ICO issues enforcement notice to Bristol City Council for SAR failings
24/09/2025 | ICO
The Information Commissioner's Office (ICO) has issued an enforcement notice to Bristol City Council (BCC) for failing to comply with its legal obligations to respond to subject access requests (SARs).
In February 2023, following several complaints, the ICO initiated an informal enquiry into the local authority. It found that BCC had a backlog of 170 overdue SARs, with the oldest dating back to December 2020. Despite ongoing informal engagement by the regulator, BCC's backlog increased to 189 outstanding cases by February 2024. Furthermore, the authority claimed that it would take an additional 50 months to clear the backlog. In April 2024, the ICO opened a formal investigation, which identified that BCC had received 961 SARs between April 2023 and March 2024, of which only 400 (42%) were responded to within the statutory timeframe. At a meeting with the ICO in August 2024, BCC confirmed that with the assistance of an external provider, it could clear its backlog within 36 months. By March 2025, the backlog had been reduced to 200 cases with the oldest request dating back to January 2022. However, difficulties with the quality of SARs led to complications with the external provider, which the ICO ultimately concluded stemmed from a failure to agree on an acceptable standard at the outset of engaging the external organisation. Between April 2023 and January 2025, the ICO received at least 63 complaints about BCC related to SARs.
The ICO found that BCC had violated Articles 12(3), 15(1), and 15(3) of the UK General Data Protection Regulation (GDPR).
The ICO enforcement notice requires BCC to:
Contact all individuals with overdue SARs to provide a response deadline, and give weekly updates to the ICO until the backlog is cleared.
Clear the oldest cases within 30 days.
Create and share an action plan to clear the backlog within 90 days.
Implement, within 12 months, long-term procedural changes to ensure future SARs are identified and completed on time.