Information commissioner John Edwards has asserted that his office’s new approach to working with public bodies does not mean the watchdog is now “going easy on government”.
Earlier this year Edwards trailed a new strategy to working with the public sector, in which the regulator would focus on supporting organisations in raising data-protection standards. The amended approach would likely mean fewer and smaller fines – but more public reprimands – for those failing to meet their obligations.
In a speech delivered last week, Edwards illustrated the impact of the new approach by citing a recent reprimand issued to the Department for Education for a breach that enabled third parties to gain unlawful access to the personal data of 28 million children.
The commissioner, who was addressing the annual conference of the National Association of Data Protection Officers, said that the ICO might previously have punished such a breach with a fine of up to £10m.
He added: “Some commentators have suggested this [new approach] might be a sign of weakness, or us ‘going easy’ on government. It's not.”
Edwards said that bemoaning a perceived lack of enforcement on was now “commonly levied criticism” on the ICO.
But he claimed that these accusations are “heavily laden with an assumption – an incorrect assumption, in my view – of what enforcement is”.
“There’s nothing in the law or in contemporary regulatory theory that says that enforcement must equal fines. Enforcement happens across a spectrum. Rather than being one thing, it’s a series of graduated responses to non-compliance,” he said.
The data protection chief added that fines were not a meaningful measure of his office’s success or impact, and “we need to be regulating for outcomes, not outputs”.
“Let’s go back to the DfE case,” he said. “There we worked closely with them on remedial action after the breach was discovered. By the time we got to the end of our investigation, the DfE had taken all of the necessary steps to ensure a breach of this scale should never happen again. Going to the next step, and issuing an enforcement notice in this case wasn’t necessary or appropriate because it would have simply told the DfE to do what they had already done.”
‘Money-go-round’
In the case of enforcing data-protection regulations in central government, imposing financial penalties simply creates a “money-go-round, moving funds from one department to the Treasury and then to the consolidated account”.
In the wider public sector, meanwhile, issuing fines may cause additional harm for those impacted by the original offence.
“I reviewed our position after I received a recommendation to fine an NHS trust, and asked about the funding model,” Edwards said. “That fine would have come directly from the money available to that service to deliver services to the victims of the UK GDPR non-compliance. We would further punish the very victims whose rights we are there to uphold.”
The commissioner added that, beyond the public sector, “monetary penalties remain an important regulatory tool” and will continue to be imposed for the most harmful breaches, “or where a business has profited from its non-compliance”.
The ICO is also changing its approach to reprimands which were previously not typically published – but will now be made publicly available in all instances, “unless there is a good reason not to”.
This policy – which has already resulted in high-profile public censures for several government departments and local authorities – will also be retroactively applied to all reprimands issued from the start of 2022 onward.
“Firstly, [this is] about accountability,” Edwards said. “Members of the public, and those affected by a breach or infringement, are entitled to know that we’ve held the business or organisation to account, and that they’ve changed their practices as a result. Secondly, the rest of the economy need to know what’s happened, why it infringed the UK GDPR or another law, and what we did about it. In line with the revised public sector approach, when a fine was considered but we issued a reprimand to a public authority, we will give an indication of the amount of the fine. By saying that we would have fined DfE £10 million under our previous system, we are signalling a ‘tariff’ to those who might be thinking about taking a shortcut to save money on compliance. This shows that, in their case, it might well be a false economy. ”
Sam Trendall is editor of CSW's sister title PublicTechnology, where this story first appeared