Get one whole story, direct to your inbox every weekday.
Data protection law allows individuals to submit Subject Access Requests (SARs) to companies and organisations in order to find out what information is held about them.
SARs must be answered within three months. But the ICO watchdog said the organisations had “repeatedly failed to meet this legal deadline”.
As well as the two government departments, Hackney, Croydon and Lambeth councils were hit with regulatory action by the watchdog, as were Kent Police and Virgin Media.
One person who requested their own adoption and care records was left “upset and angry” after a London council refused to tell them how long it would take.
Another said: “The delay in providing this information… is jeopardising my ability to defend myself and risks my whole career.”
In a third case, a parent wanted a copy of their child’s asylum application so they could submit a follow-up. Without it, they were unable to proceed. An official representing them told the ICO: “I have chased this matter for seven months and have received nothing. My client’s child is constantly at risk so long as he stays in the home country.”
As of July this year, the Home Office was sitting on more than 3,000 overdue SARs.
But the Ministry of Defence had a backlog three times that length, with an average waiting time of more than a year for those it had managed to answer.
The reprimand is the latest action from the new Information Commissioner, John Edwards, who also issued an enforcement notice against the Department for International Trade earlier this month over its “persistent failures” in handling freedom of information (FOI) requests.
In a statement today, Edwards said that SARs were “fundamental rights” that provided an “essential gateway to accessing other rights”.
“Being able to ask an organisation ‘what information do you hold on me?’ and ‘how it is being used?’ provides transparency and accountability and allows the person to ask for changes to be made or even for the information to be deleted,” he said.
Jon Baines, senior data protection specialist at legal firm Mishcon de Reya, told openDemocracy the ICO’s previous lack of serious enforcement has drawn criticism over recent years.
But he said: “One hopes that what seems to be a revived focus by the ICO on the importance of compliance with the fundamental principles of data protection law means that data subjects can now have confidence that their rights will be respected and, where necessary, enforced.”
A government spokesperson said: “We take our obligations under the Data Protection Act 2018 and UK General Data Protection Regulation very seriously, and we are working hard to remove delays to Subject Access Requests identified by the Information Commissioner’s Office.”
CommentsWe encourage anyone to comment, please consult the oD commenting guidelines if you have any questions.