⏰✅ FOI : Subject Access Request (SAR) Response Data & Article 12(3) GDPR.
(Appeal Decision Issued by the Scottish Information Commissioner). Request to the Highland Council.
Sent: 29 May 2025
Due: 26 June 2025
Review Sent: 30 June 2025
Due: 28 July 2025
SICO Appeal Sent: 23 August 2025
SICO Appeal Validated: 25 September 2025
SICO Appeal Ref: 202501434
SICO: Allocated to Investigator 31 December 2025.
SICO Decision Date: 27 January 2026
SICO Decision Ref: 015/2026 [Link to the Decision at the SIC website.]
SICO Decision Response Due: 13 March 2026
Response Received: 20 March 2026
Council Ref: FS-Case-718537532
The Highland Council finally answered this long-running open FOI, about data protection statistics concerning subject access requests received at the Council since 2022, a week later than the Scottish Information Commissioner's decision notice required. The reason for its resistance to disclosing the information is clear from the response.
20 March 2026
I refer to the above appeal to the Office of the Scottish Information Commissioner in relation to the Council’s failure to respond to your FOI request about Subject Access Request compliance. I’m sorry that you haven’t received a response until now. I have answered your questions below.
1. From the dates 1 JAN 2021 to 29 MAY 2025, a breakdown of number of SAR requests received per year and the number of SAR requests the Council applied an extension under Article 12(3) GDPR to.
Please see the table below. The Council’s current CRM system which is used to register SARs only came into use for the SAR process in February 2022. Therefore we do not have the details of all of the requests which were handled prior to 21st February 2022. Our retention policy for SARs is 3 years and so we are unable to obtain data from the case records.
2. Please also include the number of SARs wherein the extension under Article 12(3) was applied past the due date of the SAR request.
The Council does not collect this data in the CRM system consistently. ICT have confirmed that the date that an extension was communicated to the applicant is only recorded in the system where that extension is communicated through a system generated email. Furthermore, this is only recorded from September 2023 onwards. We, therefore, only have records for 60 of the cases which were extended and 16 of these were extended once the case was already late.
Over a quarter (26.66%) of extensions applied to subject access requests under Article 12(3) GDPR were applied AFTER the original due date of the SAR! 💀
3. Please also provide the number of those SAR requests that were not responded to within the timeframe of 1 month and also those not responded to within the timeframe of any extended due date.
Please see the table below.
** My notes on the stats.
Article 12(3) GDPR Extensions Applied
2022: 44.86%
2023: 48.28%
2024: 38.67%
2025: 45.75%
2022-2025: 44.14%
Nearly half of all subject access requests to the Highland Council have an Article 12(3) extension applied. That is a staggering number considering these are only meant to be rarely applied to complex requests.
If you extrapolate the trend that 26.66% of those extensions are applied AFTER the original due date, which is a violation of the GDPR in its own right, we are beginning to see that the Highland Council is majorly failing in its legal obligations under the Regulation, which warrants an immediate internal audit. But who audits the data protection compliance of the Council if the Chief Audit Executive, Donna Sutherland, is also the strategic lead & manager of the data protection team?!
Extended SARs Failing to be Responded to On Time.
2022: 43.10%
2023: 72.31%
2024: 20.83%
2025: 35.65%
2022-2025: 39.00%
Even after extending the deadline for a further 2 months in almost half of all SARs received by the Highland Council, they are still failing to fulfill 39% of those on time! And… what does “late” even mean? My SAR in 2023 was not answered at all! I had, firstly, to go to the ICO, where they eventually released 13 pages; 9 of those pages my own emails. Then I had to take them to court for a court order, after which, some 27 months after the SAR was sent, they ended up disclosing hundreds of pages of data. These definitions of “late” are probably further questions I will need to put to the Council. Also, what does “on time” exactly mean? Do they send a couple pages & withhold the rest? Do they provide the requester with copies of their own emails only and call it good? What does “on time” exactly mean?
The “all cases” percentages presented by the Council are a statistical manipulation designed to skew the reality of their non-compliance when you consider their clear abuse of the Article 12(3) GDPR extension, which at best could be reasonably used in about 3-5% of cases which may be truly “complex”; then the fact that they are applying these extensions 26.66% of the time in breach of the law; and then, further, failing to respond to 39% of those extended cases on time.
