24 February, 2022
The Ministry of Justice (MoJ) has recently received an Enforcement Notice from the Information Commissioner's Office (ICO) following a substantial backlog of subject access requests described by the ICO as being of "significant concern". The ICO has found that the MoJ failed to adequately respond to nearly 7,800 subject access requests (SARs), resulting in the Information Commissioner issuing a formal Enforcement Notice against the department.
It was revealed that the MoJ had contravened both the UK General Data Protection Regulation (UK GDPR) and Part 3 of the Data Protection Act 2018 by failing to adequately respond to SARs.
The Enforcement Notice is only the second of its kind to be issued by the ICO to a public authority, demonstrating the seriousness of the breaches of data protection law. The ICO findings revealed that from the 16th of August 2021, there were 7,753 overdue SARs, which compromised 25 requests which had received no response, and 7,728 requests which had received only a partial response.
It is also worth noting that the number of overdue SARs has been steadily building over the months. As of 31st March 2021, the MoJ had 5,956 outstanding SARs, 372 of which dated back to 2018. Following a subsequent update from the MoJ on 18th May 2021, it revealed that the number had increased to 6,398, before reaching to over 7,750 in August.
Under the UK's data protection rules, the MoJ is legally obliged to respond to SARs within one month of the request.
In its Enforcement Notice the ICO stated "The substantial number of subject access requests which remain outstanding, and which are out of time for compliance is a cause of significant concern for the commissioner. These concerns demonstrate that the controller is currently failing to adhere to its obligations in respect of the information rights of the data subjects for whom it processes data".
It added that between the 1st of April and 31 June 2021, the MoJ had received 34 formal complaints from data subjects with regards to inadequate SAR responses.
Under the terms of the Enforcement Notice, the MoJ is required to complete all 7,753 outstanding SARs by no later than the 31st of December 2022 and must implement changes to its internal systems and procedures, to ensure that all SARs are addresses properly.
The ICO has requested the MoJ to draft a recovery plan on how it intends to remedy the situation.
In the event that the MoJ fails to meet the obligations laid down by the ICO, this may result in the ICO issuing a penalty notice, which could potentially mean a fine up to the sum of £17.5 million.
The significant backlog of SARs arose after an increase in the number of requests received over the last couple of years. This will be familiar to RPs who have also seen a huge increase in the number of SARs received since the GDPR came into force in May 2018. We have also seen a rise in RPs receiving "bulk requests" from claims management companies/solicitors on behalf of tenants as a pre-cursor to legal proceedings. This places a significant burden on RP's resources and an RP may struggle to comply with the number of requests being received within a short period of time. Current guidance from the ICO provides little scope for RPs to reject or delay responding to these bulk SARs as it states that each SAR within a bulk request must be considered individually and responded to appropriately. However, the ICO guidance does confirm that it acknowledges the potential resource implications of the duty to respond to bulk SARs. If it receives a complaint about a SAR, the ICO will take into account the volume of requests an organisation had at the time if it receives the complaint, and any steps that they had taken to allow bulk applications to be dealt with effectively.
For more information contact Bethany Paliga in our Housing & Regeneration department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.
Learn more about our Housing & Regeneration department here