The Information Commissioner’s Office (ICO) has threatened to fine the Ministry of Justice (MoJ) if it fails to deal with thousands of outstanding subject access requests (SARs).
The ICO has served an enforcement notice after the MoJ admitted that by August last year it was sitting on 7,753 overdue SARs.
The ICO first served an enforcement notice on the MoJ in 2017 after it failed to respond to a large number of SARs “without undue delay”.
The MoJ complied within the deadlines set, but another backlog soon accrued.
An ICO investigation was temporarily paused because of the pandemic. In October 2020, the MoJ said it had sought to “prioritise and process some subject access requests where the request had been in relation to ‘urgent matters’, i.e. legal proceedings, immigration hearings, or police investigations”.
By March 2021, it had 5,956 SARs outstanding to which it had only partially responded, with 372 of those dating back to 2018 – the MoJ had introduced a process of providing a partial response to requests from “offenders”, including prisoners.
The number of partial responses had risen to 6,398 by May, but the MoJ told the ICO it anticipated resuming a “full SAR service” later in 2021 subject to further Covid restrictions.
But by August the number had risen to 7,753, to which it had not responded at all to 25.
The ICO said it acknowledged the efforts the MoJ had made to comply with its data duties during the pandemic.
“However, the substantial number of subject access requests which remain outstanding and which are out of time for compliance is a cause of significant concern for the Commissioner.
“These concerns demonstrate that the controller is currently failing to adhere to its obligations in respect of the information rights of the data subjects for whom it processes data.”
The ICO said previous meetings and correspondence with the MoJ had proven “largely ineffective” in reducing the number of outstanding SARs.
It concluded that the MoJ was in breach of both the GDPR and the Data Protection Act 2018 and that the failures were likely, in the words of the Act, to cause damage or distress to the data subjects by not knowing what data was being processed about them and the problems this could cause to exercise statutory rights.
Under the terms of the enforcement notice, the MoJ is obliged by the end of 2021 to inform the 7,753 people who made a SAR whether or not it was processing their data and provide them with a copy of it.
The MoJ must also change its internal systems in such a way that future SARs are complied with.
The ICO warned that it could impose a fine of up to £17.5m or 4% of an undertaking’s total annual turnover, whichever is the higher, on those who failed to comply with an enforcement notice.
An MoJ spokesman said: “We take our responsibilities seriously and have set out an action plan to clear the backlog.”
It is understood that the MoJ has taken on more staff as part of this plan.