A concern for many organisations is what will happen if they fail to meet a statutory deadline when responding to individual rights requests made under the GDPR. Contrary to Nietzsche, time is not a flat circle – at least for regulatory reporting purposes.

Response times feature prominently in a recent UK ICO decision that may come as some comfort to businesses dealing with these issues. The decision concerns the Freedom of Information Act 2000, which the ICO is both subject to and the regulator of. It’s a bit like that Spider-Man meme where two Spider-Mans (Spider-Men?) are pointing at each other. We’re not dealing with the GDPR, but the principles aren’t that different – here, time is not relative.

In this case, a request for information regarding NHS Digital was sent to the ICO on 18 May 2021, which the regulator acknowledged the following day. However, and despite being reminded of its responsibility to do so, the ICO failed to respond to the requestor by 27 July 2021 – the date on which the ICO (the FOIA regulator) issued a decision notice in respect of the failure of the ICO (the FOIA recipient) to respond to the information request. The ICO (the FOIA recipient) has 35 calendar days to respond to the request for information, and its failure to do so may result in the ICO (the FOIA regulator) making a written certification to the High Court.

So what does this all mean? Well, the ICO would likely look dimly on an organisation that seeks to justify its failure to meet a reporting deadline on the basis that the ICO also sometimes doesn’t meet its own deadlines. Regulatory enforcement shouldn’t – and usually doesn’t – operate by way of “do as I say, not as I do”. But it is helpful to know that regulators also struggle with responding to large information requests, and a company that does so in good faith, but misses the deadline to respond by (for example) a few days, would hopefully be treated in a way that reflects the regulator's own experiences with such requests.