When John Edwards assumed the role of Information Commissioner in January 2021 some drew conclusions from his early speeches that he might take a light touch approach to enforcement. He certainly indicated that issuing fines was not necessarily his priority, saying "[they] are a slow way to find certainty. Each one takes a great deal of time and resource to put a single stake in the ground".
Since then, however, there have been a number of notable actions taken by the Information Commissioner's Office (ICO), including moves that illustrate that monetary penalties are not the only tool in the ICO's box.
The latest example is the announcement on 28 September of seven reprimands (a statutory enforcement action under Article 58 UK GDPR) mostly to large public sector organisations, for serious and consistent failure to respond in a timely and compliant way to data subject access requests.
Although there are no direct punitive sanctions resulting from the reprimands, they are accompanied by requirements to make improvements and thus are potentially a precursor to stricter action.
The lack of serious enforcement by the ICO has drawn criticism over recent years. An access request by a data subject is an expression of a fundamental right – it requires, ordinarily, a response within one month, yet some of the examples given by the ICO in its announcement indicate serious disregard for this right:
In relation to an asylum application involving a child, a complainant said “All we need is the asylum transcript so we can submit a humanitarian application. However, we can do nothing without those transcripts. I have chased this matter for seven months and have received nothing. My client's child is constantly at risk so long as he stays in the home country.”
“In January I made an SAR. In March I received written confirmation that stated the SAR was in progress. However, I still have not received the information.” Having been told that the delay could affect the complainants credit score, they continued “I feel powerless in this and have been adversely affected by the stress it has caused.”
Mishcon de Reya recently acted in a similar matter on a pro bono basis for journalist John Pring, in his efforts over two years to secure a response to his subject access request to the Department for Work and Pensions. He resorted to seeking legal support after the ICO at that time said it couldn't help.
The ICO's revived focus on the importance of compliance with the fundamental principles of data protection law will hopefully mean data subjects can have confidence that their rights will be respected and, where necessary, enforced.