It's all ok!
A spokesperson for the MoJ sent us a statement: "We take our responsibilities seriously"
That's fine then.
The UK's data watchdog has issued the Ministry of Justice with an Enforcement Order [PDF] after the government department broke data protection laws by failing to process thousands of subject access requests (SARs) without undue delay. The Information Commissioner's Office (ICO) said it was made aware of the backlog by the MoJ …
"sought to prioritise requests that were "urgent" due to legal proceedings like immigration hearings or police investigations"
Strictly speaking (as implied by Durant v. FSA 2003) the function of subject access requests is to allow the data subject to exercise their rights as provided by data protection legislation. They're not supposed to be a substitute for general judicial discovery, for which other legal mechanisms exist. It amazes me that the MOJ does not understand this.
It goes further than that - the Information Tribunal have been quite explicit in their rare DP involvements (most of their cases involve FOI) that a SAR should not be used as a substitute for discovery.
What seems to escape people making SARs for this purpose is that discovery is likely to actually get them more information than a SAR!!
SARs are purpose-blind, and the controller has no basis for attempting to "look behind" a SAR, to try to establish the applicant's motive. Similarly, they have no basis for rejecting a SAR as being made "for the wrong reason".
The controller simply needs to get on and deal with it in the same way as any other SAR, and provide the information required by Article 15 (UK) GDPR.
This is one of the areas in which I see controllers make life unnecessarily hard for themselves. Lots of people - both controllers and subjects - still misunderstand what is covered by a SAR. It's common (in my experience, at least) to see people using it to try to get copies of documents, or things which are not their personal data or which are not information related to the processing of their personal data. If that's what they want then, yes, discovery is far more likely to yield those results (if it is available). Similarly, controllers get themselves in a tizz about what they are required to provide, especially in the face of an assertive data subject or a represented data subject, asking for things to which they are not legally entitled.
While there are undoubtedly times when discovery will be the better tool for the job, discovery is only available in limited situations. If someone is merely "under investigation", for example, discovery is unlikely to be available to them at that stage. Whether a SAR then would reveal anything useful might be a different matter, especially given the exemptions available to withhold the provision of information under a SAR, but SARs are available when discovery is not.
'the controller has no basis for attempting to "look behind" a SAR'
I didn't suggest they had (at least in this respect, although there is provision for decision freedom on e.g. 'vexatiousness'). I merely stated that using a SAR in lieu of judicial discovery is not strictly appropriate, and this has been upheld.
I am currently the subject of legal proceedings where my landlord took 6 months to reply to my SAR. When they did respond, I received the paperwork several weeks after the trial I had needed the SAR for. I received several hundred pages of printed documents containing my name but where every other piece of information - like the date, the person who wrote the letter etc. - had been fully redacted.
In the same case the landlord's legal counsel produced the Court Bundle in printed format, only with several pages of my evidence having been altered. Pages containing flow charts and dev ops diagrams had been removed entirely from the document. Other pages were freshly presented now spanning over several pages, separated by many other pages without any reference made that would join the columns back to the tables they belong to.
Neither organisation has held up their hand to alteration of information GDPR (ii), except for the legals who wrote a letter saying "they did not alter anything, the missing pages were like that when they picked up the document before printing, and ANYWAY, I did not rely on the evidence during the hearing".
So much for the ICO, who did confirm that these companies had broken the Data Protection Act but also informed me that they (the ICO) cannot do anything about it, it is up to me to bring these very powerful bodies to book over their DPA - GDPR breaches.
SHEESH what a loada sh*t UK Data Protection Law is.
It's a reasonably complicated answer.
The GDPR applies to anyone who falls within both its material and territorial scope. So an organisation in the UK can be subject to the GDPR.
But the UK has its own version - the UK GDPR - which is very similar to the GDPR but with a few small tweaks, in addition to the Data Protection Act 2018. As with the GDPR, anyone who falls within the material and territorial scope of the UK GDPR is subject to it.
In some cases, it is clear cut which applies. In others, it is not, and you end up looking at the specifics of each processing activity.
The problem with the ICO fining the Ministry of Justice is it's just moving taxpayers' money around between different gov depts. Whereas it should be a case of whoever was in charge of the dept that has failed should be the one to fall on their sword and be fired or resign. As ultimately it is a failure of management.