Beyond the Backlog: Lessons from Bristol City Council’s Data Rights Failures

September 25, 2025
Jim
Data Protection, Data Subject Access Request, GDPR, Penalties
0

The right to access personal data held by public authorities, formally known as a Subject Access Request (SAR), is a fundamental part of UK data protection law. When that right is not upheld, individuals can be left without vital information that may affect their lives, legal cases, or understanding of their own histories.

Recent findings from the Information Commissioner’s Office (ICO) highlight serious failings at Bristol City Council (BCC) in meeting these obligations. The case offers important lessons for all public bodies entrusted with managing sensitive information.

1. The Scale of the Backlog

The ICO investigation revealed that BCC has faced significant challenges in handling SARs within the legal timeframe of one month (with limited scope for extensions). As of June 2025:

231 requests were overdue.
The oldest dated back more than three years, to January 2022.
Between April 2023 and March 2024, only 42% of 961 SARs were completed on time.

These figures indicate not isolated delays but a persistent, systemic problem.

2. Outsourcing difficulties

In July 2024, the council engaged an external provider to help process complex and long-standing requests. However, by March 2025, only two cases had been completed. The ICO concluded that the outsourcing effort was undermined by inadequate planning and unclear instructions from the council itself, compounding rather than alleviating the backlog.

3. Culture and Accountability

While rising SAR volumes and financial pressures were acknowledged, the ICO pointed to deeper cultural issues as the root cause. In particular, the council was found to demonstrate a poor organisational attitude towards compliance. For example, it suggested that the ICO should determine whether the council had adequate resources; signalling a lack of ownership of its statutory duties.

4. Weak Planning and Inconsistent Reporting

The ICO also found shortcomings in BCC’s internal planning and reporting:

The council’s “Action Plan” was described as insufficient, lacking detail and clear timeframes.
Forecasts for clearing the backlog shifted repeatedly, ranging from 50 months to a target of the end of 2026.
Compliance data provided to the ICO was inconsistent, with cases appearing and disappearing from reports without explanation.

Such inconsistencies reflect wider issues in governance and oversight.

5. Impact on Individuals

Behind these administrative problems lies a significant human cost. Between April 2023 and January 2025, the ICO received 63 complaints about delayed responses, many describing distress as a result. Notably, a majority of the overdue requests related to children’s social care; among the most sensitive categories of personal data.

In one high-priority case, a request flagged for court proceedings remained unresolved months later, underlining the real-world implications of these delays.

Conclusion: A Wider Lesson for Public Bodies

The ICO has now issued an enforcement notice requiring BCC to take specific remedial steps, including resolving its oldest outstanding request within 30 days. The action underscores that compliance with SAR obligations is not optional and that the consequences of failure extend well beyond administrative inconvenience.

This case is an important reminder for all public authorities: safeguarding the right of individuals to access their personal data requires not only resources, but also strong leadership, robust processes, and a clear culture of accountability.

Tags: GDPR Penalties Subject Rights

Cookie	Duration	Description
__stripe_mid	1 year	Stripe sets this cookie cookie to process payments.
__stripe_sid	30 minutes	Stripe sets this cookie cookie to process payments.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Principle Defence

Principle Defence

Book a Call