Ministry of Justice – Violation Found (United Kingdom, 2022)

The controller is the UK Ministry of Justice ('MoJ'), and processes personal data in the course of carrying out its functions. In December 2017, the MoJ had already been issued with an Enforcement Notice following a finding by the ICO that it had failed to comply with a large number of subject access requests without undue delay. Then, in January 2019 the ICO "was made aware by the controller that a backlog of subject access requests had again accrued." The DPA therefore launched a new investigation into the matter. After a series of exchanges with the MoJ, the ICO uncovered that there were 7,753 overdue access requests. As such, the ICO held that the controller contravened Article 15 GDPR by failing to inform the relevant data subjects, without undue delay, whether their personal data was being processed and, where that was the case, failed to provide access, in an intelligible form, to such personal data, and to the information as set out at Article 15(1) GDPR. As a result, it served the MoJ an Enforcement Notice to bring its processing into compliance by responding to data subjects' pending access requests. It also advised the MoJ to "develop a recovery plan, containing details of how it intends to remedy the issue of the out-of-time subject access requests."