In August 2025, Bristol City Council became the latest UK local authority to face formal enforcement action from the Information Commissioner’s Office (ICO) for systematic failures in handling Subject Access Requests (SARs). With 231 overdue requests—some dating back more than three years—the case offers important lessons for any organisation handling personal data.
The Case at a Glance
Timeline of Failure
The problems at Bristol City Council didn’t emerge overnight. The ICO first made informal enquiries in February 2023 after receiving complaints from individuals about delayed responses. At that point, the council had 170 overdue SARs, with the oldest from December 2020.
Rather than improving, the situation deteriorated:
- February 2024: Backlog increased to 189 cases
- February 2024: BCC estimated it would take 50 months (over 4 years) to clear the backlog
- April 2024: ICO launched formal investigation
- June 2025: 231 overdue SARs, oldest from January 2022
- August 2025: Enforcement Notice issued
The Numbers
Between April 2023 and March 2024, Bristol City Council received 961 SARs but responded to only 400 (42%) within the statutory timeframe. This represents a compliance failure rate of 58%.
The council saw a 900% increase in SAR volumes compared to two years earlier. The majority of overdue requests related to children’s social care data. The ICO received 63 complaints from individuals between April 2023 and January 2025, with some complainants reporting distress and detriment from the delays.
The Three UK GDPR Violations
The ICO found Bristol City Council in breach of three key provisions of UK GDPR:
Article 15(1): Failure to Provide Access
This article requires controllers to confirm whether they’re processing personal data and, if so, provide access to that data along with specific information including:
- Purposes of processing
- Categories of personal data
- Recipients or categories of recipients
- Retention periods
- Rights to rectification, erasure, or restriction
- Right to lodge a complaint with the ICO
- Source of the data (if not collected from the data subject)
- Existence of automated decision-making
Bristol City Council failed to provide this fundamental information to data subjects, some of whom waited years for responses.
Article 15(3): Failure to Provide Copies
Controllers must provide a copy of the personal data undergoing processing. The council’s backlog prevented timely delivery of data copies, violating this core aspect of the right of access.
Article 12(3): Failure to Respond Within Timeframe
Controllers must respond to SARs “without undue delay and in any event within one month of receipt of the request.” This can be extended by two further months for complex requests, but the controller must inform the data subject of the extension and reasons within the initial one-month period.
With some SARs outstanding for over three years, Bristol City Council clearly breached the “without undue delay” standard.
What Went Wrong: Root Causes
Inadequate Resourcing
As of May 2025, Bristol City Council’s disclosure team consisted of:
- 1 Disclosure Manager
- 1 Disclosure Team Leader
- 2 Lead Disclosure Officers (one position vacant at the time)
- 10.3 Full Time Equivalent Disclosure Officers
Of these officers, only 1 FTE worked on the oldest cases under 500 pages, while 7.3 FTE handled prioritised cases in date order.
For context, Bristol is the eighth largest city in England and Wales outside London, with an estimated population of 483,000. The council cited budget constraints, but the ICO made clear that resource limitations don’t excuse non-compliance.
Poor Planning and Prioritisation
The council operated a reactive three-tier priority system:
- P1: Urgent due to court cases, ICO referrals, or multiple customer complaints
- P2: Following a customer request
- P3: Remaining SARs
This system created perverse incentives. Data subjects who made the most noise got faster responses, whilst those who waited patiently were disadvantaged. The ICO noted that the council didn’t always apply this prioritisation consistently—one P1 case related to court proceedings remained outstanding whilst other cases were completed.
The council’s Action Plan for addressing the backlog was “insufficient and lacking in detail with no timeframes provided for clearing the backlog of SARs,” according to the ICO. The plan failed to set out how BCC would systematically allocate cases, manage requests, or update individuals.
Failed External Partnership
In July 2024, Bristol City Council engaged an external organisation to process the oldest, most complex SARs of 500 pages or more. The plan was to send one test case, then five per month thereafter.
The results were dismal. By March 2025—eight months later—only two SARs had been completed. The council returned work to the external provider due to quality issues. The ICO found that BCC created an instructions document specifying quality requirements, but it’s unclear when this was produced. The Commissioner concluded “the required standard was not agreed at the outset of engaging the external organisation.”
