Subject access compliance, whilst the single greatest cause of complaints received by the Information Commissioner’s Office (ICO) in recent years, is rarely the target of meaningful enforcement action. But a recent Enforcement Notice from the regulator will cause data controllers who regularly deal with subject access requests (SARs) to sit up and take notice.
The Notice was issued to the Ministry of Justice (MoJ) recently for its repeated and significant SAR handling failures. As of August 2021, the MoJ had failed adequately to respond to 7,753 SARs. This comprised 25 requests which had received no response, and 7,728 requests which had received only a partial response. The ICO also noted that the MoJ had received 34 formal complaints from data subjects.
The sting in the tail of the Notice was a reference to the maximum permitted level of fine for a breach under data protection law – £17.5m or 4 per cent of turnover, whichever is higher.
In one sense, this is consistent with the position stated in ICO Guidance. But a fine anywhere near the level referred to in the notice would represent a tectonic shift in enforcement. Until this Notice, the ICO had not shown any real signs of issuing large fines for SAR failures – limiting its actions to remedial advice and, for those controllers who repeatedly ignored its enforcement notices, a private prosecution leading to a far smaller fine (most notably that brought under the old Data Protection Act 1998 against SCL Elections, the company behind Cambridge Analytica, in the sum of £15,000 in 2019).
The scale of non-compliance by the MoJ, in terms of the number of requests involved, is of course pretty unusual and most organisations would have nowhere near that level of SAR volumes to deal with. It is also worth noting that a fine of a central government department is effectively moving money from one part of Whitehall to another (namely the Treasury), and so the ICO is more readily able to make an example of public bodies in this way: a fact witnessed also in regular large fines issued to police and local authorities.
However, a marker has certainly been laid down. First, that this kind of persistent and large scale non-compliance is not going to be tolerated by the regulator; and secondly, that there is now a precedent for the ICO using (or at least threatening to use) its strongest fining powers in relation to subject access. If it is to avoid the fine, the MoJ now has until the end of the year to deal with all the outstanding requests – which will no doubt be a significant challenge given its track record.
Even if the MoJ case seems far removed from the issues faced by most organisations, the principles illuminated by this Notice are of wider application to controllers of any size and sector. In particular, as the Notice makes clear: the regulatory forbearance demonstrated by the ICO during the height of the pandemic is likely a thing of the past, and the regulator is ready and willing to enforce the law for SAR non-compliance.
A reminder therefore that it is worth getting the day-to-day handling of SARs right, even if it feels painful at the time.
If you require further information about anything covered in this blog, please contact Owen O’Rorke, Sam Talbot Rice or your usual contact at the firm on +44 (0)20 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, February 2022