The Ministry of Justice appears to be in the last chance saloon over its shoddy handling of data subject access requests (DSARs), after it has been revealed that the organisation has a backlog of nearly 8,000 requests for information, including details on legal proceedings, immigration hearings and police investigations.
The case dates back to December 2017, when the Information Commissioner’s Office issued the MoJ with its first enforcement notice over a large but unspecified number of unanswered DSAR enquiries.
Under the regulation, DSARs must be answered within a month but, at the time, the MoJ managed to clear the backlog.
However, in January 2019, the MoJ confessed to the ICO that yet another pile of unanswered DSARs had built up. This led to the ICO closely monitoring the situation but then the Covid-19 pandemic hit, meaning the MoJ was let off the hook until March 2021 when the ICO re-examined the case.
It was then revealed the MoJ had 5,956 requests outstanding, with 372 of those dating back to 2018. By May 2021, the number had risen to 6,398 and by August 7,753.
While conceding that the pandemic has had a major effect on the handling of DSARs, the ICO ruling states: “The substantial number of subject access requests which remain outstanding and which are out of time for compliance is a cause of significant concern. These concerns demonstrate that the [MoJ] is currently failing to adhere to its obligations in respect of the information rights of the data subjects for whom it processes data.
“Previous meetings and correspondence between the [MoJ] and Commissioner have proven largely ineffective in reducing the number of outstanding subject access requests.
“The Commissioner takes the view that damage or distress is likely as a result of the data subjects whose subject access requests are outstanding being denied the opportunity of properly understanding what personal data may be being processed about them by the [MoJ]; furthermore they are unable to effectively exercise the various other rights statutorily afforded to a data subject in respect of that data.”
Even so, the enforcement notice states the ICO has given the organisation until December 2022 – nearly a year – to get its house in order, while warning that it could, just could, face a considerable fine if it fails to comply.
The wording of the ruling appears to suggest that the ICO has run out of patience with the MoJ but so far the Metropolitan Police is the only organisation to have fallen foul of the legislation, after it emerged that the force had a backlog of over 1,700 requests for copies of data in 2019.
Although the ICO also slapped the Met with an enforcement notice, the regulator did issue a warning to companies to ensure they comply with requests within the one month time-frame or face a serious kicking for being in breach of GDPR.
Last week, a report by the Data Protection Network revealed that some organisations are being forced to handle more than 500 DSARs a year, triggering accusations that many requests are needless, vexatious and even weaponised.
Related stories
Firms rocked by barrage of ‘weaponised’ data requests
Brexit Party pummelled over backlog of data requests
Firms accused of handing out personal data willy-nilly
Met farce fuels data access request warning to brands
‘I don’t believe it’…young make most GDPR complaints
Firms face bombardment of data requests under GDPR