4. Please provide the number of those requests that resulted in an Article 77 complaint to the ICO that the Council was then required to respond to.
I have reviewed the correspondence received from the ICO and can confirm that, since 1st January 2021, we have received 15 complaints regarding SARs. Some of these related to late responses and some to where the data subject did not believe that all information had been provided.
I hope that the above information satisfies your requests for information. If you remain dissatisfied with the Council’s responses, you have the right to appeal to the Scottish Information Commissioner under Section 47 of the Act, within six months of receiving the Council’s responses. Under Section 56(1) of the Act you subsequently have the right to an appeal, on a point of law, against a decision by the Commissioner.
Further guidance on information request reviews and right to appeal can be found on the Scottish Information Commissioner website at www.foi.scot.
Miles
Miles Watters
Information Governance Manager
The Highland Council
27 January 2026
Scottish Information Commissioner
Decision Notice 015/2026
Statistics on Subject Access Requests (SAR) submitted to the Authority – failure to respond
Applicant: The Applicant
Authority: Highland Council
Case Ref: 202501434
Summary
The Applicant asked the Authority for information about the statistics on Subject Access Requests (SARs) submitted to the Authority. This decision finds that the Authority failed to respond to the request and requirement for review within the timescale allowed by the Freedom of Information (Scotland) Act 2002 (FOISA).
Background
1. The Applicant made an information request to the Authority on 29 May 2025.
2. The Authority did not respond to the information request.
3. On 30 June 2025, the Applicant wrote to the Authority in respect of its failure to respond.
4. The Applicant did not receive a response to her requirement for review.
5. The Applicant wrote to the Commissioner on 23 August 2025, stating that she was dissatisfied with the Authority’s failure to respond and applying to the Commissioner for a decision in terms of section 47(1) of FOISA.
6. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
Investigation
7. Section 49(3)(a) of FOISA requires the Commissioner to notify public authorities of an application and to give them an opportunity to comment. The Commissioner did this on 25 September 2025.
8. The Commissioner received submissions from the Authority on 17 December 2025. These submissions are considered below.
9. The Authority explained that at the time the request was submitted, the FOI team was operating with vacancies and a number of newly recruited staff which impacted its ability to respond, and that this was exacerbated by annual leave during the summer. It further stated that it developed a backlog of cases and then received an unusually high number of appeals at the same time.
10. The Authority stated that the Applicant’s request required the provision of data which was not held in the format requested but it could, to a large extent, be created through the analysis of the information it held in its internal system. It noted that this analysis required significant time and that it had been unable to carry it out because of the continuous flow of new requests. It clarified that the time required was not enough to engage the fees regulations.
11. The Authority confirmed that it had now filled all the vacant posts and was working to improve its compliance with the statutory timescales. The Authority confirmed that it would work towards providing the Applicant with a response.
12. Section 10(1) of FOISA gives Scottish public authorities a maximum of 20 working days following the date of receipt of the request to comply with a request for information. This is subject to qualifications which are not relevant in this case.
13. It is a matter of fact that the Authority did not provide a response to the Applicant’s request for information within 20 working days, so the Commissioner finds that it failed to comply with section 10(1) of FOISA.
14. Section 21(1) of FOISA gives Scottish public authorities a maximum of 20 working days following the date of receipt of the requirement to comply with a requirement for review. Again, this is subject to qualifications which are not relevant in this case.
15. It is a matter of fact that the Authority did not provide a response to the Applicant’s requirement for review within 20 working days, so the Commissioner finds that it failed to comply with section 21(1) of FOISA.
16. The remainder of section 21 sets out the requirements to be followed by a Scottish public authority in carrying out a review. As no review has been carried out in this case, the Commissioner finds that the Authority failed to discharge these requirements: he now requires a review to be carried out in accordance with section 21.
17. The Commissioner notes the Authority’s submissions on the pressures it was experiencing at the time it received the request. He would remind authorities that under paragraph 1.1.1 of the Scottish Ministers' Code of Practice on the discharge of functions by Scottish public authorities under FOISA and the Environmental Information (Scotland) Regulations 2004 (the Section 60 Code [1]), FOI should be recognised as a specific statutory corporate function within an authority. As such, it should receive the necessary levels of organisational support at both strategic and operational levels, as well as sufficient resource, to ensure compliance with Scotland’s access to information regimes.
