SCL Elections, the parent firm of Cambridge Analytica, has received a fine after failing to comply with an enforcement notice from the ICO. The enforcement notice obliged SCL Elections to respond to a subject access request made by a US citizen, who had complained to the ICO after SCL Elections refused to disclose all personal data he was entitled to under the Data Protection Act 1998 (now superseded by the GDPR and the Data Protection Act 2018). An ICO enforcement notice requires organisations to take certain action in the event of a breach of the law. Failure to comply is a criminal offence.
The action by the ICO is significant as it demonstrates the importance of complying with subject access requests and highlights that individuals from any country in the world have the right to make a subject access request where their personal data are being processed by an organisation in the EU/UK. It is also a component in the ICO’s ongoing investigation into the use of data analytics for political purposes.
What happened?
Professor David Carroll, a US academic, made a subject access request to ascertain what information the company held about him and how his personal data had been used to generate a “voter profile”. SCL Elections disclosed some of this data, but not everything Carroll was entitled to receive, such as data used to create the voter profile.
This led to the ICO’s enforcement notice in May 2018, which ordered SCL Elections to respond fully to Carroll’s subject access request. However, the day prior to the enforcement notice being issued, SCL Elections went into administration. At a court hearing, the company’s administrators pled guilty to the company breaching the Data Protection Act 1998. In relation to this incident, the company received a fine of £15,000 and was also required to pay £6,000 in costs and a £170 victim surcharge.
How is this relevant to your organisation?
This case firstly illustrates the importance the ICO places on subject access requests. If your organisation has not and/or does not comply with such a request, the ICO may take action.
Elizabeth Denham, the Information Commissioner, has stated: “This prosecution, the first against Cambridge Analytica, is a warning that there are consequences for ignoring the law…Organisations that handle personal data must respect people's legal privacy rights. Where that does not happen and companies ignore ICO enforcement notices, we will take action."
The case also serves as a reminder that all individuals, wherever they live, have rights under UK data protection legislation where their personal data are processed in the UK. In this case, SCL Elections refused Carroll’s subject access request on the basis of his US citizenship, claiming Professor Carroll "had no right to make an SAR [subject access request] any more than a member of the Taliban sitting in a cave in the remotest part of Afghanistan.” SCL Elections clearly erred in taking this approach.
What else must your organisation know about subject access requests?
To ensure that you comply with the rules on subject access requests, you should be aware of the following:
- Since the GDPR came into force, the time to respond has shortened – you must respond within one calendar month.
- Subject access requests may be made verbally and do not require to be in writing to be valid. Therefore, it is good practice to record SARs received, especially those requests that are not in writing.
- Requests need not be directed at a specific individual/department: a valid SAR can be directed at anyone in your organisation. They can even be made via social media and without using the phrase “subject access request.”
- You may no longer charge a fee unless the request is manifestly unfounded or excessive.
- Aside from ICO enforcement action, individuals have the right to seek compensation for a failure to comply with the rules.
Given the potential consequences for non-compliance, you should have a Subject Access Request Policy and Procedure and ensure that all staff are aware of the rules and the timescales involved and to whom requests should be passed in your organisation.
For more information, visit our GDPR & Cyber Security page.