Bristol City Council Faces Enforcement over SAR Failures

Catarina Santos

The ICO has issued an enforcement notice to Bristol City Council for failing to manage SARs. Learn why Subject Access Requests matter and how to stay compliant.

The Information Commissioner’s Office (ICO) has issued a formal enforcement notice to Bristol City Council after uncovering serious, ongoing failures in how the Council manages Subject Access Requests (SARs). This action follows years of complaints and evidence of systemic delays. The message from the ICO is clear: organisations that fail to take SAR compliance seriously will face enforcement.

SAR Failures at Bristol City Council

The ICO’s investigation revealed that Bristol City Council has struggled with a growing backlog of SARs since 2020. A Subject Access Request gives individuals the right to ask for a copy of their personal data and to understand how that data is used. Failing to respond in time undermines public trust and breaches data protection law.

Between April 2023 and January 2025, the ICO received 63 complaints from individuals waiting too long for responses. Many reported that the delays caused them harm and distress, leaving them unable to resolve personal matters or defend their rights. The ICO found that the Council had made limited progress despite repeated engagement and guidance. As a result, enforcement became the only option.

Why SARs Matter

SARs are not a formality. They are a cornerstone of data protection rights under the UK GDPR and Data Protection Act 2018. By making a SAR, an individual can see exactly what information an organisation holds about them, why it holds that data, and who it is shared with. For some, this is about transparency and reassurance. For others, especially vulnerable individuals, a SAR can directly affect access to housing, social services, or justice.

When organisations delay or ignore SARs, people lose trust and may face real-world consequences. The ICO has repeatedly emphasised that SAR compliance is fundamental. Sally-Anne Poole, Head of Investigations at the ICO, summarised the issue:

“Subject access requests are a fundamental right that allows people to know what information organisations hold about them and how it is being used. Despite our repeated engagement with Bristol City Council over a sustained period of time, limited progress has been made to clear a backlog of requests. Our investigation has found that the Council’s approach towards compliance demonstrates a poor organisational attitude towards data rights and compliance with the law.”

What the Council Must Do

The enforcement notice issued to Bristol City Council sets out a strict list of actions. These include:

  • Contacting all individuals with overdue SARs to explain the delays and confirm when they can expect a response.
  • Clearing the backlog by specific deadlines, ensuring that the oldest SARs (dating back to 2022) are completed within 30 days.
  • Providing the ICO with weekly progress updates until the backlog is fully resolved.
  • Publishing an action plan within 90 days that clearly sets out responsibilities, priorities and timelines.
  • Making lasting organisational changes within 12 months to prevent SAR delays in future. This may require hiring more staff, investing in resources, and delivering staff training.

The ICO’s demands highlight that responding to SARs is not simply an administrative task. Councils and public bodies must show they can manage the process consistently, transparently, and within the one-month statutory deadline.

Lessons for Other Organisations

Bristol City Council’s enforcement notice should serve as a warning for all public authorities and organisations. The ICO expects SARs to be treated as a legal obligation, not an afterthought. Failing to respond on time risks enforcement, reputational damage, and potential fines.

Every organisation should ask itself some key questions:

  • Do we have a clear process for managing SARs from start to finish?
  • Do we have enough staff, technology and resources to respond within the legal timeframe?
  • Are we training employees so they understand SAR rights and know how to respond appropriately?
  • Can we evidence our compliance if the ICO asks?

If the answer to any of these questions is “no,” then urgent action is needed. The ICO has shown that it will not hesitate to escalate matters where organisations repeatedly fail to meet their obligations.

The Wider Context of SAR Compliance

SAR backlogs are not unique to Bristol. Many councils, charities, and businesses struggle with the volume and complexity of requests. However, the law is clear: SARs must be answered within one month unless an extension is justified. Even then, organisations must explain the reasons for any delay to the individual making the request.

Technology can help reduce SAR risks. Case management systems, redaction tools, and specialist support can speed up responses and reduce errors. But technology alone is not enough. Organisations also need strong governance, clear policies, and a culture that treats data rights as a priority. Without these, the risk of enforcement grows.

Our View

At Data Protection People, we believe the Bristol City Council case highlights two critical points. First, SARs are central to data protection compliance and public trust. Second, enforcement action is not limited to fines; the ICO will impose detailed corrective measures when organisations fail repeatedly. Councils, businesses, and charities should take this case as a clear sign that SAR processes must be robust, well-staffed, and monitored closely.

We recommend that organisations run regular compliance checks, train staff to handle SARs effectively, and seek support where needed. By doing so, you protect both your organisation and the people whose data you process.

Contact Us

If your organisation is struggling with Subject Access Requests, we can help. Our SAR Support service provides expert assistance to manage requests on time and in line with the law. We also offer GDPR Audits to identify gaps, ongoing compliance support, and staff training to build confidence in handling SARs. Contact us today to protect your organisation and deliver on data rights.