My employer has refused my request for information. What can I do?

Your request for information (subject access request) goes to your employer (the data controller). If your subject access request is ignored or not carried out properly, you have two options.

  1. Complain to the Information Commissioner’s Office
  2. Complain to the court

The Information Commissioner’s Office (ICO) has several powers of enforcement under the Data Protection Act 1998 (DPA 1998). These powers rely on breaches being brought to the attention of the ICO.

The ICO can:

  • Serve information notices requiring organisations to provide the Information Commissioner’s Office with specified information within a certain time period;
  • Issue undertakings committing an organisation to a particular course of action in order to improve its compliance;
  • Serve enforcement notices and ‘stop now’ orders where there has been a breach, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law;
  • Conduct consensual assessments (audits) to check organisations are complying;
  • Serve assessment notices to conduct compulsory audits to assess whether organisations’ processing of personal data follows good practice (data protection only);
  • Issue monetary penalty notices, requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act occurring on or after 6 April 2010, or serious breaches of the Privacy and Electronic Communications Regulations occurring on or after 26 May 2011;
  • Prosecute those who commit criminal offences under the Act; and
  • Report to Parliament on data protection issues of concern.

Complaining to the Information Commissioner’s Office

Section 42 (1) of the DPA 1998 gives you the right to ask the ICO for a “compliance assessment”.

A request may be made to the Commissioner by or on behalf of any person who is, or believes himself to be, directly affected by any processing of personal data for an assessment as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of this Act.

You can ask for a compliance assessment HERE 

 

What can the ICO do?

The ICO can issue the following notices to your employer:

Information Notice – S43 DPA 1998

An information notice will ask your employer to give the ICO specific information about your request for a compliance assessment, or as reasonably required for the ICO to assess your employer’s compliance.

Enforcement Notice – S40 DPA 1998

In addition or alternatively, the ICO can issue an enforcement notice compelling your employer to give you the information you have requested, where there is evidence that your employer has breached or intends to breach any of the data protection principles.

S40(2) says that in deciding whether or not to serve an enforcement notice, the ICO will consider whether the breach has caused or is likely to cause any personal damage or distress.

Monetary Penalty Notice – S55A DPA 1998

The ICO cannot award you compensation, but it can fine your employer. The ICO has the power to issue monetary penalty notices of up to £500,000 for serious breaches of the Data Protection Act occurring on or after 6 April 2010, and serious breaches of the Privacy and Electronic Communications Regulations.

Details of enforcement action that the ICO has taken can be found HERE

Under DPA 1998, S48 & S55B, your employer can appeal a decision of the ICO to the First-tier Tribunal (Information Rights).

 

Complaining to the court

You can apply to the High Court or County Court to order your employer to comply with the DPA 1998 for the following reasons:

  • Your right to get your information (subject access) – S7(9) DPA 1998
  • Your right to prevent processing likely to cause damage or distress – S10(4) DPA 1998
  • Your right to prevent processing for direct marketing purposes – S11(2) DPA 1998
  • Your rights in relation to automated decision-making – S12(8) DPA 1998
  • Your right to rectify, block, erase and destroy inaccurate data or an expression of opinion based on the inaccurate data – S14 DPA 1998

What can the Courts do?

The Courts have the power to award you compensation if you can show evidence of:

  • Damage caused to you by the breach – S13(1) DPA 1998
  • Distress in addition to the damage, or evidence that the breach relates to processing for special purposes (journalistic, artistic or literary) – S13(2) DPA 1998

Your employer can defend a claim for compensation with evidence that all care had been taken as was reasonably required in the circumstances to avoid the breach – S13(3) DPA 1998.

In the case of Halliday v Creation Consumer Finance [2013], Mr Halliday had sued Creation Consumer Finance under Section 13 of the Data Protection Act 1998 when they accidentally and temporarily passed to a credit reference agency incorrect information about his allegedly having an unpaid debt of £1500. In the first case, although he won, Mr Halliday received nothing much in damages because the judge was not satisfied that there was evidence of reputational harm or prejudice to Mr Halliday.

Mr Halliday went to the Court of Appeal because he was unhappy with the nominal damages that the first judge gave him. Mr Halliday’s argument was based on Article 24 of Directive 95/46/EC, which provides that member states must provide for sanctions where data protection rights have been infringed. The Court of Appeal said that he could not seek direct enforcement of that provision in private proceedings, and that it was not the function of the civil courts to impose sanctions on data controllers – rather, their function under S13 of the DPA 1998 was to compensate data subjects.

Mr Halliday’s appeal was allowed. The Court set nominal damages under s13 (1) DPA 1998 at £1. This then entitled Mr Halliday to compensation for distress under S13 (2) DPA 1998. The Court awarded him £750 for his distress and frustration at Creation Consumer Finance’s wrongful processing, but there was no evidence of him having suffered injury to feelings at the time. Also, the breach was a technical error rather than an intentional misstatement, hence the somewhat insubstantial sum by way of substantial damages.

The Court of Appeal said that in relation to awards of compensation for distress under section 13 of the DPA 1998, as a general principle, where there has been a compliance failure there ought to be an award. But the sum awarded should be relatively modest in nature, since it is not the intention of the legislation to produce some kind of substantial award and it is intended to be compensation for actual proven distress.

Case Study

In the Scottish case of Collins v First Quench Retailing Ltd [2003], Ms Jacqueline Collins was awarded £179,000 from her employers when the off-license she managed was robbed. Ms Collins had been the manager of Victoria Wine, run by First Quench Retailing, for about ten years. When Mrs Collins started in the shop she had been concerned about security and raised this with management. Since 1977 there had been 13 reported crimes at the shop, including five thefts, one minor assault, one serious assault and one assault with intent to rob. There were two armed robberies in 1994 and four...