Our monthly look at the enforcement action taking by the Information Commissioner in respect of Privacy and Data Protection matters continues with a review of the enforcement action published by the ICO in December 2017. You can view last month’s review of the November 2017 enforcement action here. December 2017 was not an overly busy month for the ICO; they published just one Enforcement Notice.
- Ensure that you have in place adequate procedures to ensure that you handle Subject Access requests within the time allowed by the law.
Secretary of State for Justice
The Secretary of State for Justice was served with an Enforcement Notice [pdf] requiring him to deal with his department’s backlog of delayed Subject Access Requests. As at 10 November 2017 the Ministry of Justice had 793 Subject Access Requests which were over 40 days old; some of this backlog was made up of Subject Access Requests made in 2014. This was a reduction from the 919 requests more than 40 days old as at 28 July 2017 (which included requests going back to 2012). The Data Protection Act 1998 requires that Subject Access Requests be responded to within 40 calendar days (this will be reduced to 30 calendar days under the GDPR – you can find out more about this change, and others to the right of subject access requests, in my blog post on Subject Access Requests under the GDPR).