UK: Lessons to learn from a £40,000 fine for a mishandled subject access request.


The UK’s privacy regulator, the Information Commissioner’s Office (“ICO”), has issued a GP practice with a fine of £40,000 for unlawfully disclosing the personal data of two individuals in  response to a data subject access request (“SAR”) from a third person.  In its public statement on the enforcement action, the ICO criticised the practice for not having adequate systems or training in place to ensure that its staff were equipped to deal with SARs properly.

A SAR is a request under section 7 of the Data Protection Act 1998 for, amongst other things, the personal data of the requester which is held by the organisation to which the request is directed. In this case, the request came from a father, who submitted the request on behalf of his son, asking for details of his son’s medical records.  However, in preparing what appears to have been a hasty response to the request, the surgery also disclosed personal details relating to the child’s mother, who was estranged from the father, as well as those of the mother’s parents and an older child the man was not related to.  This was in spite of explicit instructions to the surgery from the mother  to protect her details from the father.

Although the person at the surgery dealing with the request made some effort to consult with the child’s GP, the decision was made to disclose the child’s entire medical records without any redaction.

The ICO indicated that it had taken into account the individual liability of the surgery’s partners when setting the level of the fine, and that most organisations would expect to receive a much larger fine for a similar breach.



This case illustrates a number of common failings with the way in which organisations deal with SARs. In particular, the following shortcomings were apparent:


  1.  Preparing a “blanket” response to a SAR – a SAR is a request for an individual’s personal data only. It does not authorise an individual to receive full copies of any records relating to them, and an organisation should not simply disclose an individual’s file in its entirety.
  2. Not taking into account third party personal data – the ICO’s guidance is very clear that an organisation does not have to comply with a SAR where doing so would necessitate the disclosure of a third party’s personal data where that third party: (i) has not consented to the disclosure of their personal data; and (ii) it is not otherwise reasonable to disclose their personal data without their consent. In this case, the mother had explicitly told the surgery to protect her personal details, so it was clear that the surgery should have redacted her details from the records disclosed, or withheld any records that could not be disclosed without revealing her details. In other cases, organisations will need to either actively seek consent from third parties, or make judgments about whether it is reasonable in all the circumstances to disclose third party personal data without consent.
  3. Not having a system in place to deal with SARs – when the SAR was received, there was a clear breakdown in communication between the staff member nominally responsible for the response, and those within the surgery who knew the child and were aware of the mother’s warnings. In addition, the staff member responsible does not appear to have followed a set process for considering and responding to the request, but simply sent out the child’s file in its entirety. A good SAR system, underpinned by an appropriate policy, will follow a series of steps, from validating the identity of the requester and the scope of the request, to conducting a full and proper search, pulling in all relevant parts of the organisation, to then considering the relevant records and applying any exemptions to the records to redact information which should not be disclosed.
  4. Not providing staff with training on data protection – the ICO made it clear that it did not blame the individual staff member, but rather the surgery as a whole for not providing its staff with appropriate training regarding their obligations under data protection law, and the particular issues to consider when dealing with SARs.

SARs are sometimes seen as an inconvenient administrative burden by organisations. However, the General Data Protection Regulation, due in force in 2018, will enhance the rights of data subjects, even further and reduce the response time for organisations from 40 to 30 days.  Therefore there has never been a more important time to get to grips with dealing with information rights, and, as this case demonstrates, there are potentially severe consequences for not doing so.