Ministry of Justice served with enforcement notice for breach of the Data Protection Act 1998

The Information Commissioners Office (ICO) has punished the Ministry of Justice (MOJ) for failing to comply with the Data Protection Act 1998. The MOJ are the first central government department to have been served with an enforcement notice by the ICO.

The breach relates to significant delays of the MOJ’s handling of subject access requests (‘SAR’), which are required to be dealt with without “undue delay”. The ICO received a large number of complaints in relation to the delays and the investigation by the ICO found that as of July 2017, there was a backlog of 919 subject access request from individuals, some dating back to 2012. As of 10 November 2017 the MOJ had 793 cases over 40 days old, which is the prescribed period during which a data controller must comply with a SAR.

The ICO found that it was likely that damage or distress had been caused to individuals as a result of them being denied the opportunity of correcting any potentially incorrect personal data that may have been held about them, due to them being unable to establish what personal data was being processed, within the time scales.

They also found that the European Convention on Human Rights had been unlawfully interfered with due to the MOJ’s failure to respond to SAR in accordance with the Act.

The enforcement notice has imposed various requirements upon the Secretary of State including to provide any individuals with outstanding SAR’s by 31 October 2018 with any personal data about them that has been processed and to supply them with a copy of such personal data. The Secretary of State must also provide the ICO with a monthly progress report.

Service of this notice by the ICO is an indication of the tough approach that has been taken by Elizabeth Denham, the Information Commissioner since taking up the role in July 2016. It also provides an insight into what is to come, particularly in light of the impending introduction of the General Data Protection Regulation, which will increase the requirements on data processors and the rights of individuals in respect of their personal data.

Should you require any information relating to GDPR please contact Ana James-Pittau at ajames-pittau@paulrobinson.co.uk or on 01702 338 338. We are also holding a GDPR workshop on 6 February 2018, please contact Ana in the event that you are interested in attending.