The Information Commissioner’s Office (ICO) has said it will take a more lenient approach to public sector organisations as part of its new three-year strategic vision.
This new strategy will see use of the Commissioner’s discretion to reduce the potential economic effect that GDPR fines can have, coupled with an approach that will focus more on sharing lessons learned and promoting good practice. The regulator said that this new strategy will be trialled over the next two years.
UK unveils Data Reform Bill, scrapping parts of GDPR and promising £1 billion in savings DCMS lifts the lid on UK GDPR reforms, including ICO restructure GDPR fines: Where does the money go?
In practice, this will mean an increased use of its wider powers, including warnings, reprimands, and enforcement notices, with fines only issued in the most serious cases, the authority revealed this week. It will also mean a number of existing fines against public sector organisations will be substantially reduced, in some cases as much as 90%.
When a fine is considered, the ICO’s decision notice will indicate the amount the fine would have attracted. It hopes this will provide information to the wider economy about the levels of penalty others can expect from similar conduct.
The regulator is also aiming to work more closely with the public sector to encourage compliance with data protection laws and prevent harms before they happen.
“I want to ensure my office remains a pragmatic, proportionate and effective regulator focused on making a difference to people’s lives,” said John Edwards, the UK Information commissioner. “That means taking a more proactive and targeted approach with public authorities to ensure they are looking after people’s information while supporting their communities.”
The UK government has also committed to create a cross-Whitehall senior leadership group to encourage compliance with high data protection standards. The ICO is also going to engage with the Devolved Administrations and the wider public sector to determine the most effective way to deliver these improvements.
The revised approach is part of a set of initiatives known as ICO25, its new three-year strategic vision, which aim to empower organisations to innovate while using people’s data responsibly.
As part of this change, the regulator has issued a reduced fine of £78,400, down from £784,800, to Tavistock and Portman NHS Foundation Trust for disclosing 1,781 email addresses belonging to adult gender identity patients in September 2019.
RELATED RESOURCE
Understanding the economics of in-cloud data protection
Data protection solutions designed with cost optimisation in mind
Additionally, the ICO issued a public reprimand to NHS Blood and Transplant Service, after they inadvertently released untested development code into a live system for matching transplant list patients with donated organs in August 2019. If the revised approach had not been in place, the organisation would have received a fine of £749,856.
“My office worked with both organisations to improve their data protection standards and practices. We used different enforcement tools but, crucially, both resulted in changes that better protect the public,” said Edwards.
This new approach follows the reveal of the UK government's Data Reform Bill, a proposed law that will rework the General Data Protection Regulation (GDPR) to be more flexible and less stringent, according to the government. The bill is set to scrap what the government called “red tape and pointless paperwork," and will also include a restructure of the ICO.
This restructure will force the ICO to consider factors like economic growth, innovation, and competition when making its judgements, instead of solely following the letter of the law.
-
Asus ZenScreen Fold OLED MQ17QH reviewReviews A stunning foldable 17.3in OLED display – but it's too expensive to be anything more than a thrilling tech demo
-
How the UK MoJ achieved secure networks for prisons and offices with Palo Alto NetworksCase study Adopting zero trust is a necessity when your own users are trying to launch cyber attacks
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failuresNews The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies
-
Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firmsNews Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
-
ICO reprimands Coventry school over repeated data protection failuresNews The ICO said the academy trust failed to follow previous guidance, which caused a serious data breach
-
ICO dishes out fine to HelloFresh for marketing spam campaignNews HelloFresh failed to offer proper opt-outs, the ICO said, and customers weren’t warned their data would be used for months after they cancelled
