Healthcare body found to have not complied with data subject access request
Manx Care has been ordered to review how it processes requests for personal data after it was found to have failed to comply with regulations.
The Information Commissioner has issued an enforcement notice to the healthcare provider following a complaint from a former Manx Care employee who submitted a subject access request.
The commissioner found there were a number of infringements in how the request was handled by Manx Care, including that Manx Care failed to respond without undue delay, and that the searches were poorly focussed, not reasonable or insufficient.
The review also says Manx Care failed to evidence improvement to compliance after being issued with an enforcement notice for similar reasons in August 2021.
Alexandra Delaney-Bhattacharya revealed several further complaints have been made to her office since that notice was issued, showing Manx Care has not been able to bring its processing into compliance.
The investigation found the request for data was specific and clear, but Manx Care failed to undertake reasonable and focussed searches, resulting in a large quantity of irrelevant results.
Manx Care had also sought additional ID information from the subject; the commissioner said it was difficult to understand why, given the nature of the request.
The individual requesting the information did not receive their data until four months after their request, something Dr Delaney-Bhattacharya described as "a significant delay that should have been easily prevented."
Manx Care now has 30 days to comply with the enforcement notice; failure to comply could lead to a penalty and the matter being referred to the High Court.