Basic legal rights are being undermined by public authorities in the UK, by failing to disclose what personal data they hold on individuals, including victims of human trafficking and the Windrush scandal, openDemocracy can reveal.

People requesting copies of their private information, such as police or immigration records, have faced long delays or had their requests ignored entirely. Others have been given folders with key documents missing.

This is having a knock-on effect in the justice system, with lawyers telling openDemocracy that asylum applications and claims for false imprisonment have been put on hold due to the delays.

Victims of the Windrush Scandal have also struggled to obtain copies of their immigration papers in order to claim compensation.

The UK’s data protection laws allow individuals to request a copy of any of their personal data that is held by an organisation. These applications, known as Subject Access Requests (SARs), have become a vital tool for collecting evidence in legal cases, as well as helping to hold authorities to account.

But a year-long investigation by openDemocracy has found that public authorities – including police forces and government departments – are routinely missing statutory response deadlines. The findings of the investigation are set out in a 27-page report published today.

In Whitehall, the Foreign, Commonwealth & Development Office (FCDO) stands out for its poor record for handling SARs. Last year, it responded to just one in five requests within the standard one-month deadline.

Lawyers and campaigners also singled out the Metropolitan Police for criticism. At the beginning of the year, almost 2,000 SARs being dealt with by the force were more than 60 days old.

In one case, lawyers needed to see the records of a human trafficking victim and asylum seeker, whom the Home Office had wrongfully accused of absconding when they were abducted by traffickers, held against their will and sexually exploited.

The government department later admitted it was wrong to withdraw the individual’s asylum application, and accepted they were a victim of trafficking and modern slavery. But the lawyers still needed to understand why the claim had been withdrawn in order to reinstate it. Lengthy delays to the SAR meant they had no choice but to progress the asylum case without these important documents, though the asylum claim was not reinstated until the day after the Home Office released them months later.

‘Wild West’

Individuals affected have almost no way to challenge their case. This has created a ‘wild west’ of personal data, in which public organisations are effectively free to flout the law.

The Information Commissioner’s Office, which is supposed to police SAR compliance, very rarely takes direct action, admitting it doesn’t “punish an organisation for breaking the law” apart from in the “most serious cases”.

Instead, the watchdog encourages ordinary citizens to pursue cases themselves through the courts. But this route is prohibitively expensive for most people, leaving them at the mercy of individual organisations, with little to no ability to enforce the law.

This is compounded by the fact that SAR compliance is already shrouded in secrecy, with several public authorities refusing to provide openDemocracy with their performance data.

An ICO spokesperson said that it provides “advice to organisations to improve their information rights practices” and has issued 13 reprimands since September 2022.

“We work closely with public authorities to monitor their regulatory obligations and help organisations respond effectively to requests for information,” they said. “We have processes in place to identify concerns, and these include looking at backlogs and how requests for information are handled.”

Major departments like the Home Office, Ministry of Justice, the Department for Work & Pensions and the Ministry of Defence are frequently complained about to the ICO.

In response to openDemocracy’s findings, a government spokesperson said: “We take our obligations under the Data Protection Act 2018 and UK General Data Protection Regulation very seriously, and we are working hard to remove delays to Subject Access Requests identified by the Information Commissioner’s Office.”

You can read our full report into SAR failures here.