MoJ faces £17.5m GDPR fine over subject access request backlog

A close up shot of the Ministry of Justice sign outside its headquarters in London

The UK's Ministry of Justice (MoJ) has been served an enforcement notice by the Information Commissioner's Office (ICO) for failing to address and respond to a growing backlog of Subject Access Requests (SARs).

The MoJ is said to have contravened Chapter 3, Article 15 of the EU and UK GDPR, and section 45 of the Data Protection Act 2018, and has now been ordered to develop a recovery plan that includes details of how to remedy the outstanding SARs, and "take appropriate steps" to ensure future SAR submissions are timely notified of any delays to a response.

The ICO said it issued the enforcement notice after considering, and agreeing, that "damage or distress is likely" as a result of the delay in SAR processing, which meant subjects were "being denied the opportunity of properly understanding what personal data may be being processed about them by the controller". Data subjects were also deemed to have been unable to exercise their statutory rights in respect to their data.

At its peak, it's believed the subject access request backlog had grown as high as 7,753.

The ICO acknowledged the difficulties faced by the MoJ, especially as pandemic restrictions limited affected its ability to process SARs. However, the "substantial number" of SARs that are out of time for compliance was "a cause of significant concern for the Commissioner," the ICO said in the enforcement notice.

It also added that "previous meetings and correspondence between the controller and commissioner have proven largely ineffective in reducing the number of outstanding SARs".

Failure to meet the demands of the enforcement notice will result in a fine of £17.5 million or 4% of its annual global turnover, whichever is higher. The MoJ has 28 days to appeal the notice.

"We take our responsibilities seriously and have set out an action plan to clear the backlog," an MoJ spokesperson told IT Pro."

"The MoJ devotes significant resources to meeting these legal obligations, and we have hired extra staff to assist in clearing outstanding requests," they added. "The pandemic has had an unprecedented impact on our work, but we responded quickly and adapted ways of working to continue to provide a level of service to requestors.

"We have engaged in constructive dialogue with the ICO before and throughout the pandemic and have a clear action plan we have in place to clear the backlog."

Timeline of events

The ICO originally became aware of a backlog at the MoJ on 7 January 2019, which resulted in conversations with the data controller over the following year. This almost led to an enforcement notice being issued - a formal exercise of the Commissioner's powers for violations of data protection law - which was ultimately delayed due to the pandemic.

According to the ICO, the pandemic "led to a shift in Commissioner's approach to regulatory action" and saw the investigation into the MoJ paused. New societal restrictions affected the MoJ's ability to respond to the backlog of SARs, the data controller told the ICO in an October 2020 update. Urgent cases were being prioritised, such as those affecting legal proceedings, police investigations, and immigration hearings.

RELATED RESOURCE

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

FREE DOWNLOAD

The ICO said contact between it and the MoJ resumed in March 2021 and by April, it became aware that the MoJ was facing 5,956 outstanding SARs to which the MoJ had only partially responded. A total of 372 of these dated back as far as 2018.

Regular progress updates from the MoJ regarding how it was addressing the backlog were then requested by the ICO and by May 2021, the backlog had grown to 6,398. The backlog grew further to 7,753 by August 2021 after the MoJ said it predicted the resumption of a full SAR service by "summer/autumn 2021". It also said that of the near-8,000 outstanding cases, 25 received no response at all and around 960 predated the pandemic.

The MoJ promised to address the pre-pandemic cases first, setting itself a deadline of 31 May 2022, after which time it "will then move forward with plans to revisit the remaining 6,772 partial response cases in the timeliest way achievable".

Connor Jones
Contributor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.