ICO issues SAR undertaking


The Information Commissioner's Office (ICO) issued an  undertaking on 28 August on Cardiff City Council, which requires the authority to improve its practices regarding Subject Access Requests (SARs). The undertaking is based on a SAR which the council failed to respond to within 40 working days. This failure prompted the Information Commissioner to take a closer look at the council's SAR compliance in general.

The ICO requires that the council will:

1.   Clearly define procedures for dealing with subject access requests, and make sure that all staff involved in such work receive appropriate training in how to follow them;

2.  Ensure that  appropriate checks and supervision are put in place to ensure that third-party data is dealt with in accordance with the Act’s requirements and the data controller’s policies and procedures;

3. Make sure that sufficient measures are in place for the storage of paper records to ensure that subject access requests are responded to appropriately.

The Undertaking is at

Read an analysis of the merits and drawbacks of the the ICO's new Subject Access Code of Practice in PL&B’s UK Report, to be published next week. To subscribe, please go to www.privacylaws.com/publications



If you would like to comment on this article, please login or register.


Tag cloud