Subject access request handling tops UK data protection concerns

Out-Law News | 06 Jul 2015 | 4:30 pm | 1 min. read

The way organisations handle people's requests for access to personal data about them is the most frequent subject of data protection complaints in the UK, according to a new report.

According to the latest annual report from the Information Commissioner's Office (ICO) (84-page / 378KB PDF), 46% of all data protection complaints raised with the watchdog concerned subject access requests (SARs). Last year, half of all data protection cases dealt with by the ICO were about SARs.

Nearly a fifth (18%) of the data protection cases handled by the ICO in 2014/15 were about data sharing and other data disclosure issues, whilst 14% of cases concerned alleged inaccuracies with personal data records.

In total, the ICO received 14,268 complaints in 2014/15, with 8% of complaints about data security issues. This marks a slight proportionate rise from the 6% of cases that concerned data security in 2013/14.

The most complained-about groups of organisations were lenders and local government authorities, ahead of health bodies and general businesses.

"We looked at concerns we received about lenders and challenged the sector to better explain their information rights practices to customers," the ICO said. "As a result this year we have dealt with over 700 fewer concerns about lenders; a significant reversal of recent trends."

The majority of all the data protection cases handled by the ICO were resolved inside 30 days. In less than 0.2% of cases last year, the ICO took enforcement action, including seeking undertakings from organisations about their data protection practices.

However, the ICO did require data controllers to take some corrective actions in 22% of cases and gave compliance advice in a further 10% of cases.

The ICO's annual report also highlighted a rise in the number of complaints it handled concerning alleged breaches of the Privacy and Electronic Communications Regulations (PECR). It received 180,188 PECR complaints last year compared to 161,720 in 2013/14. The bulk of complaints related to unsolicited marketing, including nuisance calls and spam text messages. The ICO was earlier this year given greater scope to fine companies that breach PECR.

According to the report, the ICO investigated 1,677 cases of data loss that organisations had self-reported in the past year. Health bodies and local government authorities self-reported on 439 and 125 occasions respectively.