly due to reputational damage and potential impact on public trust, and how they can be used to capture the attention of senior leaders. Central government departments cited increased engagement and positive changes on the back of reprimands, particularly with our regular interaction with the government’s Chief Operating Officers Network. But wider public sector organisations displayed limited awareness, which means we must do more to share best practice and lessons learned.” 

The Commissioner also launched a consultation on the scope of the public sector enforcement approach and the factors and circumstances that would make it appropriate to issue a fine to a public authority. The deadline for responding to this consultation was 31st January 2025. We await its outcome.  

Enjoy reading our blog? Help us reach 10,000 subscribers by subscribing today!   

Our upcoming Handling SARs course can help you deal with complex subject access requests. Places are limited so book early to avoid disappointment.