The Information Commissioner’s Office (ICO) has served an enforcement notice on the UK’s Ministry of Justice for failing to respond to a large number of Subject Access Requests.
The Ministry of Justice has reportedly failed to respond to nearly 7,800 Subject Access Requests in contravention of both the UK GDPR and the Data Protection Act 2018. Upon its investigation, the ICO concluded that, as of 16 August 2021, 7,753 Subject Access Requests were overdue (comprising 25 requests that had received no response and 7,728 requests, which had only been provided with a partial response).
What should the Ministry of Justice have done?
In accordance with Article 15 of the UK GDPR, a data subject has the right to obtain from a data controller confirmation as to whether or not their personal data is being processed and if so, the data subject should be given access to their personal data.
Upon receiving a Subject Access Request, the Ministry of Justice should have responded within one month. If they needed more time to respond they should have confirmed within one month of receiving the request that they would need more time to respond.
ICO’s investigation
The initial ICO investigation into the backlog of Subject Access Requests commenced in January 2019. This was temporarily paused at the onset of the pandemic and was resumed in October 2020 when the ICO asked the Ministry of Justice for an update.
Following its investigation, the ICO concluded that the issuing of an enforcement notice would be a proportionate and regulatory step to try to bring the Ministry of Justice into compliance.
In accordance with the notice, the Ministry of Justice is required to complete all 7,753 outstanding Subject Access Requests by 31 December 2022. They have also been told to carry out changes to their internal systems, procedures, and policies to ensure that any future Subject Access Requests are dealt with adequately and within the necessary timeframe.
What happens if the Ministry of Justice fails to comply with the enforcement notice?
If the Ministry of Justice fails to comply with the notice it may result in the ICO serving a penalty notice, which could mean a fine of up to £17.5 million or 4% of the organisation’s annual turnover (whichever is higher).
How can we help?
Ruby Ashby is an Associate in our expert Dispute Resolution team.
Should you be affected by any issues surrounding the use of personal data, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.