UK coding technology

Continual delays in processing requests has led the U.K. Information Commissioner's Office to issue an enforcement notice against the Ministry of Justice (MOJ). Because of last month's notice, the MOJ must clear up the delays and come up with an approach that will allow for quicker responses for individuals seeking information about themselves regarding data protection.

Specifically, a November 2017 report said there were 793 cases which were over 40 days old. This is compared to the backlog of 919 subject access requests, as of July 28, 2017, some of which dated back to 2012.

Subject access requests need to be processed within 40 days of a valid request, Annabel Gillham, an attorney with Morrison & Foerster's London office, told Legaltech News. Gillham said the ICO was concerned about the backlog and the length of delay, and “did not consider the procedures, put in place, for dealing with new requests, to be sufficient.”

The notice also said that when reviewing communications from the complainants, and correspondence and discussions with the MOJ, it became apparent to the ICO that the “data controller's internal systems, procedures and policies for dealing with subject access requests made under the DPA [Data Protection Act of 1998] were unlikely to achieve compliance with the provisions of the DPA.”

Gillham further explained that the enforcement notice gives the ICO “significant oversight over the remedial steps to be taken, [and] the MOJ will need to submit monthly progress reports to the ICO at the beginning of each month.” These will document how the terms of the enforcement notice are getting implemented.

“Having a backlog reflects a lack of procedures, which causes ineffectiveness in meeting basic legal obligations,” Eduardo Ustaran, an attorney at Hogan Lovells, said. “What the regulators are after is a new approach which requires thinking ahead of what measures need to be in place to enable compliance.”

“The ICO will not hesitate to take enforcement action against organizations failing to comply with access requests,” Gillham added. “The ICO proactively monitors how long public authorities take to respond to freedom of information requests from the public about their activities.”

More generally, Gillham said that data subject access to personal information can be a “minefield for data controllers, particularly where sensitive data—such as that held by the MOJ about criminal offences—is concerned, or where third-party confidentiality is at risk.”

“It can be challenging to put in place a one-size-fits-all policy or procedure for handling requests, and this is borne out by the MOJ statistics,” she added.

Furthermore, backlogs can be a serious issue for public and private sector organizations if an effective recovery plan is not put in place. “Enforcement notices can ultimately lead to fines and criminal sanctions, not to mention reputational damage. Failure to respond to requests for personal information can also lead to compensation claims from individuals for damages or distress caused,” Gillham said.

Organizations subject to the EU's new General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018, means a “backlog poses even more of a problem, as the time for response to new requests will be much shorter—just one month—and the potential fines for noncompliance will be far more severe,” according to Gillham.

Looking ahead, there likely will be an increase in requests by individuals for personal information, both in the public and private sectors, Gillham speculated. “With highly publicized data security breaches, people are becoming more aware of their rights to know what personal information is held about them and why.”