ICO rebukes council for slow responses to data requests

CROYDON IN CRISIS: Information Commissioner gives Croydon six months to clean up its act over how it responds to the public.

Dumb and Dumber: neither Mayor nor CEO responded today to an invitation to comment on the ICO’s stern reprimand to the council

Croydon Council has been reprimanded by the Information Commissioner’s Office after it was found to have failed to respond properly to more than half of the Subject Access Requests, or SARs, a form of Freedom of Information request, that it has received from members of the public.

The ICO issued its formal reprimand to south London’s rottenest borough in July.

Today they published their  findings on Croydon and six other bodies – including other London boroughs Lambeth and Hackney – which have failed to perform up to the standards required by data laws.

The Information Commissioner’s Office says that it is “the country’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals”.

Releasing the details of the various reprimands, John Edwards, the Information Commissioner, said today, “SARs and requests made under the Freedom of Information Act are fundamental rights and are an essential gateway to accessing other rights.

“Being able to ask an organisation ‘what information do you hold on me?’ and ‘how is it being used?’ provides transparency and accountability and allows the person to ask for changes to be made or even for the information to be deleted.”

FoIs are ‘fundamental rights and are an essential gateway to accessing other rights’: Information Commissioner John Edwards

Yet Croydon’s poor performance in responding to information requests is nothing new.

In 2019 – before they could hide behind the excuses of covid or the Town Hall’s bankruptcy – Croydon was identified as among the worst London boroughs for responding in a timely manner to FoI requests.

The Freedom of Information Act demands that public authorities respond to information requests within 20 working days. On SARs, they usually have one month.

Three years ago, the Campaign for Freedom of Information found that Croydon and most of London’s councils fail to respond in time to 40 per cent of all FoI requests. The ICO had set authorities a performance target of answering at least 90 per cent of requests on time

Many campaigners, activists, Council Tax-payers and, yes, journalists, suspect that councils’ delays in responding to FoI and SARs requests are often deliberate delaying tactics, employed by the authorities to avoid scrutiny.

Today, the ICO said that Croydon and the six other reprimanded bodies were identified for investigation “following a series of complaints in relation to multiple failures to respond to requests for copies of personal information collected and processed by the organisations, either within statutory time limit or, in many cases, at all”. As well as information being withheld, the ICO discovered breaches of the UK’s General Data Protection Regulation and the Data Protection Act.

In Croydon’s specific case, the ICO investigation revealed that from April 2020 to April 2021, the council “had responded to less than half of their SARs within the statutory timescales.

“This meant that 155 residents did not receive a response in accordance with the UKGDPR.”

This being Croydon, it gets worse.

In the 13 months from June 2021 to July 2022, the ICO issued Croydon with 27 decisions notices under the Freedom of Information Act “related to the council’s failure to respond to information requests”.

As well as the reprimand, Croydon Council has been issued with “a practice recommendation under our renewed approach to FOI regulation for failure to meet statutory response deadlines”.

The ICO’s reprimand to Croydon reads more like a rebuke.

“Based on the findings of this investigation, the ICO deems that London Borough of Croydon has only responded to 49.85per cent of the SARs it has received within the statutory timescales allowed during the period from 01 April 2020 to 15 April 2021.

“This meant that 155 requests made to the Council did not receive a response in accordance with the requirements of the UK GDPR. This could have significant impacts on the data subjects affected and we expect the London Borough of Croydon to take steps to improve its compliance in this area.”

Indeed, the ICO found that Croydon was actually getting slower at responding to SAR requests during the investigation. The council has “a moderate backlog of SAR cases”, the ICO said.

The Commissioner is demanding that Croydon ups its game.

“The Commissioner recommends that London Borough of Croydon could take certain steps to improve its compliance with UK GDPR,” they say.

The cash-strapped council has been given a six-point improvement plan. Another one.

The ICO says:

  1. We expect London Borough of Croydon to ensure that it meets the requirements of all information rights legislation to which it is subject;
  2. London Borough of Croydon should take steps to ensure that Subject Access Requests are responded to within statutory deadlines;
  3. London Borough of Croydon should complete a review of policies or procedures in relation to SARs to ensure these are up to date and adequate;
  4. London Borough of Croydon should ensure that it has adequate staff resource is in place to process and respond to SARs;
  5. London Borough of Croydon should improve how SARs are recorded and monitored;
  6. The SAR improvement plan is lacking detail. London Borough of Croydon should produce a detailed improvement plan that shows how it is going to tackle the SAR backlog and improve its SAR response rate.

The council has been told that they need to provide the ICO with an update by the end of October (three months on from the issuing of the letter of rebuke), with a further update due in January 2023.

Unread in Fisher’s Folly: this report from 2019 criticised several London boroughs, including Croydon

And the ICO warns, “I would like to point out that if further information relating to this subject comes to light, or if any further incidents or complaints are reported to us, we will revisit this matter and further formal regulatory action may be considered as a result.”

A Katharine Street source told Inside Croydon, “There’s probably three reasons why this has happened. One: Croydon’s poor DPO – Data Protection Officer – is probably under-resourced and overworked.

“Two: the level of bureaucracy and organisational dysfunction in Croydon makes it a nightmare to gather all the information to respond.

“And three: oversight and review interfere with the independence of the DPO’s role.”

Another source at the Town Hall suggested that responding to people’s – even councillors’ – requests for information is clearly low on council staff’s list of priorities at the minute. “But poor FoI request management is nothing new in Croydon, and has been going on for some time – since before covid and since before the council’s financial problems. So they can’t be used as excuses here.”

And a source with extensive experience of handling data requests in the public sector told us, “It will be interesting to watch out for the Action Plan that the Commissioner has instructed the council to implement. Will they publish it on the council website for full transparency about the improvements it is making?”

On the matter of openness and transparency, the ICO says, “We actively publicise our regulatory activity and outcomes, as this helps us to achieve our strategic aims in upholding information rights in the public interest.

“We may publish information about cases reported to us, for example where we think there is an opportunity for other organisations to learn or where the case highlights a risk or novel issue.”

Inside Croydon today asked Katherine Kerswell, the council’s chief executive, and Jason Perry, the elected Mayor, for their comments on the ICO’s reprimand letter. We also asked them to direct us to where on the council’s website we would be able to find the ICO’s findings.

By the time of publication, neither part-time Perry nor Kerswell had bothered to reply.

Become a Patron!

About insidecroydon

News, views and analysis about the people of Croydon, their lives and political times in the diverse and most-populated borough in London. Based in Croydon and edited by Steven Downes. To contact us, please email inside.croydon@btinternet.com
This entry was posted in Croydon Council, Katherine Kerswell, Mayor Jason Perry and tagged , , , , , , , , , , , , . Bookmark the permalink.

1 Response to ICO rebukes council for slow responses to data requests

  1. derekthrower says:

    Don’t the ICO know that Council Services are now provided on the same basis as part-time Perry provides his services to the people of Croydon. Don’t the ICO have any consideration for our DEMOC?

Leave a Reply