back to article UK data watchdog slaps Ministry of Justice with Enforcement Notice for breaking GDPR law

The UK's data watchdog has issued the Ministry of Justice with an Enforcement Order [PDF] after the government department broke data protection laws by failing to process thousands of subject access requests (SARs) without undue delay. The Information Commissioner's Office (ICO) said it was made aware of the backlog by the MoJ …

  1. Woodnag

    It's all ok!

    A spokesperson for the MoJ sent us a statement: "We take our responsibilities seriously"

    That's fine then.

    1. Yet Another Anonymous coward Silver badge

      Re: It's all ok!

      MoJ declares ICO terrorists and has them all deported

      1. Anonymous Coward
        Big Brother

        Re: It's all ok!

        Probably not deportation but you know submitting the request puts you on intelligence services' lists.

  2. Disk0


    Are for the ruled, not the rulers…

  3. Ken Moorhouse Silver badge

    with 25 requests that received no response and 7,728 which received a partial response

    Their Auto-Responder appears to be working well.

  4. Mike 137 Silver badge

    Valid and invalid purposes

    "sought to prioritise requests that were "urgent" due to legal proceedings like immigration hearings or police investigations"

    Strictly speaking (as implied by Durant v. FSA 2003) the function of subject access requests is to allow the data subject to exercise their rights as provided by data protection legislation. They're not supposed to be a substitute for general judicial discovery, for which other legal mechanisms exist. It amazes me that the MOJ does not understand this.

    1. Woodnag

      Re: Valid and invalid purposes

      "It amazes me that the MOJ does not understand this."

      understand? or give a toss about?

    2. Cynical Pie

      Re: Valid and invalid purposes

      It goes further than that - the Information Tribunal have been quite explicit in their rare DP involvements (most of their cases involve FOI) that a SAR should not be used as a substitute for discovery.

      What seems to escape people making SARs for this purpose is discovery is likely to actually get them more information than a SAR!!

      1. Neil Brown

        Re: Valid and invalid purposes

        SARs are purpose-blind, and the controller has no basis for attempting to "look behind" a SAR, to try to establish the applicant's motive. Similarly, they have no basis for rejecting a SAR as being made "for the wrong reason".

        The controller simply needs to get on and deal with it in the same way as any other SAR, and provide the information required by Article 15 (UK) GDPR.

        This is one of the areas in which I see controllers make life unnecessarily hard for themselves. Lots of people - both controllers and subjects - still misunderstand what is covered by a SAR. It's common (in my experience, at least) to see people using it to try to get copies of documents, or things which are not their personal data or which is not information related to the processing of their personal data. If that's what they want then, yes, discovery is far more likely to yield those results, if it is available). Similarly, controllers get themselves in a tizz about what they are required to provide, especially in the face of an assertive data subject or a represented data subject, asking for things to which they are not legally entitled.

        While there are undoubtedly times when discovery will be the better tool for the job, discovery is only available in limited situations. If someone is merely "under investigation", for example, discovery is unlikely to be available to them at that stage. Whether a SAR then would reveal anything useful might be a different matter, especially given the exemptions available to withhold the provision of information under a SAR, but SARs are available when discovery is not.

        1. Mike 137 Silver badge

          Re: Valid and invalid purposes

          'the controller has no basis for attempting to "look behind" a SAR'

          I didn't suggest they had (at least in this respect, although there is provision for decision freedom on e.g. 'vexatiousness'). I merely stated that using a SAR in lieu of judicial discovery is not strictly appropriate, and this has been upheld.

  5. Al fazed

    If only it were the DoJ

    I am currently the subject of legal proceedings where my landlord took 6 months to reply to my SAR. When they did respopnd, I received the paperwork several weeks after the trial I had needed the SAR for. I received several hundred pages of printed documents containing my name but, where every other piece of informatin - like the date, the person who wrote the letter etc, had been fully redacted.

    In the same case the landlords legal counsel produced the Court Bundle in printed format, only with several pages of my evidence having been altered. Pages containing flow charts and dev ops diagrams had been removed entirely from the document. Other pages were freshly presented now spanning over several pages, separated by many other pages without any refence made that would join the columns back to the tables they belong to.

    Neither organisation has held up their hand to alteration of information GDPR (ii), except for the legals who wrote a letter saying "they did not alter anything, the missing pages were like that when they picked up the document before printing, and ANYWAY, I did not rely on the evidence during the hearing".

    So much for the ICO, who did confirmed that these companies had broken the Data Protection Act but also informed me that they (the ICO) cannot do anything about it, it is up to me to bring these very powerful bodies to book over their DPA - GDPR breaches.

    SHEESH what a loada sh*t UK Data Protection Law is.


  6. Anonymous Coward
    Anonymous Coward

    Does GDPR still apply now that we've left the EU?

    Honest question.

    1. Neil Brown

      It's a reasonably complicated answer.

      The GDPR applies to anyone who falls within both its material and territorial scope. So an organisation in the UK can be subject to the GDPR.

      But the UK has its own version - the UK GDPR - which is very similar to the GDPR but with a few small tweaks, in addition to the Data Protection Act 2018. As with the GDPR, anyone who falls within the material and territorial scope of the UK GDPR is subject to it.

      In some cases, it is clear cut which applies. In others, it is not, and you end up looking at the specifics of each processing activity.

      1. EnviableOne

        Not entirely correct, if you read DPA18, it basically transcribes GDPR as it is on the date of Brexit into UK law, this is the UK-GDPR people talk about.

        Any changes to GDPR after this date do not apply to UK Data Subjects but continue to apply to EU data subjects.

  7. mark l 2 Silver badge

    The problem with the ICO fining the Ministry of Justice is its just moving money tax payers money around between different gov dept. Where as it should be a case of whomever was in charge of the dept that has failed should be the one to fall on their sword and be fired or resign. As ultimately it a failure of management.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like