After a two-year trial period, the Information Commissioner’s Office is to stick with a policy of minimising the use of financial penalties for the public sector – albeit with “greater clarity on [the] parameters” of this strategy.
The data-protection regulator first announced in summer 2022 that it would be trialling a new “public sector approach” focused on raising standards, rather than issuing fines. Following the conclusion of this trial, and a subsequent review, the ICO has decided to continue with the revised model.
While it has generally avoided monetary punishments in the past two years – which, the watchdog believes, often end up only compounding the harm caused to citizens by the original offence – there has been a marked increase in the use of public reprimands.
About 60 public sector organisations have been scolded in this way since the launch of the new approach, and an update provided this week by commissioner John Edwards said that “we’ve seen significant changes made by organisations following a reprimand”.
He added: “[This ranges] from a local council updating its procedures to prevent inappropriate disclosure of children’s information and an NHS Trust stopping sending bulk emails with sensitive information; to an advisory body improving its security measures to prevent unlawful access and a hospital implementing a decommissioning policy so personal details wouldn’t be lost when filing systems were terminated.”
The two-year trial period concluded in June and the ICO has since been conducting a review of the impact of the approach, which found “that public authorities saw the publication of reprimands as effective deterrents”. This effectiveness was “mainly due to reputational damage and potential impact on public trust, and how they can be used to capture the attention of senior leaders”.
Edwards added: “Central government departments cited increased engagement and positive changes on the back of reprimands, particularly with our regular interaction with the government’s Chief Operation Officers Network. But wider public sector organisations displayed limited awareness, which means we must do more to share best practice and lessons learned.”
Although the modified approach to public bodies has seen reprimands deployed as the primary weapon in the watchdog’s arsenal, “we also used our other regulatory tools when needed, such as issuing an enforcement notice to the Home Office and fining the Ministry of Defence and Police Service of Northern Ireland for breaking data protection law”, Edwards said.
While these penalties added up to a cumulative £1.2m, this figure could have been as high as £23.2m had the ICO not been trialling a new way of working with the public sector.
While the review of the approach found that government entities shared the regulator’s original concerns “around the impact of fines on frontline services, and how it disproportionately affects the budget of smaller organisations… [it] also highlighted potential areas for improvement, specifically how we should make clearer which organisations fall within the scope of the public sector approach and what type of infringements could lead to a fine”.
To help make these improvements – and, ultimately, “provide greater clarity on [the] parameters” of the public sector approach – the data watchdog has launched a consultation process. Until the end of next month, the ICO is inviting feedback “on the scope of the approach and the factors and circumstances that would make it appropriate to issue a fine to a public authority”. The insights gained from this procedure will “inform and finalise our approach”, according to Edwards.
“I’m also committed to improve our engagement beyond central government and to ensure that senior leaders are taking accountability for their role in achieving greater data protection compliance,” he added. “I expect to see more investment of time and resources in protecting people’s information, and I have been assured by the permanent secretary of the Department for Science, Innovation and Technology, on behalf of Whitehall leaders, that they are committed to continuing our engagement on the approach. As we have done with the trial, we will keep the public sector approach under review, and I will reconsider it if necessary.”
Sam Trendall is editor of PublicTechnology, where a version of this story first appeared