ICO changes approach to public sector enforcement

01/07/22

Mark Say Managing Editor

Data protection key on keyboard
Image source: istock.com/Abluecup

The Information Commissioner’s Office (ICO) has set out plans to place more of an emphasis on warnings, reprimands and enforcement notices rather than fines in dealing with the public sector.

Information Commissioner John Edwards has outlined the approach in an open letter to public authorities, saying that in practice it will involve an increased use of the ICO’s wider powers.

It will be trialled over the next two years.

When a fine is considered, the decision notice will give an indication of the amount of the fine the case would have attracted. This is intended to provide information to the wider economy about the levels of penalty others can expect from similar conduct.

Additionally, the ICO will be working more closely with the public sector to encourage compliance with data protection law and prevent harms before they happen.

Cross-Whitehall group

The organisation said it has received a commitment from the UK Government, specifically from the Cabinet Office and the Department for Digital, Culture, Media and Sport, to create a cross-Whitehall senior leadership group to encourage compliance with high data protection standards.

It will also engage with the devolved administrations and the wider public sector to determine the most effective way to deliver these improvements.

This revised approach is just one of the initiatives that will be set out in the coming weeks as part of ICO25 – the ICO’s new three-year strategic vision – to empower organisations to innovate while using people’s data responsibly.

Edwards said: “I want to ensure my office remains a pragmatic, proportionate and effective regulator focused on making a difference to people’s lives. That means taking a more proactive and targeted approach with public authorities to ensure they are looking after people’s information while supporting their communities.”

In light of the change, the ICO has issued a reduced fine of £78,400 to Tavistock and Portman NHS Foundation Trust for disclosing 1,781 email addresses belonging to adult gender identity patients.

The 2019 breach happened because the trust failed to use the ‘Bcc’ field and, within 30 minutes of the mailing, a screenshot of the email was shared on social media including the email addresses of some of the people affected.

Blood and transplant reprimand

Another recent ICO enforcement action is a reprimand issued to the NHS Blood and Transplant Service, after it inadvertently released untested development code into a live system for matching transplant list patients with donated organs in August 2019.

This error led to five adult patients on the non-urgent transplant list not being offered transplant livers at the earliest possible opportunity. The organisation remedied the error within a week, and none of the patients involved experienced any harm as a result.

Commenting on the two cases, Edwards said: “My office worked with both organisations to improve their data protection standards and practices. We used different enforcement tools but, crucially, both resulted in changes that better protect the public.”
