Ministry of Justice served with Enforcement Notice by the ICO
Published: March 23rd, 2022
7 min read
On the 18th January 2022, the ICO published that enforcement action was to be taken against the Ministry of Justice for its contravention of Section 45 of the Data Protection Act 2018 and Article 15 of the EU/UK General Data Protection Regulations, in that it had failed to provide over 7,500 data subjects with responses to their subject access requests requesting copies of their data, in accordance with its legal obligations.
In the recent publication, the Information Commissioner's Office confirmed that the Ministry of Justice was in contravention of vital data protection legislation, citing that their failure to provide, without delay, SAR information for 7,753 data subjects was completely unacceptable. The ICO's publication also referred to a previous Enforcement Notice that was issued in December 2017 arising from the same issues, this being the reason the ICO has now taken the further step to issue enforcement action.
The ICO stated:
"Enforcement action must now be issued in light of the distress that many people will be suffering as a result of the delays. The MOJ is now being advised to take steps to rectify the situation immediately"
The ICO also referenced in the public report that it had the power to fine those in breach of the GDPR up to 4% of their total annual global turnover.
The MOJ has now been given a deadline to the 31st December 2022 to inform all affected data subjects as to whether or not they are processing personal data concerning them, and if so to provide them with copies of any such data they may reasonably request. The MOJ has also been ordered to carry out numerous changes to its internal systems and procedures to ensure that future subject access requests received by them are identified and complied with in accordance with Article 15 of the UK GDPR, and without undue delay.
Whilst it is possible to recover damages as a result of mishandling of subject access requests, it should be noted that the Claimant must be able to show that they have suffered tangible losses or significant distress as a direct result of the breach. That amount of loss or damage must not be trivial and must be seen to meet the threshold of seriousness. The incident must be capable of causing a person in the modern world, of ordinary fortitude, to suffer. Claimants should be discouraged from the view that a data incident will automatically give rise to a claim for compensation. The onus will be on them to prove the losses.
Here at Forbes Solicitors, we act for individuals who have suffered distress or losses as a result of data breaches.