Ascannio - stock.adobe.com

MoJ faces ICO enforcement over subject access requests backlog

Ministry of Justice receives enforcement notice from information commissioner over ‘substantial’ backlog of subject access requests described as being of ‘significant concern’

The Ministry of Justice (MoJ) has failed to adequately respond to nearly 7,800 subject access requests (SARs), prompting the Information Commissioner’s Office (ICO) to issue a formal enforcement notice against the department.

The MoJ was found to be in contravention of both the UK General Data Protection Regulation (GDPR) and Part Three of the Data Protection Act 2018 (DPA 18), which set out specific rules for the processing of law enforcement data for the first time in British history.

The ICO’s issuing of the enforcement notice on 18 January 2022 is only the second time one has been handed to a public body for contraventions of the obligations set out in Part Three since it came into effect in May 2018. The first was handed to the Metropolitan Police Service (MPS) in June 2019 for similar failures under Part Three to clear its SAR backlog.

“As of 16 August 2021, there were 7,753 ‘overdue SARs’, comprising 25 requests which had received no response, and 7,728 requests which had received only a partial response,” said the notice to the MoJ.

It also noted that the number of overdue SARs had been steadily building over months. As of 31 March 2021, the MoJ had 5,956 outstanding SARs, 372 of which dated back to 2018. A subsequent update from the MoJ on 18 May 2021 showed the number had risen to 6,398, before climbing to over 7,750 by August.

Under the UK’s data protection rules, the MoJ is legally obliged to respond to SARs within one month.

“The substantial number of subject access requests which remain outstanding and which are out of time for compliance is a cause of significant concern for the commissioner. These concerns demonstrate that the controller is currently failing to adhere to its obligations in respect of the information rights of the data subjects for whom it processes data,” said the notice.

“Previous meetings and correspondence between the controller and commissioner have proven largely ineffective in reducing the number of outstanding subject access requests.”

It added that between 1 April 2020 and 31 June 2021, the MoJ had received 34 formal complaints from data subjects concerning the inadequate SAR responses.

The initial ICO investigation into the SAR backlog commenced in January 2019, but was paused with the onset of the pandemic, and only resumed in October 2020 when the ICO contacted the MoJ for an update.

It is unclear how many SARs were overdue at the point when the ICO was initially alerted to the backlog in early 2019.

In response to the ICO’s request for what constitutes a partial response, the MoJ responded that, because a limited SAR service was implemented in response to pandemic restrictions, only certain information was available.  

“Requestors were advised of the reasons why the information held on [redacted] was all that could be provided when their SAR was acknowledged. They were also reminded that they had other access routes to their information via their [redacted] without the need to make a SAR as well as being informed that they could submit a further SAR after the pandemic passed,” said the MoJ.

However, the ICO noted that the process implemented for providing partial SARs was solely applied to requests from “offenders”.

“The commissioner takes the view that damage or distress is likely as a result of the data subjects whose subject access requests are outstanding being denied the opportunity of properly understanding what personal data may be being processed about them by the controller; furthermore they are unable to effectively exercise the various other rights statutorily afforded to a data subject in respect of that data,” said the notice.

“Having regard to the significant level of the contravention, the commissioner considers that an enforcement notice would be a proportionate regulatory step to bring the controller into compliance.”

Under the notice, the MoJ is required to complete all 7,753 outstanding SARs by no later than 31 December 2022, and must also carry out changes to its “internal systems, procedures and policies as are necessary” to ensure that future SARs are properly addressed.

The ICO has also advised the MoJ to draw up a “recovery plan” with details of how it intends to remedy the situation.

Failure to meet the obligations may result in the ICO serving the MoJ with a penalty notice, which would mean a fine of up to £17.5m, or 4% of the organisation’s annual worldwide turnover, whichever is higher.

Other criminal justice sectors have also struggled with SAR backlogs. In the case of the Metropolitan Police Service, it resulted in the ICO issuing an enforcement notice against the force for its backlog of 662 SARs, 280 of which were overdue.

However, despite the MPS’s failure to fully comply with the enforcement notice after many months, and despite the backlog persisting, the ICO did not issue a penalty notice or take any further regulatory action.

Asked why it did not make any public announcements regarding its MPS enforcement decisions at the time, the ICO did not directly answer the question, instead stating “we continue to work closely with the MPS as it makes further improvements to its service and are carefully monitoring their ongoing performance”.

In a report published by the ICO on 10 November 2020 about the Timeliness of responses to information access requests by police forces in England, Wales and Northern Ireland, it said the regulator had taken formal action against the MPS “for failing in its data protection obligations by not responding to SARs on time”, but failed to mention it did not pursue the action when the MPS failed to meet its requirements.

The same report also highlighted a much wider problem with the public trying to access data from law enforcement bodies (listed in Schedule 7 of the DPA 18), finding that a quarter of all requests for information (including freedom of information and subject access requests) from the police were not completed on time.

“Whilst performance rates vary widely amongst police forces, it is clear that some forces are failing to respond to a large quantity of requests within statutory deadlines. It is important to remember that behind every request is an individual or group seeking to assert their legal rights and obtain information that is significant to them,” it said. “Ultimately, it is unacceptable that approximately 25% of all requesters do not receive a timely response to their requests.”

Read more about police data and technology

Read more on IT legislation and regulation