Organisations have been reminded that they could face a criminal prosecution if they fail to respect the public’s legal right to access their personal information. The warning has come from the Information Commissioner’s Office (ICO) after housing developer Magnacrest Ltd was fined by Westminster Magistrates for breaching data protection laws. The company failed to comply with an enforcement notice issued by the ICO and so the regulator prosecuted.
The court heard that an individual had submitted a subject access request on 17 April 2017. A Subject Access Request, or SAR, allows someone to request all of the personal information an organisation holds about them.
However, Magnacrest Ltd – which is based in Hazlemere, Buckinghamshire – failed to provide the information within the required timescale of 40 calendar days and the individual complained to the ICO, the data protection regulator.
The ICO served an enforcement notice on the company ordering it to comply with the law and provide the requested information. When the company failed to obey the notice, the ICO brought a criminal prosecution under Section 47(1) of the Data Protection Act 1998.
Magnacrest Ltd pleaded guilty to a charge of failing to comply with an enforcement notice when it appeared before Westminster Magistrates on 6 February this year. The company was fined £300, with a £30 victim surcharge, and was also ordered to pay £1,133.75 towards prosecution costs.
Mike Shaw, the ICO’s criminal enforcement manager, commented: “The right to access your own personal information is a fundamental and long-standing principle of data protection law. New laws brought into effect last May strengthen those rights even further. Organisations not only have to respect this right, but must also respect notices from the ICO enforcing the law. If they fail to do so then they must accept the consequences, which can include a criminal prosecution.”