Concept for - Subject Access Requests

In a recent press release, the Information Commissioner’s Office (ICO) confirmed that a care home director had been successfully prosecuted for failing to comply with a subject access request (SAR). The case serves as a reminder to data controllers, particularly those in the health and social care sector, of the seriousness of non-compliance with the data protection regime.

What happened?

A director of a care home was found guilty under section 173 of the Data Protection Act 2018 for refusing to respond to a request for a resident’s personal information, specifically having “blocked, erased or concealed” the records requested.

The request was lawfully made by the resident’s daughter, who was authorised to exercise the right of access on her father’s behalf under a lasting power of attorney. The information requested related to serious matters, including incident reports, copies of CCTV footage and notes relating to her father’s care.

Once the matter was referred to the Information Commissioner’s Office, the director “did not provide any explanation about why his organisation would not respond to the SAR” and “tried to avoid scrutiny by asking the ICO to cancel his registration”.

Having failed to uphold the fundamental right of access, the director was found guilty by the Magistrates’ Court and ordered to pay a fine of £1,100 together with costs of £5,440.

What the law says

Under the UK data protection regime, data subjects have the right to:

  • confirmation that the organisation is processing their personal data;
  • a copy of the personal data being processed, unless providing a copy would adversely affect the rights and freedoms of others; and
  • supplementary information about the processing (listed on the ICO’s page “What is the right of access?”), including notification of their rights to:
      • request rectification or erasure of their personal data;
      • restrict or object to certain types of processing; and
      • lodge a complaint with the Information Commissioner.

Organisations must respond within one calendar month, unless an extension is legally permitted. The law permits refusal to comply with a request in limited circumstances (for example, where the request is manifestly unfounded or excessive), and the information requested may be subject, in whole or in part, to exemptions. However, under section 173 of the Data Protection Act 2018 it is a criminal offence to alter, deface, block, erase, destroy or conceal information with the intention of preventing its disclosure in response to a request.

What can we learn from this?

The case highlights several issues for data controllers. Firstly, mishandling of data rights can have profound impacts both on those who process the personal data and on the data subjects to whom the data relates. For the data subject and his representative, the absence of this information had serious consequences for his care and wellbeing. Secondly, as this case shows, a director can be held personally accountable under section 173. While we do not have a great deal of detail on the director’s personal conduct, the outcome is consistent with the ICO’s regulatory action policy, which states that high-impact, wilful, neglectful or repeated breaches can expect stronger regulatory action. In short, organisations have no choice but to pay attention.

Stephens Scown has a great deal of experience in handling subject access requests, particularly those that are complex in nature or involve sensitive data. Seeking legal advice early is one of the best steps an organisation can take to mitigate risk.

If you would like to know more, or have been affected by a similar situation, please get in touch with our Intellectual Property and Data Protection team or call us on 0345 540 5558.