We don't know whether the most recent response to this request contains information or not – if you are Abdul Hai please sign in and let everyone know.

Subject access requests complaints

We're waiting for Abdul Hai to read recent responses and update the status.

Dear Information Commissioner's Office,

Can you publish the number of complaints upheld since GDPR came into force against data controllers who failed to handle subject access requests correctly along with the level of fines?

If possible can you name the data controllers and the fine level?

Yours faithfully,

Abdul Hai

Information Access Inbox, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit:

[1]https://ico.org.uk/about-the-ico/our-inf...

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found
[3]here.

Twitter

Find us on Twitter [4]here.

 

References

Visible links
1. https://ico.org.uk/about-the-ico/our-inf...
2. https://ico.org.uk/global/privacy-notice/
3. https://ico.org.uk/about-the-ico/news-an...
4. http://www.twitter.com/ICOnews

Information Commissioner's Office

3 October 2019

 

Case Reference Number IRQ0872142

 

Dear Mr Hai,

Thank you for your request for information submitted to the Information
Commissioner’s Office (ICO). We received your request on 8 September 2019
and it was considered by the ICO’s Information Access Team.  
 
We have handled your request under the Freedom of Information Act 2000
(FOIA).

Your request

You requested the following information:

“Can you publish the number of complaints upheld since GDPR came into
force against data controllers who failed to handle subject access
requests correctly along with the level of fines? If possible can you name
the data controllers and the fine level?”

Our response

In response, we do hold information within the scope of your request. We
publish data protection complaints information routinely as part of our
online complaints data sets, which are available here:

[1]Complaints and concerns data sets  

You can search the data sets using the ‘case type’ or ‘legislation’ column
for data protection ‘DP’ complaints only. You can also refine your search
using the two nature columns, for cases listed as being about ‘subject
access’. Please also refer to the case outcome column for cases closed as
‘CMP final notice served’ to list cases where a fine was issued. A
description of all our data protection complaint case outcomes can be
found here: 

[2]Data protection case outcomes  

The ICO routinely publishes its complaints data sets online, as part of
our commitment to openness and transparency. You will note that the ICO
has already published complaints data sets relevant to this request for
May and June 2018. However, complaints data sets from July 2018 onwards,
which are included in the time frame of your request, have not yet been
published online. As this information is intended for future publication,
it is exempt from disclosure under section 22 FOIA, which is explained in
detail below.  

The outstanding casework data sets will be published sequentially by
calendar month. Due to the number of cases and the detailed checking
required prior to disclosure, the July 2018 data set will be published
soon, with further data sets being prepared for disclosure thereafter.

In relation to fines, it is also possible to search for civil monetary
penalties issued from the introduction of the General Data Protection
Regulation up to the present on the Enforcement Action page (linked below)
of the ICO website. Populate the search provided for ‘monetary penalties’
issued between dates of interest.

[3]Enforcement Action  

When you have filtered the results, you can see which organisation the
monetary penalty relates to, read the monetary penalty amount and review
whether any involve subject access failings.  

Section 21 FOIA

Where information is available online, such as published ICO casework data
sets, this information is considered reasonably accessible to the public
by other means. It is therefore technically exempt from disclosure under
section 21 FOIA because it is not necessary to make an information request
in order to access it.  

Section 22 FOIA

Some of the casework information sought is not yet published online and is
exempt under section 22 of FOIA.

Section 22 of the Act states that information is exempt from disclosure in
response to an information request if:
 
“(a) the information is held by the public authority with a view to its
publication, by the authority or any other person, at some future date
(whether determined or not),
(b) the information was already held with a view to such publication at
the time when the request for information was made, and
(c) it is reasonable in all the circumstances that the information should
be withheld from disclosure until the date referred to in paragraph (a).”
 
The exemption at section 22 is qualified by the public interest test,
meaning that the information should be disclosed if the public interest in
the maintenance of the exemption does not outweigh the public interest in
disclosure.
 
In this case, the public interest factors in favour of disclosing the
information are:   
 

* To promote openness and transparency by providing information about
data protection complaint cases that have been submitted to us under
the legislation we regulate.

The factors in favour of maintaining the exemption are:       
 
 

* The ICO has a history of publishing this information on a regular
basis and has committed to publishing relevant casework data sets
which will include the requested information in the future.
* To prepare this information for disclosure earlier than our intended
date of publication in response to individual requests we receive
would not be an efficient use of resources when we intend to publish
this information in due course anyway.
* Earlier disclosure is not necessary to satisfy any pressing public
interest at the present time.

Having considered the public interest arguments, we consider it reasonable
in the circumstances to withhold this information under section 22 of the
FOIA.

That concludes our response to your information request, we hope that it
proves helpful.   

Review procedure

If you are dissatisfied with this response and wish to request a review of
our decision or make a complaint about how your request has been handled
you should write to the Information Access Team at the address below or
email [4][ICO request email]
 
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request received
after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation. To make such an application, please write
to our Customer Contact Team, at the address given or visit the
‘Complaints’ section of our website to make a Freedom of Information Act
or Environmental Information Regulations complaint online.
 
A copy of our review procedure can be accessed from our website:  

[5]Review procedure  

Yours sincerely,

Aideen Oakes

Lead Information Access Officer

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF

Please consider the environment before printing this email

For information requests please use: [6][ICO request email]

For information about what we do with personal data see our [7]privacy
notice

 
 
 
 

References

Visible links
1. https://ico.org.uk/about-the-ico/our-inf...
2. https://ico.org.uk/media/about-the-ico/d...
3. https://ico.org.uk/action-weve-taken/enf...
4. mailto:[ICO request email]
5. https://ico.org.uk/media/1883/ico-review...
6. mailto:[ICO request email]
7. https://ico.org.uk/global/privacy-notice/

We don't know whether the most recent response to this request contains information or not – if you are Abdul Hai please sign in and let everyone know.