University of Leicester defies Information Commissioner (and gets away with it)

The University of Leicester has refused to implement a decision issued by the Information Commissioner's Office (ICO) recommending that the University should provide me with my personal data held in manual files, which the ICO has found to constitute a relevant filing system containing a single category of information, namely, employment matters pertaining to me. 

The data includes job application material such as references, and documentation related to grievances lodged by me and the associated legal proceedings against the University and others.  (On my legal proceedings, see on this website:  'About the University of Leicester', 21 January 2010;  'Legal and other costs - the University of Leicester and others', 17 April 2010;  'Professor Bob Burgess (Vice-Chancellor, University of Leicester) and the honours system', 23 January 2011.)

The ICO's recommendation was issued after investigation of a complaint received from me in 2012, the ICO concluding that the University was likely to have breached the Data Protection Act in withholding the personal data when I presented a subject access request.  The ICO also asked the University to take steps to prevent the situation from happening again.

The University responded by requesting a review of the ICO's decision, arguing that the information was unstructured personal data related to personnel matters and as such was exempt from disclosure by virtue of section 33A of the Data Protection Act.  Having informed the ICO that since it did not agree with the ICO's assessment it did not intend to disclose the information to me, the University subsequently promised that it would 'clearly implement any final decision fully'.  But when the final decision, upholding the earlier decision, was delivered, the University reneged on that promise, informing me by letter that it would not supply the data.

The ICO's hands are not tied in such a situation:  it could serve an enforcement notice on the data controller requiring it to disclose the information to the data subject.  (Failure to comply with an enforcement notice is a criminal offence.)  But the ICO has chosen not to do this, also not responding to certain of my representations about its position in this regard or to questions about the content of a telephone conversation between it and the University just before the University sent me the letter mentioned above advising that it would not disclose the data.  (How can the ICO promote openness if it struggles to apply the concept to its own operations?)

In addition, the ICO has not adequately addressed other problems such as apparent unlawful disclosure by the University of my sensitive personal data.

The strength of the ICO's commitment to promoting the relevant standards has been questioned by Members of Parliament and others in various contexts.  Matters raised by MPs have included concerns relating to the ICO's investigation into blacklisting in the construction industry.

Glynis M. Truter