subject access request

Subscribe to subject access request via RSS

ICO brings prosecution against SCL Elections

By Cynthia O’Donoghue & Curtis McCluskey on 23 January 2019

Earlier this month, the Information Commissioner’s Office (ICO) brought a criminal prosecution against the parent company of Cambridge Analytica, SCL Elections, for failing to comply with an enforcement notice issued by the ICO. SCL was fined £15,000 and ordered to pay costs.

The criminal prosecution may not sound surprising – after all, SCL had failed to comply with an enforcement notice. Clearly the ICO is taking a hard-line approach to enforcement. SCL, however, was in administration at the time of the enforcement notice and therefore a key point to note here is that a company is still required to ensure it complies with its data protection responsibilities, including any enforcement, even when it is in administration.

Background

In January 2017, U.S. citizen Professor David Carroll made a subject access request to SCL. SCL responded disclosing some personal data, but Professor Carroll suspected that SCL had not disclosed everything. The response from SCL also contained inadequate information about where the data had been obtained and how it would be used. He complained to the ICO, who shared his concerns.

The ICO contacted SCL in September 2017 to ask for further information. SCL was not cooperative, incorrectly claiming that Professor Carroll had no legal right to access the data because he was not a UK citizen or based in the United Kingdom. In rejecting SCL’s claim that a U.S. citizen has no legal right to access the data, the ICO confirmed that “anyone who requests their personal information from a UK-based company or organisation is legally entitled to have that request answered, in full, under UK data protection law.”

Continue Reading ICO brings prosecution against SCL Elections

The Subject Access Request That Led to a Security Breach, or Why Having a System to Respond to Access Requests Is Essential

By Kate Brimsted on 10 November 2016

In August, the UK’s data protection regulator, the ICO, fined a Hertfordshire GP practice £40,000 under the Data Protection Act 1998 (“DPA”) after a subject access request (“SAR”) went badly wrong. A lack of process, training and supervision resulted in confidential details about a patient being sent to her estranged ex-partner, who then used them…

Ireland and the UK ban forced subject access requests

By Cynthia O’Donoghue & Kate Brimsted on 19 September 2014

The practice of employers forcing employees or applicants to exercise subject access rights has been described by the UK’s Information Commissioner’s Office (‘ICO’) as a “clear perversion of an individual’s own rights”. It is now set to become a thing of the past in the UK and Ireland, as both jurisdictions bring laws into effect…

ICO to check out websites for adequate Subject Access Request wording

By Katalina Bateman on 12 August 2013

Following a public consultation in December 2012 on a draft version, the Information Commissioner’s Office (ICO) published its final Subject Access Code of Practice on 8 August 2013.

Like all other data protection laws in the EU, the Data Protection Act 1998 (DPA) includes the principle that anyone has the right to find out what…

Technology Law Dispatch

subject access request

ICO brings prosecution against SCL Elections

The Subject Access Request That Led to a Security Breach, or Why Having a System to Respond to Access Requests Is Essential

Ireland and the UK ban forced subject access requests

ICO to check out websites for adequate Subject Access Request wording

About Our Firm

Topics

Archives