What did the Information Commissioner’s Office’s report say?
The Secretary of State for Justice has received an unwanted seasonal gift from the Information Commissioner's Office (ICO): an enforcement notice for failing to handle Subject Access Requests (SARs) in a timely manner, as required by the Data Protection Act 1998 (DPA).
The enforcement notice stated that the Information Commissioner's Office had received “a large number of requests for assessment by complainants made under section 42 of the DPA. They concerned the respective failure by the data controller to respond to subject access requests without undue delay, in compliance with the requirements of section 7 of the DPA.”
In addition to this, the ICO found that the internal systems, policies and procedures that the Secretary of State for Justice had in place would not satisfy the Data Protection Act when it came to documenting and actioning any Subject Access Requests received.
In July 2017, there were 191 Subject Access Requests that had not been responded to – some of these requests for information had been initiated as far back as 2012. The Secretary of State for Justice then updated the status of their outstanding SARs in November last year with the following:
14 cases received in 2014 – due for completion by 31 December 2017
161 cases received in 2015 – due for completion by 30 April 2018
357 cases received in 2016 – due for completion by 31 August 2018
261 cases received in 2017 – due for completion by 31 October 2018
The Commissioner accepted this timetable: all data subjects referenced in the enforcement notice must receive the requested data by 31 October 2018, and the department must make the required changes to its internal systems, policies and procedures by 31 January 2018.
Of course, the changes the Secretary of State's department must make will also need to satisfy the GDPR, which replaces the DPA 1998 when it applies from 25 May 2018!
The Ministry of Justice issued a formal statement:
“We have left no stone unturned in ensuring the historical backlog in responding to special access requests from offenders is addressed. The Information Commissioner has recognised our plan is robust and it is delivering results at pace and ahead of schedule.
Given the marked improvements already brought about by our urgent action in this area, we are very disappointed the Information Commissioner has decided to take formal action at this time.
We are committed to transparency and improving understanding of how the justice system works but the information we handle is often highly sensitive and we must weigh these interests with our responsibility never to put children, vulnerable victims, witnesses, staff or criminal investigations at risk.”
How long does an organisation have to respond to a Subject Access Request?
Under the current Data Protection Act 1998, a data controller has 40 calendar days in which to respond to a Subject Access Request. The clock starts once the organisation has received the fee (where one is charged; for most requests capped at £10), any information it reasonably needs to confirm the requester's identity, and enough detail to locate the data requested.
However, once the General Data Protection Regulation (GDPR) applies from 25 May 2018, the time allowed to respond to a SAR (the right of access under Article 15) will reduce to one month. Where requests are complex or numerous, this period can be extended by a further two months, but the ICO is clear that “If this is the case, you must inform the individual within one month of the receipt of the request and explain why the extension is necessary.”
Also, no fee can be demanded from a data subject for providing the information, unless, according to the ICO, the request is “manifestly unfounded or excessive, particularly if it is repetitive”, in which case the organisation can charge a “reasonable fee” to cover its administrative costs, or refuse to act on the request.
Sadly, with requests outstanding since 2012, the Secretary of State for Justice fell well outside both the 40-day limit of the current Act and the one-month limit that GDPR will impose.
Where can I get more information on handling Subject Access Requests under GDPR?
Don’t get caught out like the Secretary of State for Justice!
If you need to improve your organisation's internal systems, policies and procedures, ISMS.online can help with a SAR policy and a tool for managing requests successfully. These, together with policies and tools to help you both describe and demonstrate how you meet the other requirements of GDPR, are all available in our pre-configured and secure online platform.