The rights of the public in the UK to access data held by state-run organisations are enforced by The Information Commissioner’s Office. I say enforced, but effectively, unless there’s a very significant series of large-scale errors or deliberate mischief, ICO chooses to look the other way.
They’ll more often choose to look the other way in the event that the miscreant organisation is a public body: a large-scale data breach by the NHS in 2017 / 2018 attracted only a note from ICO to NHS Digital gently chiding their error.
Some of the means of looking the other way include ICO issuing a “finding” that the organisation you’ve requested data from has failed to comply with the law, or a “recommendation” that the misconducting organisation comply with the law. Neither of these two results has sufficient force to compel a turnaround from the data controller if they’re determined to dig in their heels. None of the weak regulatory methods described above actually produces the data you’ve requested: if the organisation is sufficiently obstreperous, you’ll need to enforce your right of access to the data via civil legal action.
Yes, folks. You’ve guessed it! Another supposed “watchdog” that turns out to be toothless, doddering and tame.
At the beginning of the pandemic hitting the UK in March 2020, ICO issued guidance to organisations over handling data access requests which effectively boiled down to “don’t misuse the fact that there’s a national emergency to get around your statutory obligations”.
Eight months on and the initial finger-wagging approach has been replaced with a new edict from ICO: mark your own homework.
Organisations that infringe the law on data access issues are now routinely in receipt of this standard form letter the first page of which appears below:

The “seriously and robustly” in the above extract doesn’t apply to any actions ICO have taken in my experience of the organisation. Even in the face of large-scale data breaches for which ample evidence of a data subject’s Section 173 rights being infringed exists, ICO still takes the lethargic approaches mentioned above.
Briefly, your and my Section 173 rights are these:

The letter sent out by ICO continues:

…all of which explains the obligations on an organisation that they are already / should already be aware of.
One wonders what the point is of informing an organisation that’s already purposefully screwed up something such as a subject access request what their obligations are. If the body is determined to withhold data for the purpose of – for example – preventing revelation of their own misconduct, then a weakly worded letter from ICO will not make them correct their ways.
Misconducting organisations must be quaking in their boots regarding the powers and sanctions bit in the second-to-last paragraph, knowing ICO is notoriously weak on enforcement.
Thus the Merry-Go-Round of the UK’s weak regulatory and enforcement structure rumbles on.

