swarblaw.co.uk

[Spankymonkey]

What is the best next step if a section 10 DPA notice is ignored by a local authority? 21 days have elapsed, yet the local authority has failed to respond. The letter was addressed to the data controller, but never acknowledged.

Should a letter of claim be sent giving the authority further time under threat of court action? Or is this something that the ICO could enforce?

Are there other alternatives I should consider?

[atticus]

See s10(4) - suggests you need to apply to the Court.

However, I think the ICO can deal with this. Try their helpline, it usually is helpful.

Write a letter to the LA giving a final 7 days to comply?

[b1969]

ICO says it only has jurisdiction to determine whether or not the data controller has complied with its obligation to respond within twenty one days. It takes the view that a decision on the merits can only be made by the court. I'm not sure that's correct as a matter of law (section 42 of the Data Protection Act 1998 requires ICO to make an assessment as to whether it is likely or unlikely that processing has been or is being carried out in compliance with the provisions of the DPA. I can't see anything which ousts ICO from determining whether processing is likely to cause substantial damage or substantial distress (and from taking action to require a data controller to cease, or not begin, such processing)).

Nonetheless, that is the apparent position of the ICO. See this site, where the ICO internal "lines to take" have been uploaded (after they were disclosed in response to an FOI request).

The "line to take" on section 10 is here.

[Spankymonkey]

Most helpful. I thank you both.

As time is of the essence and I would probably have delays getting the ICO to assist in the first instance, I shall first send a letter giving the LA 7 days to respond, under threat of appealing to the ICO.