The media platform OpenDemocracy, and journalist Jenna Corderoy, have produced an important and damning, report into the generally parlous situation data subjects are faced with when trying to access their information from public bodies.
The subject access right ("SAR") under the UK GDPR and the Data Protection Act 2018, is one that has existed in the UK since 1984, and the report, Getting Personal: Accountability and Personal Data in the UK, notes that it is
"…an extremely powerful right, covering public authorities as well as private companies, charities, political parties and other organisations. Over the years, SARs have been responsible for exposing injustices, supporting legal claims and revealing the extent of surveillance."
However, data from freedom of information requests, and interviews with a number of people who have tried to exercise their rights, reveals what the report describes as
"…long and unjustified delays – sometimes lasting several months [which] are depriving citizens of their personal information and undermining their legal and human rights."
The Information Commissioner's Office (ICO) has an enforcement role, but the report notes that "formal action is vanishingly rare" and that citizens are often left only with the possibility of bringing legal claims – something that is beyond the means of most.
The report includes an interview with Mishcon de Reya client John Pring (for whom we acted on a pro bono basis), who had to wait an astonishing two and half years to get access to his personal data from the Department of Work and Pensions, and who feels that a “policy of delaying the release of potentially embarrassing information, often for years, has gradually become ingrained within DWP".
There are a number of recommendations in the report. These include that the ICO should take more enforcement action and, in particular, that this should include intervention on individual SAR cases where there has been a clear breach of data protection laws, instead of only taking action about an organisation’s overall compliance levels.
Although there are some changes to the SAR process proposed in the Data Protection and Digital Information Bill currently before Parliament, none of these looks set to address the systematic, and structural, problems with compliance and enforcement. One hopes, though, that OpenDemocracy's report will at least generate a debate on the issue and how things might be improved.