ICO's enforcement notice for the Ministry of Justice
Hello and welcome back to our newsletter. Today we’re going to talk about the ICO and its enforcement on the Ministry of Justice for failing to comply and respond to Subject Access Requests.
The Ministry of Justice had received a total of 7,753 Subject Access Requests, 372 of which dated from 2018, which remained unanswered.
According to the ICO, MoJ has contravened article 15 of the EU and UK GDPR, as well as Section 45 of DPA18, for failure to comply with its legal obligations.
The ICO mentioned that “the Commissioner is of the view that the controller has contravened Chapter 3, Article 15 of the EU and UK GDPR in that it has failed to inform the relevant data subjects referred to at paragraph 22, without undue delay, whether their personal data is being processed by or on behalf of the controller and, where that is the case, has failed without undue delay to provide access, in an intelligible form, to such personal data, and to the information as set out at Article 15(1) of the EU and UK GDPR”.
Based on this, “the Commissioner has decided to exercise his powers under section 149(2)(b) DPA to serve an Enforcement Notice requiring the controller to take the specified steps to comply with the legislation. The terms of the Notice are set out in Annex 1 of this Notice”.
In case the Ministry of Justice fails to comply with the Enforcement Notice, the Commissioner may serve a penalty notice of an amount up to £17.500.000 or 4% of the annual turnover, whichever is higher.