The Ministry of Justice (MoJ) failed to respond adequately to nearly 7,800 Subject Access Requests (SARs), prompting the Information Commissioner’s Office (ICO) to issue a formal notice against the department.
The Department of Justice was found to be in breach of both the UK General Data Protection Regulation (GDPR) and Part Three of the Data Protection Act 2018 (DPA 18), which set out rules for the processing of law enforcement data for the first time in British history.
The issuance of the enforcement notice by the ICO on January 18, 2022 is only the second time that a notice has been issued to a public body for breaches of the obligations set out in Part Three since its entry into force in May 2018. The first was issued to the Metropolitan Police Service (MPS) in June 2019 for similar failures under Part Three to clear its SAR backlog.
“As of August 16, 2021, there were 7,753 ‘overdue SARs,’ comprising 25 requests that received no response and 7,728 requests that received only a partial response,” the notice to the Ministry of Justice reads.
The notice also stated that the number of overdue SARs had steadily increased over the months. As of March 31, 2021, the Justice Department had 5,956 outstanding SARs, of which 372 dated back to 2018. A subsequent Justice Department update on May 18, 2021 showed the number had risen to 6,398, before climbing to over 7,750 in August.
Under UK data protection rules, the Ministry of Justice is legally obliged to respond to SARs within one month.
“The significant number of subject access requests that remain outstanding and do not meet timelines is a significant source of concern for the Commissioner. These concerns demonstrate that the data controller is not currently complying with its obligations in relation to the rights to information of the data subjects for whom it processes the data,” the notice states.
“Previous meetings and correspondence between the Comptroller and the Commissioner have proven largely ineffective in reducing the number of outstanding subject access requests.”
The notice added that between April 1, 2020 and June 31, 2021, the Department of Justice had received 34 formal complaints from affected individuals regarding inadequate SAR responses.
The ICO’s initial investigation into the SAR backlog began in January 2019, but was halted with the onset of the pandemic and only resumed in October 2020 when the ICO contacted the Department of Justice for an update.
It is unclear how many SARs were overdue when the ICO was initially alerted to the backlog in early 2019.
In response to the ICO’s query regarding what constitutes a partial response, the Department of Justice responded that because limited SAR service was implemented in response to pandemic restrictions, only certain information was available.
“Requesters have been informed of the reasons why the information held on [redacted] was all that could be provided when their SAR was recognized. They were also reminded that they had other ways of accessing their information via their [redacted] without needing to make a SAR and were informed that they may submit another SAR after the pandemic passes,” the Department of Justice said.
However, the ICO noted that the process put in place to provide partial SARs was only applied to “offender” requests.
“The Commissioner considers that harm or distress is likely because data subjects whose access requests are pending are being denied the opportunity to properly understand what personal data may be processed about them by the controller; furthermore, they are unable to effectively exercise the various other rights granted by law to a data subject with respect to such data,” the notice states.
“Given the significant level of the contravention, the commissioner considers that an enforcement notice would be a proportionate regulatory action to bring the monitor into compliance.”
Under the notice, the Justice Department is required to complete the 7,753 outstanding SARs by December 31, 2022, and must also make necessary changes to its “internal systems, procedures and policies” to ensure that future SARs are properly processed.
The ICO has also advised the Department of Justice to draw up a “recovery plan” with details on how it intends to remedy the situation.
Failure to comply may result in the ICO sending the Department of Justice a penalty notice, which would mean a fine of up to £17.5 million, or 4% of the organization’s annual global revenue, whichever is greater.
Other criminal justice sectors have also been struggling with SAR backlogs. In the case of the Metropolitan Police Service, this resulted in the ICO issuing an enforcement notice against the force for its backlog of 662 SARs, of which 280 were overdue.
However, despite the fact that the MPS did not fully comply with the enforcement notice after several months, and despite the persistence of the backlog, the ICO did not issue a sanction notice or take other regulatory measures.
When asked why it made no public announcement regarding its MPS enforcement decisions at the time, the ICO did not answer the question directly, instead stating “we continue to work in close collaboration with the MPS as it makes further improvements to its service and carefully monitors their continued performance”.
A report published by the ICO on November 10, 2020 on the speed of responses to freedom of information requests by police forces in England, Wales and Northern Ireland said the regulator had taken formal action against the MPS “for failing to meet its data protection obligations by not responding to SARs on time”, but failed to mention that it had not pursued action when the MPS failed to meet its demands.
The same report also highlighted a much broader problem with the public trying to access law enforcement data (listed in Appendix 7 of DPA 18), finding that a quarter of all requests (including freedom of information and subject access requests) from the police were not completed on time.
“While performance rates vary considerably from one police service to another, it is clear that some services are not responding to a large number of requests within the regulatory timeframes. It is important to remember that behind every request is an individual or group seeking to assert their legal rights and obtain information important to them,” the report said. “Ultimately, it is unacceptable that approximately 25% of all requesters do not receive prompt responses to their requests.”