Business prosecuted after data subject access request failure

A housing developer has been prosecuted after ignoring an order by the UK's data protection authority to comply with a data subject access request.

11 Feb 2019

Magnacrest, based in Buckinghamshire in England, pleaded guilty to a charge of failing to comply with an enforcement notice brought by the UK's Information Commissioner's Office (ICO). The ICO brought the prosecution before Westminster Magistrates' Court.

UK data protection laws provide people with a right to a copy of the personal data organisations hold on them upon request. These are called data subject access requests.

According to the ICO, an individual submitted a subject access request to Magnacrest on 17 April 2017 and subsequently complained to the watchdog when they did not receive the information they asked for within the statutory timeframe for response.

The ICO followed the complaint up with Magnacrest and sent an enforcement notice to the company requiring it to provide the information requested. When Magnacrest failed to do so, the ICO elected to use its prosecution powers.

The ICO chose not to issue a monetary penalty notice for failure to comply with the subject access request, instead issuing an enforcement notice. Failure to comply with an enforcement notice is a criminal offence and Magnacrest was issued with a £300 criminal fine in the magistrates' court.

The Data Protection Act (DPA) 1998 was the relevant legislation in force at the time the subject access request was submitted. The Act has since been replaced in the UK by the General Data Protection Regulation (GDPR) and a new Data Protection Act 2018 that supplements the GDPR provisions.

Like the DPA 1998, the new Data Protection Act sets out rules on subject access requests. Under the new rules, subject access requests must generally be complied with within one month – previously a 40 day time limit applied.

Supplemental information also has to be disclosed by organisations alongside the personal data they provide in response to subject access requests. That includes information about the categories of personal data they hold about the requester, what the purposes of, and legal basis for, their processing are, who they have shared the data with and where they have sourced the personal data they hold from.

Under the new UK data protection regime, fines of up to €20 million, or 4% of a business' annual global turnover in the preceding financial year, whichever is higher, could be imposed by the ICO for non-compliance with data subject access requests.

Mike Shaw, the ICO’s criminal enforcement manager, said: "The right to access your own personal information is a fundamental and long-standing principle of data protection law. New laws brought into effect last May strengthen those rights even further. Organisations not only have to respect this right but must also respect notices from the ICO enforcing the law. If they fail to do so then they must accept the consequences, which can include a criminal prosecution."

Magnacrest was fined £300 and told to pay a £30 victim surcharge. It was also ordered to pay £1,133.75 towards prosecution costs.

Last month, SCL Elections, better known as the business behind the now defunct data analytics company Cambridge Analytica, was prosecuted at Hendon Magistrates' Court in London over its failure to respond fully to a data subject access request and for later ignoring an ICO enforcement notice served on it for doing so.