So, Liverpool City Council have the dubious honour of being the first to be prosecuted for failing to act on an Enforcement Notice from the Information Commissioner's Office (ICO). See press release.
The District Judge at Liverpool Magistrates’ Court said the council had shown an ‘appalling breakdown of communication’ and ‘a clear lack of compliance’ with the Data Protection Act 1998.
So what did they do? Basically this:
- Former employee submits Subject Access Request (SAR) and is provided with some data.
- Employee thinks the council is holding back medical data, so she complains to the ICO.
- ICO investigates and asks Liverpool CC to respond; they don't!
- ICO brings this (and the matter of another investigation) to the notice of the Council CEO.
- CEO fails to respond!
- ICO takes them to court.
The outcome? Liverpool CC receives a fine of £300.
Am I alone in thinking that the message this sends to all of the data controllers out there is:
- If you get a SAR that looks a bit tricky SIT ON IT, and withhold the difficult stuff.
- If the data subject is knowledgeable (concerned) enough s/he might complain and the ICO might investigate.
- If they do, IGNORE them, they might go away, and we will 'get away' with it.
- If they do rock up on the doorstep, say we're sorry and take the £300 fine.
That's a lot cheaper than having to put in place people, process and technology to ensure that we process data in accordance with the data subjects' rights.
Jeeeez!