The importance of having robust systems, processes and policies in place to handle subject access requests was highlighted recently by the Information Commissioner's Office (ICO) decision to issue Bristol City Council (BCC) with an enforcement notice over repeated failures to respond to data subject requests.
Individuals have the right to make a request to an organisation to access and receive a copy of their personal data. A data subject access request (SAR) is a request asking for copies of personal data (and other supplementary information) that the organisation holds in relation to the person making the request. A SAR allows people to understand how and why their data are being used by an organisation and to check that they are being used lawfully. Organisations are usually required to respond to SARs within one month of receiving the request.
What happened?
In 2023, the ICO was notified that BCC had a large number of overdue SARs, going back to 2020. Since then, the ICO has made enquiries and worked closely with BCC to monitor its action plan and progress. As the backlog of requests continued to grow and no significant progress was made, the ICO launched a formal investigation into BCC's processes for handling SARs in 2024.
As of June 2025, BCC had 231 outstanding SARs, one of which was received as long ago as 2022. The ICO had received over 63 complaints from individuals about BCC's handling of SARs. Through the ICO's investigation, and the information that BCC provided as part of its representations, it was found that BCC was struggling financially and did not have sufficient staff, resources or training to manage SARs effectively. While BCC was working hard to clear the backlog, the ICO found its action plan too generic, and the timeframes for clearing the backlog were still significantly too long. BCC had estimated it would take around 36 months to clear all the requests. As a result, the ICO found that BCC had failed to comply with its UK GDPR obligations.
What did the ICO say?
The ICO reiterated that subject access requests are a fundamental right: people have the right to ask organisations what personal data they hold on them and why they are holding it.
The ICO acknowledged BCC's efforts to address the backlog and took the representations made during the investigation process into account. However, the ICO ultimately found that the infringements had caused, or were likely to cause, those affected damage or distress, and that issuing the enforcement notice was a proportionate and appropriate step to ensure compliance. The ICO also took full account of BCC's ongoing work to clear the backlog since 2023 and the local authority's financial difficulties.
Next steps
BCC is required to comply with the enforcement notice by completing the following steps:
- Contact all individuals with overdue requests to notify them of the delays.
- Provide outstanding responses by set deadlines, starting with the oldest cases.
- Provide the ICO with weekly updates until all requests have been dealt with.
- Create and share an action plan within 90 days of the enforcement notice to address the backlog and set out responsibilities, priorities and anticipated timelines.
- Within 12 months of receiving the enforcement notice, BCC must make system and process changes to ensure future SARs are identified and completed without delay. Such changes may include training staff to ensure UK GDPR compliance and increasing staffing and resources to ensure that SARs are dealt with within the prescribed timeframes.
If BCC fails to observe and implement the terms of the enforcement notice within the prescribed period, the ICO reserves the right to serve a financial penalty notice against the organisation. The ICO has the power to issue a penalty notice requiring payment of up to £17,500,000 or 4% of an undertaking's total annual worldwide turnover, whichever is higher, for failing to comply with an enforcement notice.
Key takeaways for organisations
1. Keep a note of key dates
Record the date that the SAR was received and diarise the date by which the response must be issued. Generally, SARs must be responded to within one month, subject to extensions in limited circumstances, and it is important that this deadline is not missed.
2. Train staff
Responding to a SAR can be a complex process. Staff must be able to identify a SAR and verify the requesting individual's identity. The process of identifying data to be disclosed can be challenging, particularly where large volumes of information are held about an individual. Not all data have to, or should, be disclosed, so it is important that staff are well trained and able to identify and extract the relevant data without breaching data protection laws or infringing third-party rights.
3. Seek assistance
MFMac offers a comprehensive data and information law practice. Should you have any queries or require assistance in relation to responding to a subject access request, please contact David Gourlay or another member of our Data Protection and UK GDPR Team.
This article was co-authored by Aleksandra Werecka, Trainee Solicitor in MFMac's Commercial team.