ICO Serves Notice On Ministry of Justice Over Information Delays
The ICO’s has taken formal action against the MoJ after finding a backlog of hundreds of information requests, some dating back to 2012
The Information Commissioner’s Office (ICO) has taken the Ministry of Justice (MoJ) to task for what it called an “undue delay” in processing information requests and obliging the department to clear its backlog of hundreds of requests, some dating back to 2012, by the end of next October.
The office issued an enforcement action last week after it determined the MoJ’s current procedures were not in compliance with Section 7 of the Data Protection Act (DPA) of 1998, which requires organisations that hold data on individuals to respond to “subject access requests”.
Responses to such requests inform the individual whether the organisation – or “data controller” – is processing data on them, and if, so, what that information is.
The ICO said it initially looked into the MoJ’s response process for subject access requests after complaints were lodged.
‘Unlikely to achieve compliance’
“In dealing with the requests for assessment and associated correspondence relating to the complainants, as well as correspondence and discussions with the data controller, it became apparent to the Commissioner that the data controller’s internal systems, procedures and policies for dealing with subject access requests made under the DPA were unlikely to achieve compliance,” the ICO wrote in the enforcement action.
It noted that as of 28 July 2017 the MoJ had a backlog of 919 unanswered requests dating as far back as 2012.
The MoJ presented a recovery plan to the information commissioner that involved clearing the backlog by October 2018 and answering requests without “undue delay” from January 2018.
Under the DPA organisations are required to answer requests within 40 days.
An update on 10 November of this year found that the oldest unanswered requests now dated from 2014, with 14 cases from that year. In all there were 793 cases more than 40 days old, with the other cases on the list dating from 2015, 2016 and 2017.
‘No reasonable explanation’
The ICO said the MoJ hadn’t provided any “reasonable explanation” for its failure to respond to subject access requests in a timely manner, and took the view that the issue was likely to cause “damage or distress to individuals” because they were “denied the opportunity of correcting inaccurate personal data about them”.
The office issued the enforcement notice as a result of such factors, placing a legal requirement on the MoJ to clear its backlog by 31 October of next year and to update its systems to ensure information requests are responded to more quickly.
The justice secretary is also required to submit monthly progress reports and to “continue to his best endeavours to surpass the milestones” set out in the notice.
According to a report by The Register, the MoJ responded that it had “left no stone unturned” in ensuring the backlog of information requests by offenders was addressed, and said the information commissioner had recognised it had a plan in place that was delivering results “at pace and ahead of schedule”.
It said it was therefore “very disappointed” the information commissioner had considered it necessary to take formal action.
The MoJ said the delays of multiple years that hundreds of information requests have met with were due to the nature of the information the department deals with.
“The information we handle is often highly sensitive and we must weigh these interests with our responsibility never to put children, vulnerable victims, witnesses, staff or criminal investigations at risk,” the MoJ said.
The department did not immediately respond to a request for further comment.
Put your knowledge of artificial intelligence (AI) to the test. Try our quiz!