Update - October 2024
We requested statistics from all 32 local authorities covering a three-year period, from 2021 to the end of the financial year 2023/2024. Our 2022 benchmark showed that just six local authorities had SAR compliance above 90% and four had compliance below 50%.
However, since our engagement began in April 2023, we have seen two key improvements:
- 24 out of 32 local authorities have improved their SAR compliance;
- The number of local authorities with more than 90% compliance has doubled (from six to 13);
These improvements have been made despite a substantial increase in the volume of request being made - 67% in total since 2021. Where local authorities do experience an increase in demand, we expect them to have sufficient resources in place to maintain their compliance rates.
We take a proportionate approach to our engagement with local authorities, and we are continuing to work with those who we have concerns about. Enfocement action is being considered where improvements have not been made to SAR compliance.
These statistics are accurate as of April 2024.
Dominique Mitchell is Senior Policy Officer at the ICO. |
Records of personal information are so important to people who have experience of the care system, as they are often key to understanding their personal history and identity. From reports written by social workers to photographs capturing memories, family and friends, records from someone’s time growing up in care can contain a large amount of personal information.
Under data protection law, everyone has rights over their own personal information. This includes the right to ask for their personal information from an organisation using a Right of Access request (sometimes known as a subject access request or SAR) and receive a copy of this information within a calendar month, unless an extension is applied.
We have heard directly from people about the stress and trauma caused by their experience requesting personal information from their time in care. Some have waited months, or even years in extreme cases, to receive a copy of their records. Others have shared their distress and frustration when unexpectedly receiving a response, opening lengthy documents with no context and heavy redactions. Organisations can struggle to understand what information they can release and often fail to treat these requests with the sensitivity they need.
As the UK data protection regulator, we want to improve the support we offer to both people with experience in the care system and the organisations that hold their information.
Our work with Scottish local authorities
At the ICO’s Scottish office, we have already taken proactive steps to engage with local authorities. Over the last year, we received complaints about several local authorities with poor performance handling SARs, including requests for care records, within the legal timeframe.
Many local authorities have seen increases in SARs in relation to Scotland’s Redress Scheme, where people who suffered abuse while in care can apply for redress. The scheme requires people to submit information and evidence in the form of supporting documents to support their application for redress, increasing the number of SARs to some local authorities.
For anyone seeking to claim redress in Scotland or access their care records for any other reason, undue delays and other challenges during the process only increase the trauma these people are facing. Organisations must get this right as poor compliance can have a detrimental impact on people trying to exercise their information rights.
We asked all 32 local authorities in Scotland to provide statistics about their response times to SARs, including how many were responded to within the legal timeframe, and the age of requests that had yet to receive a response. Where we identified poor compliance, we have been engaging directly with these local authorities, supporting them to put action plans in place and monitoring them closely for signs of improvement.
Since our engagement began, we have seen a positive response with some local authorities significantly reducing their backlog of requests and improving their overall response times. However, we are still concerned about the poor performance of several local authorities and the impact this continues to have on people applying for redress in Scotland.
We will continue to monitor local authorities in Scotland until we are satisfied that there has been significant and sustainable change. Where our engagement does not succeed in improving compliance, we will consider using our regulatory powers, which include enforcement action.
We expect all organisations who receive SARs to ensure that they:
- Communicate with people in a prompt and proportionate manner
- Have adequate resources in place to respond to requests within one calendar month, unless an extension is required
- Read and understand our Right of Access guidance
- Assess against our Accountability Framework and implement measures to meet our expectations
Share your experiences with us
As a regulator, we want to do more to help people with care experience to obtain their personal information and exercise other information rights, as well as support organisations to provide timely responses. We want to empower people to exercise their rights over their own personal information and in order to do this, we need to hear directly from people about any issues or challenges they faced regarding their personal information.
We are urging people with experience of the care system in any part of the UK to come forward and share their experiences both requesting their records and having their personal information handled in the care system. We want to understand the real impact of long delays and poor redactions, so we can identify areas where we can make the most difference with our support.
The information gathered from our previous workshops and the survey will help us to produce updated resources for all UK organisations, providing clarity on how they can improve their processes when handling requests for care records and protect the personal information of people with care experience.
If you have experience accessing your care records, please share details with us via our survey here.
We are here to help
We have guidance on our website to help people to understand their information rights, including the right of access and the process of making a SAR. Any organisations that needs help to respond to SARs can find further guidance on our website, or contact us for advice.
If anyone is concerned about how their data is being handled by an organisation, they can make a complaint to us here or if they live or are based in Scotland, they can contact our regional office.
You can read more about our commitment to improving our support here.
Notes to editors
For the purpose of this work, the ICO defines “experience of the care system” as the experience of growing up in the care system as a child or young person. The ICO is interested to hear from people with this experience, no matter how long they spent in care as a child or young person. It does not refer to experience of health and social care in later life.
The ICO uses the term care experience, but you may use a different phrase. Some terms may include:
- Care Leaver
- Looked After Person
- Fostered
- Adopted
- Kinship care
- Special guardianship
- Lived with family
Under data protection law, organisations are expected to respond to SARs within a 30-day timescale, unless an extension is requested.
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.