The Information Commissioner’s Office has warned companies that they risk a day in court if they fail to respect consumers’ legal right to access the personal information that is held on them.
The warning follows the second prosecution since the turn of the year for a business which had failed to respond to a so-called “subject access request” (SAR).
Westminster Magistrates Court heard that an individual had submitted a SAR on 17 April 2017 to housing development firm Magnacrest. But Magnacrest, based in Hazlemere, Buckinghamshire, failed to provide the information within the required timescale of 40 calendar days and the individual complained to the ICO.
The regulator then served an enforcement notice on the company, ordering it to comply with the law and provide the requested information. When Magnacrest failed to obey the notice, the ICO brought a criminal prosecution under s47(1) of the Data Protection Act 1998.
Magnacrest pleaded guilty to a charge of failing to comply with an enforcement notice when it appeared before Westminster Magistrates this week. The company was fined £300, with a £30 victim surcharge, and was ordered to pay £1,133.75 towards prosecution costs.
ICO criminal enforcement manager Mike Shaw said: “The right to access your own personal information is a fundamental and long-standing principle of data protection law. New laws brought into effect last May strengthen those rights even further.
“Organisations not only have to respect this right but must also respect notices from the ICO enforcing the law. If they fail to do so then they must accept the consequences, which can include a criminal prosecution.”
In January, Cambridge Analytica parent company SCL Elections was fined £21,000 – including over £6,000 in costs – for failing to comply with an enforcement notice over a SAR which dated back to 2016.