Earlier this month, Liverpool Council was fined £300 after pleading guilty to an offence under the Data Protection Act. It had failed to respond to repeated requests from the ICO to supply data that it may have held on a former employee.
This former employee had made a 'subject access request' under the Data Protection Act for personal information held on her by the Council. After receiving some information from the Council, she then complained to the ICO that some sensitive material relating to her health was missing.
The ICO launched an investigation, but repeated attempts to contact Liverpool Council by phone and letter went unanswered. It then issued an information notice demanding a response from the council's chief executive, and again received no reply. Failure to comply with such an information notice is a criminal offence.
"The Data Protection Act gives us all important rights, including the opportunity to find out what information is held on us by an organisation. This right is the very cornerstone of the Act and that is why the legislation is so important," said Mick Gorrill, head of the Regulatory Action Division at the Information Commissioner’s Office.
"Today’s successful prosecution serves as a very useful reminder to organisations that they must comply with subject access requests appropriately and that it is a criminal offence to ignore information notices served by the Information Commissioner," Gorrill added.
The Data Protection Act places a range of obligations on organisations which hold or use personal data. They must keep data up to date, destroy it when it is no longer needed, and answer subject access requests received from individuals.
In practice, this places an added burden on IT staff: personal data must be stored securely, but it must also be locatable and retrievable on demand, since a subject access request covers all of the personal data an organisation holds on an individual, wherever it sits.
A survey earlier this year found that many UK companies are breaching the DPA by using live customer data in test environments, where it is typically subject to weaker controls than in production.