In recent years, many organisations - particularly in the public sector - have seen a marked increase in the exercise of data subject rights under the UK GDPR. Among these, the right of access stands out as the most frequently invoked. For in-house lawyers in the healthcare sector, this trend presents both operational and legal challenges, especially as the volume of data subject access requests (DSARs) continues to rise.
The reasons behind this surge are varied. DSARs are often used in the context of complaints, grievances, and litigation. Individuals may seek access to their personal data to support employment disputes, clinical negligence claims, or broader concerns about how their information is being handled. As awareness of data rights grows, so too does the likelihood that healthcare organisations will receive requests.
Despite this upward trend, many public sector bodies - including those in health and social care - operate under tight financial constraints. It’s understandable that resources are often prioritised for statutory service delivery. However, a recent enforcement notice issued by the Information Commissioner’s Office (ICO) against Bristol City Council (BCC) serves as a cautionary tale about the risks of under-resourced data protection functions.
BCC developed a significant backlog in its responses to DSARs during and after the disruptions of 2020. By March 2023, 179 DSARs were overdue, with the oldest dating back to December 2020. Despite informal engagement and monitoring by the ICO, the backlog worsened, reaching 189 outstanding requests by February 2024. Alarmingly, BCC estimated it would take over three years to clear the backlog without sufficient additional support.
The predicted timeline, plus the increase in the backlog, prompted the ICO to escalate its involvement, moving from informal engagement to a formal investigation. Although BCC made efforts to improve its processes, the ICO ultimately issued an enforcement notice. For data governance professionals, the notice offers valuable insight into the regulator’s expectations around backlog management and resourcing.
Notably, the ICO demonstrated patience and offered informal support over an extended period. However, the regulator concluded that BCC’s approach reflected “a poor organisational attitude towards data subjects’ rights and BCC’s compliance with the law.” The enforcement notice imposes strict deadlines, including a 30-day turnaround for DSARs dating from 2022, as well as longer - but still fixed - periods for more recent requests.
The case underscores a critical point: organisations that allow DSAR backlogs to develop and fail to take effective remedial action should expect formal enforcement and time-bound orders. For healthcare providers, where data is often sensitive and requests complex, the stakes are particularly high.
As the ICO continues to scrutinise organisational attitudes toward data rights, healthcare organisations must ensure that their commitment to transparency and accountability is reflected in their handling of DSARs.
In-house legal teams should work closely with data protection officers to ensure that DSAR processes are adequately resourced and regularly reviewed. Proactive investment in training, systems, and staffing can help avoid the reputational and regulatory risks associated with non-compliance.