
MoJ faces £17.5m GDPR fine over subject access request backlog

The Information Commissioner's Office says the rights of data subjects are now being infringed by the processing delay

The UK's Ministry of Justice (MoJ) has been served an enforcement notice by the Information Commissioner's Office (ICO) for failing to address and respond to a growing backlog of Subject Access Requests (SARs).

The MoJ is said to have contravened Chapter 3, Article 15 of the EU and UK GDPR, and section 45 of the Data Protection Act 2018. It has now been ordered to develop a recovery plan that sets out how it will remedy the outstanding SARs, and to "take appropriate steps" to ensure that people submitting SARs in future are notified in a timely manner of any delay to a response.

The ICO said it issued the enforcement notice after considering, and agreeing, that "damage or distress is likely" as a result of the delay in SAR processing, which meant subjects were "being denied the opportunity of properly understanding what personal data may be being processed about them by the controller". Data subjects were also deemed to have been unable to exercise their statutory rights in respect to their data.

At its peak, it's believed the subject access request backlog had grown as high as 7,753.

The ICO acknowledged the difficulties faced by the MoJ, especially as pandemic restrictions limited its ability to process SARs. However, the "substantial number" of SARs that are out of time for compliance was "a cause of significant concern for the Commissioner," the ICO said in the enforcement notice.

It also added that "previous meetings and correspondence between the controller and commissioner have proven largely ineffective in reducing the number of outstanding SARs".

Failure to meet the demands of the enforcement notice will result in a fine of £17.5 million or 4% of its annual global turnover, whichever is higher. The MoJ has 28 days to appeal the notice.

"We take our responsibilities seriously and have set out an action plan to clear the backlog," an MoJ spokesperson told IT Pro.

"The MoJ devotes significant resources to meeting these legal obligations, and we have hired extra staff to assist in clearing outstanding requests," they added. "The pandemic has had an unprecedented impact on our work, but we responded quickly and adapted ways of working to continue to provide a level of service to requestors.

"We have engaged in constructive dialogue with the ICO before and throughout the pandemic and have a clear action plan we have in place to clear the backlog."

Timeline of events

The ICO originally became aware of a backlog at the MoJ on 7 January 2019, which resulted in conversations with the data controller over the following year. This almost led to an enforcement notice being issued - a formal exercise of the Commissioner's powers for violations of data protection law - which was ultimately delayed due to the pandemic.

According to the ICO, the pandemic "led to a shift in Commissioner's approach to regulatory action" and saw the investigation into the MoJ paused. New societal restrictions affected the MoJ's ability to respond to the backlog of SARs, the data controller told the ICO in an October 2020 update. Urgent cases were being prioritised, such as those affecting legal proceedings, police investigations, and immigration hearings.

The ICO said contact between it and the MoJ resumed in March 2021 and by April, it became aware that the MoJ was facing 5,956 outstanding SARs to which the MoJ had only partially responded. A total of 372 of these dated back as far as 2018.

Regular progress updates from the MoJ regarding how it was addressing the backlog were then requested by the ICO and by May 2021, the backlog had grown to 6,398. The backlog grew further to 7,753 by August 2021 after the MoJ said it predicted the resumption of a full SAR service by "summer/autumn 2021". It also said that of the near-8,000 outstanding cases, 25 received no response at all and around 960 predated the pandemic.

The MoJ promised to address the pre-pandemic cases first, setting itself a deadline of 31 May 2022, after which time it "will then move forward with plans to revisit the remaining 6,772 partial response cases in the timeliest way achievable".