This failure likely caused further delays for data subjects whose cases were identified as suitable for external processing.
Training and Process Gaps
At a meeting in May 2025, Bristol City Council stated there were “no training materials” for the Disclosure Team. This directly contradicted an action point in the council’s Action Plan marked as high priority: “Review training and support offer.”
In response to the Preliminary Enforcement Notice, the council claimed new team members were trained by working on ‘live’ cases under supervision, using reference documents including a ‘Safeguarding Concerns Guide’, ‘Social Care Consult document’ and ‘Disclosures Officer checklist’. However, this contradiction was “not properly explained in the Representations,” according to the ICO.
The council also provided inconsistent and contradictory statistics throughout the investigation, with individual SARs disappearing from reports only to reappear the following month as still overdue.
The Enforcement Terms: What Bristol Must Do
The enforcement notice requires Bristol City Council to take specific steps within defined timeframes:
Immediate Actions (30-90 days)
- Contact all data subjects with overdue SARs to notify them of delays
- Complete all 2022 SARs within 30 days (1 request)
- Complete all 2023 SARs within 90 days (44 requests)
- Create a comprehensive action plan within 90 days
Medium-term Requirements (7-8 months)
- Complete all 2024 SARs within 7 months (120 requests)
- Complete all 2025 SARs within 8 months (66 requests)
- Provide weekly progress reports to the ICO until backlog cleared
Long-term Compliance (12 months)
- Implement system changes to ensure future SARs are identified and completed within statutory timeframes
- Ensure adequate staffing and resources
- Establish proper training programmes
Potential Penalties for Non-Compliance
If Bristol City Council fails to comply with the Enforcement Notice, the ICO may issue a penalty notice requiring payment of up to £17,500,000 or 4% of annual worldwide turnover, whichever is higher.
Not an Isolated Problem: Scottish Councils Face Similar Action
Bristol City Council isn’t alone. In February 2025, the ICO reprimanded both Glasgow City Council and City of Edinburgh Council for repeatedly failing to respond to SARs within legal timeframes.
City of Edinburgh Council
The enforcement action found that during 2023, the council failed to respond to 40% of Subject Access Requests within the statutory one-month timeframe. This violated the same UK GDPR provisions as Bristol: Articles 12(3), 15(1) and 15(3).
The Scottish Picture
The ICO’s investigation followed proactive engagement with all 32 local authorities in Scotland after becoming aware of delays “amounting to years in some cases.”
Key findings included:
- 68% overall increase in SARs to Scottish local authorities between 2021 and 2024
- Many requests related to the Redress Scotland scheme, where people who suffered abuse whilst in care can apply for redress using supporting documents such as care records
- Resource and budget constraints identified as primary issues, particularly for Glasgow City Council
- 75% of local authorities improved SAR compliance
- 13 local authorities reported 90%+ compliance in 2023/24
The ICO’s statement was blunt: “Those who were let down in the past are being let down again, this time by poor SAR compliance.”
Lessons for Data Controllers
Resource Appropriately from the Start
Don’t wait for a crisis. Bristol City Council experienced a 900% increase in SARs over two years but failed to scale resources accordingly. Scottish authorities saw a 68% increase linked to the Redress Scotland scheme.
Budget for data protection compliance as essential infrastructure, not an optional add-on. When you experience significant increases in request volumes, adjust staffing proactively rather than allowing backlogs to accumulate.
Implement Robust Processes
The ICO criticised Bristol City Council’s Action Plan for failing to set out “in specific detail as to how BCC intends to systematically deal with its SAR backlog, how it intends to allocate SAR cases, or set target completion dates.”
Your SAR handling process should include:
- Clear logging, assignment, and tracking systems
- Defined timelines at each stage
- Regular communication with data subjects about progress
- Systematic prioritisation that doesn’t disadvantage patient requesters
- Accurate, consistent record-keeping
Plan External Support Properly
If you engage external providers to help with backlogs:
- Set clear expectations and quality standards before engagement begins
- Create detailed instructions upfront, not months into the contract
- Conduct regular quality reviews
- Don’t rely solely on external providers for critical compliance obligations
Bristol City Council’s external provider completed only 2 SARs in 8 months, demonstrating the risks of poorly managed outsourcing.
