A government department has been fined £12,250 for breaching GDPR rules.
It’s the first fine to be issued by the Information Commissioner since new data protection legislation was introduced in 2018.
The Department of Home Affairs was fined for failing to comply with the right of access to personal data.
A request to the DHA was made in August last year for personal data contained in an email by the department’s deputy chief executive.
The DHA provided some but not all of the information requested. It said it would not disclose information related to third parties.
But an investigation by the Information Commissioner concluded that the department had not demonstrated that the restriction it had placed on access to the data was ‘necessary and proportionate’.
The Commissioner issued an enforcement notice in December last year requiring the DHA to provide the individual with the personal data they had requested, which it did the following month.
But the investigation found that there had been undue delay in complying with the request, which was handled in piecemeal fashion, with the full information not provided until five months after the request.
An aggravating factor was that the personal data sought was readily available and had been requested in a straightforward and precise way.
The DHA was already subject to an enforcement notice dating back to 2015 over a previous failure to comply with the right of access to personal data.
There were mitigating factors - the department co-operated and complied with the December 2019 enforcement notice.
Legislation
Since the introduction of new data protection legislation in 2018, complaints about failures to comply with the right of access to personal data have resulted in the issue of 13 reprimands, three enforcement notices and the one administrative fine.
Information Commissioner Iain McDonald said: ‘The imposition of an administrative fine is intended to be an effective, proportionate and dissuasive measure in preventing infringements of data protection legislation.
‘In this instance there has been a repeated failure to comply with the fundamental right of access to personal data. An administrative fine has been imposed to dissuade any future infringement.’