ICO issues SAR undertaking

The Information Commissioner's Office (ICO) issued an undertaking on 28 August on Cardiff City Council, which requires the authority to improve its practices regarding Subject Access Requests (SARs). The undertaking is based on a SAR which the council failed to respond to within 40 working days. This failure prompted the Information Commissioner to take a closer look at the council's SAR compliance in general.

The ICO requires that the council will:

1. Clearly define procedures for dealing with subject access requests, and make sure that all staff involved in such work receive appropriate training in how to follow them;

2. Ensure that appropriate checks and supervision are put in place to ensure that third-party data is dealt with in accordance with the Act’s requirements and the data controller’s policies and procedures;

3. Make sure that sufficient measures are in place for the storage of paper records to ensure that subject access requests are responded to appropriately.

The Undertaking

Read an analysis of the merits and drawbacks of the the ICO's new Subject Access Code of Practice in PL&B’s UK Report, to be published next week.