Merry Christmas, UK prosecutors: Here's a special gift... a slap from the privacy watchdog
Mass paperwork backlog sets off ICO
Final update The UK Ministry of Justice has been slammed for poor handling of requests for personal records made under data protection laws – and told to fix the 700-plus backlog by October.
In an enforcement notice [PDF] issued yesterday, Blighty's data protection watchdog, the Information Commissioner’s Office (ICO), said the justice department had been too slow in processing requests from people asking what information was held on them.
The Data Protection Act requires that organisations respond to these subject access requests – without undue delay – to say whether it is processing their personal data, and if so, what data that is.
In the document, the ICO revealed that, as of July 28, 2017, there was a backlog of 919 subject access requests made to the department, some of which date back to 2012. It acknowledged that there had been “some progress” to dealing with this; an update on November 10 said that 793 were over 40 days old – which is the prescribed period for a response.
This comprises: 14 from 2014, which the department has said it aims to deal with by December 31, 2017; 161 from 2015, which are due for completion by April 30; 357 from 2016, due by August 31; and 261 from 2017, due by October 31.
Despite this progress, the ICO said that the justice secretary - in his role as data controller - has contravened section 7 of the Data Protection Act for failing to act “without undue delay.” Moreover, it said, the data controller is contravening another principle because the “systems, procedures and policies in relation to him dealing with subject access requests… are unlikely to result in compliance with those same requirements under the DPA”.
There has been “no reasonable explanation” for the failings, the notice continued.
Because of this, and in light of the fact it is likely that these contraventions could cause damage or distress, the ICO said it had decided to issue an enforcement notice.
The notice orders the justice secretary to ensure that internal systems, procedures and policies comply with the law by January 31, 2018, and formally requires him to ensure all requests are dealt with by October 31, 2018, at the latest.
In addition, the justice secretary must provide the ICO with a monthly progress report, and “continue to his best endeavours to surpass the milestones” above.
The MoJ did not immediately respond to a request for comment. ®
Updated to add
A Ministry of Justice spokesperson has been in touch to say: “We know the importance of responding quickly and accurately to all subject access requests and are taking urgent action to improve our performance. As the Information Commissioner recognises, we are committed to tackling our backlog and timeliness has already improved markedly.”
After a few hours of deliberation, the Ministry of Justice offered us a fuller statement:
We have left no stone unturned in ensuring the historical backlog in responding to special access requests from offenders is addressed. The Information Commissioner has recognised our plan is robust and it is delivering results at pace and ahead of schedule.
Given the marked improvements already brought about by our urgent action in this area, we are very disappointed the Information Commissioner has decided to take formal action at this time.
We are committed to transparency and improving understanding of how the justice system works but the information we handle is often highly sensitive and we must weigh these interests with our responsibility never to put children, vulnerable victims, witnesses, staff or criminal investigations at risk.
Sponsored: Beyond the Data Frontier