Skip to main content
Hafan

Bristol City Council issued with enforcement notice over failures to respond to data requests

  • Date 24 September 2025
  • Type News

We have issued an enforcement notice to Bristol City Council (BCC) for failing to comply with its legal obligations to respond to people who asked for the personal information the council held on them – known as a subject access request (SAR). 

Sally-Anne Poole, Head of Investigations at the ICO, said: 

“Subject access requests are a fundamental right that allows people to know what information organisations hold about them and how it is being used. Despite our repeated engagement with Bristol City Council over a sustained period of time, limited progress has been made to clear a backlog of requests. Our investigation has found that the Council’s approach towards compliance demonstrates a poor organisational attitude towards data rights and compliance with the law. This enforcement notice requires them to clear their SAR backlog in a timely manner, and make lasting improvements to bring their practices in line with the law.” 

The full enforcement notice can be read here

 

The enforcement notice requires BCC to take the following actions: 

  • Contact all people with overdue SARs to notify them of delays. 
  • Provide outstanding SAR responses by set deadlines, with the oldest cases (from 2022) to be resolved within 30 days. 
  • Give weekly progress updates to the ICO until all overdue SARs are resolved. 
  • Create and share an action plan within 90 days to address the SAR backlog, including clear responsibilities, prioritisation and timelines. 
  • Within twelve months, make system and process changes to ensure future SARs are identified and completed on time. Such changes may include: 
    • Adequate staffing and resources for SAR responses. 
    • Training for staff to ensure compliance with UK GDPR. 

Advice for the public 

People have the right to ask an organisation for the personal data they hold about them, why they are holding it and who they are sharing it with. A person can make a SAR verbally or in writing, including via social media. A person does not need to use a specific form of words, refer to legislation or direct the request to a specific contact. 

You can find guidance on making a SAR on the ICO website

If you have concerns about an organisation’s response, you can raise a complaint with them directly and then, if unresolved, report it to us

 

Notes for editors
  • The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals. 
  • The  ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
  • The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
  • To report a concern to the ICO telephone call our helpline on 0303 123 1113, or go to ico.org.uk/concerns