The regulator for data protection has criticised Glasgow and Edinburgh city councils for failing to respond to requests for personal information on time.
The Information Commissioner’s Office (ICO) said the two councils have ‘repeatedly’ failed to respond to subject access requests (SARs) within the legal timeframe.
Councils in Scotland saw a 67% increase in the number of SARs between 2021 and 2024. This was partly due to the Redress Scotland scheme where people who suffered abuse in care can apply for redress using documents such as care records.
Despite this increase, the regulator found that 75% of Scottish councils improved their SAR compliance, with 13 reporting a compliance rate of 90% in 2023/24.
However, the ICO launched investigations into Glasgow City Council and City of Edinburgh Council after it did not see any improvements over 12 months.
An audit of Glasgow found that the council has good policies and procedures in place to handle SARs, but lacked the necessary resources.
Jenny Brotchie, acting head of Scottish Affairs at the ICO, said: ‘We expect all local authorities to have sufficient resources in place to handle the volume and complexity of SARs, and to keep people updated on the progress of their request.’
A spokesperson for Glasgow City Council said that since the Redress Scotland scheme was introduced the local authority has faced a 350% increase in SARs.
‘Despite this, we are managing to respond within the statutory timescales to roughly half of the requests we receive each month,’ they said.
Cllr Jane Meagher, the leader of City of Edinburgh Council, said the local authority had committed ‘substantial time, money and effort’ to improving response times.
‘This has started to pay dividends, with compliance rates showing sustained improvement throughout 2024 and reaching 89% for cases due in January 2025.’
Brotchie added: ‘We are taking a proportionate approach to monitoring local authorities, but these reprimands show that we will not hesitate to take enforcement action where necessary.’
