After a two-year trial in which it has avoided issuing financial penalties to public sector entities, the Information Commissioner’s Office is to review the impact of this strategy before deciding how to proceed.
The ICO first announced in June 2022 that it would be adopting a “revised approach” to working with the public sector, in which the watchdog would focus on supporting organisations to raise data-protection standards. Concurrently, the regulator said that it would generally avoid fining public bodies – but would increase the use of formal public reprimands for compliance breaches.
In an open letter announcing the new model, commissioner John Edwards explained that “I am not convinced large fines on their own are as effective a deterrent within the public sector”.
“They do not impact shareholders or individual directors in the same way as they do in the private sector but come directly from the budget for the provision of services,” he added. “The impact of a public sector fine is also often visited upon the victims of the breach, in the form of reduced budgets for vital services, not the perpetrators. In effect, people affected by a breach get punished twice.”
The intention was to follow the revised approach for two years, and then review the impact. With the trial period now having passed, the ICO has announced that this assessment will now begin.
The watchdog will continue to follow the standards-focused approach for the time being, before providing details of its future plans in the coming weeks.
“In June 2022 we revised our approach to working with public sector organisations and started a two-year trial, as set out in our open letter at the time,” the ICO said in a statement.
“While we have continued to issue fines to public bodies where appropriate, we have also been using our other regulatory tools to ensure people’s information is handled appropriately and money isn’t diverted away from where it’s needed the most.
“We will now review the two-year trial before making a decision on the public sector approach in the autumn. In the meantime, we will continue to apply this approach to our regulatory activities in relation to public sector organisations.”
In an interview with CSW's sister title PublicTechnology last year – about 15 months into the trial period – the ICO’s deputy commissioner for regulatory supervision Stephen Bonner said that the regulator would be “good scientists” in assessing the impact of the revised approach and its efficacy going forward.
But he added that the – anecdotal – evidence so far had suggested that, without the spectre of financial losses looming over every mistake, organisations had been less likely to take an approach of “how do we avoid the fine, rather than how do we get to a good outcome?”.
“It also shows we understand the pressures they’re under and recognise that funding may be very tight, and therefore things that might impact on that funding further may not be the most effective use of resources,” Bonner said.
“Instead: can we get them to the outcome that they need? And can they then help others to do that? Because it’s not just cooperation with us – it’s cooperation with the ecosystem, to raise standards everywhere. That is vital. And cover-ups don’t help anyone.”