Can the right of access be enforced under Part 3?
In detail
- What enforcement powers does the ICO have?
- Can a court order be used to enforce a SAR?
- Can people be awarded compensation?
- Is it a criminal offence to destroy and conceal information?
What enforcement powers does the ICO have?
Anyone has the right to make a complaint to us about an infringement of the data protection legislation in relation to their personal information. For example, this may apply if an organisation fails to:
- comply with a SAR; or
- give someone enough information to allow them to make a SAR.
In appropriate cases, we may take action against a controller or processor if they fail to comply with data protection legislation. For example, we could issue a controller or processor with a:
- warning;
- reprimand;
- information notice;
- assessment notice;
- interview notice;
- enforcement notice; or
- penalty notice.
A processor has no obligations under section 45 of the DPA 2018. However, under section 59, the controller and processor must have a contract in place. The contract must state that the processor will help the controller with their obligations to comply with a SAR by taking appropriate technical and organisational measures, as far as possible (taking into account the nature of the processing).
If you are a joint controller, you are only liable to the extent you are responsible for the specific action in question, under the terms of the joint arrangements. Joint controllers must ensure you make appropriate joint arrangements for dealing with SARs.
Bear in mind that we may issue an information notice or assessment notice against any person.
Can a court order be used to enforce a SAR?
If you fail to comply with a SAR, the requester may apply for a court order requiring you to comply. It's a matter for the court to decide, in each case, whether to make such an order.
If you are a joint controller, bear in mind that a court may only make an order against you, to the extent you are responsible for the specific action in question. This is determined in accordance with the terms of the joint arrangements.
Can people be awarded compensation?
If someone suffers damage or distress (including financial loss) because an organisation has infringed their data protection rights (including failing to comply with a SAR), they are entitled to claim compensation. They can only claim compensation from the processor if it has:
- not complied with any of its statutory obligations; or
- acted outside or contrary to the controller's instructions.
If you are a joint controller and your joint arrangements allocate your responsibilities for SARs, you are only liable for any breach of the duties assigned to you in accordance with the terms of the joint arrangements.
You are not liable to pay compensation if you can prove that you are not responsible in any way for the event giving rise to the damage.
A person may seek to settle their claim with you directly first before starting court proceedings. However, only the courts can enforce a person's right to compensation.
Is it a criminal offence to destroy and conceal information?
Yes. It's a criminal offence to alter, deface, block, erase, destroy or conceal information with the intention of preventing a person who has made a SAR from receiving the information they are entitled to.
It's a defence if you can prove that:
- the alteration, defacing, blocking, erasure, destruction or concealment of the information would have happened regardless of whether someone made a SAR; or
- you acted in the reasonable belief that the person making the SAR wasn't entitled to receive the information requested.
Further reading – ICO guidance
Contracts and liabilities between controllers and processors