Ministry of Justice data protection issues: ICO Enforcement Action

Due to a number of Ministry of Justice data protection issues, it has been reported that the UK data regulator, the ICO, has now published Enforcement Action against the MoJ.

In a recent publication from the ICO (the Information Commissioner’s Office), it was confirmed that the Ministry of Justice was in contravention of vital data protection legislation. The reason cited was due to their failure to provide, with “undue delay”, copies of information for a staggering 7,753 data subjects.

About the Ministry of Justice data protection problems

The ICO’s enforcement notice was issued on 12^th January 2022 and outlines the legal framework and obligations that the MoJ is under. It also cited a previous Enforcement Notice that was issued on 21^st December 2017 arising from the same issue of a large number of Subject Access Requests (SAR) that were reportedly delayed.

Whilst it is understood that obligations were then followed in accordance with the framework for the previous notice, the ICO was made aware of a backlog of SAR’s occurring again at the start of January 2019. However, due to the coronavirus pandemic, regulatory action was paused in 2020.

Between the end of 2020 and the end of 2021, correspondence between the ICO and the MoJ kept the regulator in the loop over the Ministry of Justice data protection issues and the backlog of Subject Access Requests it was facing.

About the Enforcement Action

The Ministry of Justice data protection issues have now resulted in the ICO taking the view that, as a result of undue delays, Enforcement Action must be issued in light of the distress that many people will be suffering from as a result of the delays. The MoJ is now being advised to take steps to rectify the situation, and the ICO has referenced in the report the power to fine those in breach of the GDPR up to £17,500,000, or 4% of total annual global turnover (whichever is the higher).

The terms of the Enforcement Action are that, by 31^st December 2022, the MoJ must have:

“informed the 7,753 data subjects referred to at paragraph 22, who have made a subject access request, whether or not the controller is processing personal data concerning that data subject, and if so provide that data subject with a copy of their data, subject only to the proper application of any exemption from, or restriction or adaptation of, the right of subject access provided for in or by virtue of the EU or UK GDPR or DPA”

and:

“carry out such changes to its internal systems, procedures and policies as are necessary to ensure that future subject access requests received by the controller, in respect of it, are identified and complied with in accordance with Article 15 of the UK GDPR, subject only to the proper application of any exemption from, or restriction or adaptation of, the right of subject access provided for in or by virtue of the UK GDPR or DPA.”

Source: ICO.

What can people do about data injustice?

Anyone facing Ministry of Justice data protection problems that has directly resulted in distress caused by their actions could be eligible to claim data breach compensation if a breach has occurred.

Whilst the ICO is there to manage and enforce the regulatory matters, they are not there to issue compensation to victims who suffer distress. However, the GDPR can entitle victims of a data breach to claim compensation, and that is what we do as leading privacy claims lawyers. For eligible claimants, we are also able to offer No Win, No Fee legal representation.

Please do not hesitate to contact the team for free, no-obligation advice should you need to do so here now.

Claim compensation for council email data leaks

CC email data leaks and claiming compensation