ICO: The public sector isn’t getting 'an easier ride' with GDPR penalties
The UK’s information commissioner outlines his new approach to regulation and why the most constructive punishments will always be favoured


The Information Commissioner's Office (ICO) has announced that it will be changing its approach to punishing data protection offences committed within the UK’s public sector.
Information Commissioner John Edwards said that the organisation’s regulatory approach will focus more on fixing the underlying issues, and that issuing monetary penalties is ultimately counterproductive in many cases.
Citing a case in which he was advised to fine an NHS trust, Edwards told delegates at the National Association of Data Protection Officers (NADPO) annual conference on Tuesday that fining the trust would simply have harmed the quality of service given to patients, punishing them for the breach.
“That fine would have come directly from the money available to that service to deliver services to the victims of the UK GDPR non-compliance,” he said. “We would further punish the very victims whose rights we are there to uphold.”
The same ‘gentler’ approach will be applied across all areas of the public sector, not just the emergency or other critical services.
Issuing fines to organisations in central government is often also ineffective, Edwards said, and previous cases have shown little evidence to support the idea that fines lead to better outcomes or overall compliance.
The Cabinet Office was fined £500,000 by the ICO in 2021 for the 2019 New Year’s Honours breach, in which the home addresses of more than 1,000 individuals were leaked.
After an appeal, the fine was reduced to £50,000, a level judged more proportionate given the economic challenges the public sector currently faces.
The Department for Education (DfE) most recently escaped a monetary penalty for an incident in November in which school pupils’ learning records were used by gambling companies to conduct age-verification checks.
Edwards said this would usually garner a £10m fine but the new approach took into consideration that the DfE enacted all the required changes to prevent future data protection breaches of this kind before the ICO could even issue the instruction to do so.
As a result, the department received just a formal reprimand and no fine, a punishment the ICO deemed appropriate given the department’s proactivity in remediating the issues.
“Some commentators have suggested this might be a sign of weakness, or us ‘going easy’ on government. It's not,” said Edwards at the conference.
“My job is to make sure we’re working in the areas that will have the greatest impact. This doesn’t mean always reaching for the most flashy, headline-grabbing action that comes after the fact; sometimes it’s that behind-the-scenes work, the guidance and advice that we can offer businesses to encourage compliance and to help their understanding of the law and their obligations under it."
Monetary penalties will be reserved for organisations that have the potential to harm the most people. Edwards pointed to the recent fines against catalogue retailer Easylife - one worth £130,000 for “predatory marketing calls” and another worth £1.35 million for profiling customers before illegally calling them.
This is an example, Edwards said, of a case where fines can promote compliance - hurting money-making enterprises by impeding their money-making potential.
Further regulatory changes
Another change to Edwards’ approach is to begin publishing all reprimands to the ICO’s website, “unless there is a good reason not to” - something it currently does not do.
This is for the purposes of promoting accountability and transparency - the public and wider economy should be aware of any transgressions and why the ICO issued the punishment it chose.
The non-monetary enforcement actions available to the ICO include warnings (issued when violations are likely to be committed), reprimands (formal expressions of disapproval of conduct where the threshold for a fine has not been met), and compliance orders (instructions to offenders that changes must be made to re-establish compliance).
Edwards also said he wanted the regulatory process to be more predictable and certain, and the increased emphasis on transparency would help inform organisations what the law requires of them.
In addition, the new approach aims to be more flexible. Tied with the ideas of certainty and predictability, Edwards believes that organisations should be free to innovate their products and services with confidence that they still meet compliance criteria.
The ICO will soon be launching a new advice service dedicated to supporting organisations with planned innovations, such as new business models, in order to encourage further investment.
“Our advice service will offer direct, fast-paced answers and support to those looking to move quickly and innovate within the guardrails of the law,” he said. “This will do more to improve outcomes for the consumers of those services than aggressive regulatory action after the fact would, after the harm has been done.”

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.