Take a Proactive Approach to Compliance
When Bristol City Council asked the ICO to “advise if the council is adequately resourced,” the Commissioner’s response was clear: it’s for organisations to demonstrate compliance with their data protection obligations and judge what resources are needed.
The ICO noted that Bristol City Council demonstrated a “poor organisational attitude towards data rights and compliance with the law” despite repeated engagement to resolve the backlog.
Don’t expect the regulator to tell you how to resource properly. Address backlogs before they become unmanageable. Engage transparently with the ICO when issues arise, but take ownership of solutions.
Maintain Accurate Records
Throughout the investigation, Bristol City Council provided “confusing and contradictory” statistics, with individually recorded SARs disappearing from reports only to reappear the next month as still overdue.
In one example, an email from BCC dated 29 May 2025 stated 117 outstanding 2024 cases, but representations submitted on 30 June 2025 listed 120 outstanding 2024 cases—an unexplained increase of 3 cases.
Implement consistent tracking and reporting. Conduct regular audits of outstanding requests. Clear documentation demonstrates good governance and helps you identify problems early.
The Human Impact
Sally-Anne Poole, Head of Investigations at the ICO, stated: “Subject access requests are a fundamental right that allows people to know what information organisations hold about them and how it is being used.”
The enforcement notices reference real harm:
- Complaints cited distress and detriment
- Many requests related to children’s social care data
- Some linked to court proceedings where timely access was critical
- Years-long waits for personal information
- In Scotland, abuse survivors seeking redress faced further delays
The right of access is a cornerstone of UK GDPR. It enables individuals to understand what data is held about them, which is necessary for exercising other rights such as rectification or erasure. Delays don’t just breach technical legal requirements—they undermine trust in public institutions and cause real harm to vulnerable people.
The ICO’s Enforcement Approach
The Bristol City Council case demonstrates the ICO’s escalation process:
- Informal engagement (March 2023 – April 2024): Monthly meetings, requests for information, discussions about action plans
- Formal investigation (April 2024): Information gathering, assessment of compliance
- Preliminary Enforcement Notice (June 2025): Opportunity for representations
- Enforcement Notice (August 2025): Legally binding requirements with defined deadlines
Sally-Anne Poole emphasised: “The ICO will enforce when collaboration fails.”
The ICO issued around 60 reprimands to public bodies during the trial period of its public sector approach, signalling a willingness to take action when necessary. However, it prefers collaborative solutions where organisations demonstrate genuine commitment to improvement.
Key Takeaways
Subject Access Requests are not optional. They’re a legal obligation backed by significant penalties for non-compliance.
Resource constraints don’t excuse non-compliance. While the ICO acknowledges the challenges facing public sector organisations, the law doesn’t provide an exemption for budget pressures.
Systematic failures require systematic solutions. Generic action plans without specific timelines, responsibilities, and targets won’t satisfy the ICO.
Proactive compliance is cheaper than enforcement action. Bristol City Council now faces strict deadlines, weekly reporting requirements, and the prospect of penalties up to £17.5 million if it fails to comply.
The ICO will enforce when collaboration fails. Two years of informal engagement didn’t resolve Bristol’s problems. Scottish authorities faced reprimands despite proactive ICO engagement. If your organisation has a SAR backlog, don’t assume the ICO will wait indefinitely.
What You Should Do Now
Review your organisation’s SAR handling processes against the issues identified in this case:
- Assess capacity: Do you have sufficient resources to handle your SAR volume within statutory timeframes?
- Check your backlog: Are any SARs overdue? How old is your oldest outstanding request?
- Review your processes: Do you have clear procedures for logging, assigning, tracking and completing SARs?
- Examine your training: Do staff have documented training materials and clear guidance?
- Audit your records: Are your statistics accurate and consistent?
- Evaluate external support: If you use external providers, are quality standards clearly defined and monitored?
If you identify problems, address them immediately. The longer backlogs persist, the harder they become to resolve and the more likely you are to face regulatory action.
The Bristol City Council case demonstrates that even well-intentioned organisations can face serious enforcement action when they fail to prioritise fundamental data protection rights. Don’t let resource constraints become an excuse for non-compliance.