Subject access – enforcement notice issued to MOJ

In case it slipped your notice in the run up to Christmas, you may like to note that on 19 December 2017, the ICO issued an enforcement notice to the Ministry of Justice in respect of its systemic failure to comply with its subject access obligations – see here. As the notice makes clear, as at 28 July 2017, MOJ had a backlog of some 919 subject access requests, some of which dated back to 2012! According to paragraph 6 of the Notice, by November 2017, there were still 793 cases over 40 days old. Of those, some 141 were received in 2015 and 357 were received in 2016. MOJ had apparently put in place a recovery plan aimed at eliminating the backlog by October 2018 but the ICO plainly thought that enforcement action was required in any event. Accordingly, it issued a notice in effect requiring (a) all of the requests referred to in paragraph 6 to be dealt with by 31 October 2018 and (b) MOJ’s internal systems to be adapted to make them fit for purpose by 31 January 2018.

Notably, in deciding whether or not to issue an enforcement notice, the ICO took into account that in its view ‘damage or distress to individuals is likely as a result of them being denied the opportunity of correcting inaccurate personal data about them…’ (paragraph 14). This finding inevitably raises the question of whether MOJ is now going to be facing a plethora of claims (or possibly even a group claim) for compensation brought by the affected data subjects (cf. AB v Ministry of Justice [2014] EWHC 1847 (QB): £2,250 awarded to claimant who suffered distress as a result of MOJ’s unlawful handling of his subject access request).

Anya Proops QC