ICO issues a reprimand to Virgin Media for SAR failures

Virgin Media has not complied with the UK GDPR and the Data Protection Act’s requirement to respond to Subject Access Requests (SARs) without undue delay, and at the latest within one month of receipt of the request.

Over a 6-month period in 2021, Virgin Media received over 9,500 SARs. 19% of these were not responded to during the statutory timeframe, the ICO says. However, the company’s compliance has improved in 2022.

In 2021, the ICO received 125 complaints about Virgin Media’s handling of SARs.

The ICO has requested that Virgin Media meets the statutory deadlines, and to provide adequate staff resource to process SARs. Virgin Media is to report to the ICO about the improvements made within three months. A further report is required after six months.

The ICO says it may take further enforcement action if more incidents and complaints are reported, and that it may publish the results of its investigation.

The ICO has also taken similar action against six public sector organisations, including the Home Office, for significant issues with meeting SAR deadlines. Between March 2021 and November 2021, the Home Office had a back log of just under 21,000 cases.

On 30 June the Information Commissioner John Edwards announced that he will use his discretion to reduce fines on the public sector.

“In practice, this will mean an increased use of the ICO’s wider powers, including warnings, reprimands and enforcement notices, with fines only issued in the most serious cases.”