18. The Commissioner would also remind authorities that under paragraph 1.4.1 of the Code, Authorities should have in place robust arrangements to ensure that staff absence, whether planned or unplanned, does not affect their ability to respond to requests for information, and requests for review, within statutory timescales.
19. The Commissioner recommends that the Authority considers whether it would be appropriate to apologise to the Applicant for its failure to comply.
Decision
The Commissioner finds that the Authority failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in dealing with the information request made by the Applicant. In particular, the Authority failed to respond to the Applicant’s request for information and requirement for review within the timescales laid down by sections 10(1) and 21(1) of FOISA.
The Commissioner requires the Authority to issue a response by 13 March 2026.
Appeal
Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
Enforcement
If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Authority has failed to comply. The Court has the right to inquire into the matter and may deal with the Authority as if it had committed a contempt of court.
Jill Walker
Deputy Head of Enforcement
25 September 2025
Our Ref 202501434
25 September 2025
Application for Decision by the Scottish Information Commissioner
Public Authority: Highland Council
I refer to your email of 23 August 2025, in which you applied for a decision from the Scottish Information Commissioner. Your application was about the failure of Highland Council to respond to your information request dated 29 May 2025, and your subsequent request for review of 30 June 2025.
I am satisfied that your application is valid in terms of the Freedom of Information (Scotland) Act 2002 (FOISA).
Pauline Keith will now carry out an investigation into the way in which Highland Council dealt with your information request. She will be your point of contact during the investigation.
The investigation will be limited to Highland Council’s compliance with the timescales in FOISA. At this stage, the Commissioner cannot investigate whether or not you should have received any of the information you asked for.
What happens next?
I will send Highland Council a copy of your application and ask it to explain why it failed to reply to your information request and request for review. It will be told that the Commissioner is investigating your application and will be given an opportunity to comment. Pauline Keith will keep you informed of any developments.
Once we have enough information to allow me to conclude whether Highland Council failed to comply with FOISA, we will consider what steps need to be taken.
If the authority issues a response
It is possible that Highland Council will respond to your request once I let it know that you have made an application to the Commissioner. If this happens, let us know:
if you still require a decision from the Commissioner or
if you are happy to withdraw the application. (Highland Council’s failure to respond to you on time will be recorded in our case handling system and may be taken into account for the purposes of future action under the Commissioner’s Enforcement Policy.)
If you become aware of any other matter which might affect the investigation, please let us know as soon as possible.
The decision
Once a decision has been reached, a copy of the decision will be sent to you and to Highland Council.
At the end of the investigation, we will publish the decision on our website. The published version will not name you or include other information which we think could lead to you being identified.
30 June 2025
Dear Miles,
The following FOI are now overdue. If you could return on those at your earliest convenience I should be grateful.
1. FS-Case-718537532. SAR Response Data & Article 12(3). Target date: 26 JUN 25.
2. FS-Case-718514872. Data sharing agreement. Target date: 26 JUN 25.
Kind regards.
29 May 2025
Good Morning,
Please provide the following information:
1. From the dates 1 JAN 2021 to 29 MAY 2025, a breakdown of number of SAR requests received per year and the number of SAR requests the Council applied an extension under Article 12(3) GDPR to.
2. Please also include the number of SARs wherein the extension under Article 12(3) was applied past the due date of the SAR request.
3. Please also provide the number of those SAR requests that were not responded to within the timeframe of 1 month and also those not responded to within the timeframe of any extended due date.
4. Please provide the number of those requests that resulted in an Article 77 complaint to the ICO that the Council was then required to respond to.
Thank you for your time and attention.
Kind regards
Send an FOI request to the Highland Council here.
[1] https://www.gov.scot/binaries/content/documents/govscot/publications/advice-and-guidance/2016/12/foi-eir-section-60-code-of-practice/documents/foi-section-60-code-practice-pdf/foi-section-60-code-practice-pdf/govscot%3Adocument/FOI%2B-%2Bsection%2B60%2Bcode%2Bof%2Bpractice.pdf









