The UK’s Secretary of State for Justice has been hit with an Enforcement Notice by the Information Commissioner’s Office (ICO) over backlogs and poor handling of requests for personal records made under data protection laws.
Subject Access Requests
In the UK, under the Data Protection Act 1998 (DPA), anyone can make a request to any organisation (termed the ‘data controller’) for copies of both paper and computer records, and related information, that the organisation is holding, using, or sharing about them. This is known as a ‘subject access request’ (SAR), and organisations usually charge a fee for providing the information, e.g. up to £10 in normal circumstances. Under the DPA, organisations are required to answer subject access requests within 40 days.
The issuing of the Enforcement Notice by the ICO to the UK Ministry of Justice (technically the ‘data controller’ in this case) on 21st December 2017 relates to the fact that the ICO has received a large number of requests for assessment from people whose subject access requests had not been dealt with quickly enough by the Ministry of Justice.
The Enforcement Notice highlighted the fact that there is a backlog of 919 SARs from individuals, some of which dated back to 2012.
Two Main Problems Highlighted
The two main problems highlighted by the Notice are that the Justice Secretary (data controller) has contravened section 7 of the Data Protection Act by failing to act “without undue delay”, and that the “data controller's internal systems, procedures and policies for dealing with subject access requests made under the DPA were unlikely to achieve compliance with the provisions of the DPA”.
Plan To Clear Backlog
The ICO Enforcement Notice did, however, acknowledge that the Ministry of Justice has given the ICO a recovery plan which shows that it intends to clear the backlog by October 2018, and answer new requests without “undue delay” from January 2018.
According to the update and plan published in the Enforcement Notice, the Ministry of Justice believes that it has 793 requests that are over 40 days old, and that it planned to deal with 14 cases from 2014 by 31 December 2017, 161 cases received from 2015 by 30 April 2018, 357 cases from 2016 by 31 August 2018, and 261 cases from 2017 by 31 October 2018.
What Does This Mean For Your Business?
This is an embarrassment for the Ministry of Justice, and may be an indication of a wider problem faced by many businesses and organisations in the UK that are still not getting to grips with their responsibilities under the current Data Protection Act, let alone preparing for the introduction of the UK’s Data Protection Bill and for the EU’s GDPR, which will come into force on 25th May 2018.
Under GDPR, for example, businesses and organisations will have to deal with requests even more quickly, may have to provide additional information, and won’t be able to charge a fee for complying with requests. There will also be the challenge of responding to an individual’s ‘right to be forgotten’, and the prospect of much greater penalties for non-compliance than under the current Data Protection Act.
This story is a reminder that all businesses and organisations should take the opportunity now to ensure that their data practices are in order and likely to be compliant with GDPR, and also to consider that being GDPR compliant could actually provide commercial advantages as this will become a serious factor for consideration in trading relationships and alliances.