Department accrued a five-year backlog of requests, notice from watchdog reveals
Justice secretary David Lidington has been handed an enforcement notice by the Information Commissioner’s Office in relation to a backlog of requests from members of the public to access their data – some of which were five years old.
The notice reveals that the ICO has received “a large number of requests for assessment” of the secretary and the Ministry of Justice from complainants unhappy with the handling of their requests to access personal data held by the department. The MoJ, complainants alleged, had not complied with its duties under section 7 of the Data Protection Act, to wit it had failed “to respond to subject-access requests without undue delay”.
The content of these complaints, in conjunction with initial discussions with the department, led the ICO to conclude last summer that the MoJ’s “internal systems, procedures, and policies for dealing with subject-access requests… were unlikely achieve compliance” with the act.
As of 28 July 2017, the department had a backlog of 919 requests for access to personal data – some of which had been submitted as long ago as 2012. At this point the ministry formulated a plan to clear this build-up entirely by October 2018, and to make sufficient inroads by the start of this year to be able handle all newly received requests promptly.
By 10 November of last year, the department appears to have already dealt with the very oldest subject-access requests, but still had a backlog of 793 that had been received more than 40 days previously. This included 14 requests from as far back as 2014, which the MoJ planned to clear by the end of 2017.
- ICO ‘making enquiries’ after MPs admit sharing passwords with staff
- PAC censures NHS and DoH after ‘staggering mishandling of data’
- The ten key questions – and nine answers – facing the public sector on GDPR
The 161 outstanding requests dating from 2015 are slated to be dealt with by 30 April 2018, while the 357 from 2016 will be addressed by 31 August, the MoJ said, and the 261 from last year will be completed by 31 October.
The enforcement notice said: “The commissioner is of the view that the data controller (the justice secretary) has contravened the sixth data-protection principle in that, contrary to section 7 [of the Data Protection Act], he has failed to inform the individuals, without undue delay, whether their personal data is being processed by or on behalf of the data controller and, where that is the case, failed, without undue delay, to have communicated to them in an intelligible form such information as may constitute such personal data.”
This contravention came as a result of systemic shortcomings, the notice added.
“The commissioner is of the view that the data controller is contravening the sixth data-protection principle to the extent that the systems, procedures and policies in relation to him dealing with subject-access requests submitted to the data controller are unlikely to result in compliance with those same requirements under the DPA.”
The ICO is to enforce four requirements on the justice secretary.
The first is that the MoJ meets its pledge to deal with all subject-access dating from last year or earlier by 31 October 2018. The second is that, by the end of this month, the department suitably amends its “systems, procedures, and policies” so as to ensure that it is able to comply with the Data Protection Act from now on.
The third requirement is that the justice secretary continues “to use his best endeavours” to meet the first two requirements. The final measure of enforcement is that the information commissioner must receive a “progress report at the beginning of each month documenting, in detail, how the terms of this enforcement notice have been, or are being, implemented”.
The justice secretary has the right to appeal the enforcement notice, and can do so by contacting the General Regulatory Chamber Tribunal within the next two weeks.