United Lincolnshire Teaching Hospitals NHS Trust – Violation Found (United Kingdom, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The United Lincolnshire Teaching Hospitals NHS Trust functions as an organisational unit within the National Health Service in the UK. The UK DPA (Information Commissioner – ICO) launched an ex-officio investigation against the NHS trust, here the controller.
During the investigation, the controller confirmed that between 1 March 2021 and 31 March 2022 it had failed to respond to 32% of access requests within the statutory timeframe of one month. It informed the ICO that it had responded to approximately 68% of access requests within one month. However, the controller noted that there were deficiencies in its system for logging access requests and that the accuracy of the data provided to the ICO could not be guaranteed. Specifically, the controller could not specify how many access requests had not yet been answered. The controller explained that its access request management system had not been fit for purpose and that it had changed to a different, improved system in 2024.
The ICO issued a reprimand to the controller as it was unable to demonstrate compliance with Article 12(3) UK GDPR, Article 15(1) UK GDPR and Article 15(3) UK GDPR between 1 March 2021 and 31 March 2022. The ICO stated that the controller had infringed Article 12(3) UK GDPR as it could not determine the number of access requests to which the extended statutory timeframe of three months applied. Further, it breached Article 12(3) UK GDPR as it could not determine how many access requests were still in its backlog. The controller had also breached Article 15(1) UK GDPR and Article 15(3) UK GDPR for failing to respond to access requests and any further copies of personal data.
The ICO welcomed the implementation of a new system with adequate tracking functions for incoming access requests. The ICO highlighted that, although the controller still has a significant backlog of access requests, it showed improvements.
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for United Lincolnshire Teaching Hospitals NHS Trust in UK
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. United Lincolnshire Teaching Hospitals NHS Trust - United Kingdom (2024). Retrieved from cookiefines.eu