Image source: Privacymaven, CC BY SA 4.0 Wikimedia Commons
The information commissioner has said that he is sticking with the policy of public reprimands rather than heavy fines for public sector bodies found guilty of serious errors in data protection.
John Edwards has published a statement on his position along with a report on the impact of the policy that came into effect on a trial basis two years ago.
The Information Commissioner’s Office (ICO) has also begun a public consultation on the further development of the policy.
It was introduced on a trial basis in 2022, replacing the emphasis on stiff fines with public reprimands for organisations, and an effort to work proactively with senior leaders across the public sector to encourage data protection compliance, prevent harms before they occur and learn lessons when things have gone wrong.
During the trial around 60 reprimands have been issued to public bodies and made available on the ICO website. Edwards said this has produced noticeable results, with organisations subsequently making significant changes.
Examples include a local authority updating its procedures to prevent inappropriate disclosure of children’s information, and an NHS trust no longer sending bulk emails with sensitive information.
Effective deterrents
“Feedback from the review said that public authorities saw the publication of reprimands as effective deterrents, mainly due to reputational damage and potential impact on public trust, and how they can be used to capture the attention of senior leaders,” Edwards said, adding:
“Reflecting on the past two years and based on the evidence from the review, I have decided to continue with the public sector approach. But I also have listened to the feedback and will provide greater clarity on its parameters.
“That’s why I’m launching a consultation on the scope of the approach and the factors and circumstances that would make it appropriate to issue a fine to a public authority.”
He said the results of the consultation will be used to refine the approach.
The ICO retained the right to impose fines for data protection failings, and in the two-year period these totalled £1.2 million, compared to a possible high of £23.2 million under the previous policy.
Negative impact
The review showed that central government and the wider public sector echoed the sentiment around the negative impact of fines on frontline services, and how they disproportionately affect the budgets of smaller organisations and devolved administrations.
It also highlighted potential areas for improvement, specifically how to make clearer which organisations fall within the scope of the public sector approach and what type of infringements could lead to a fine. It also showed there is more work to be done to reach wider public sector organisations and deliver targeted interventions.
“Central government departments cited increased engagement and positive changes on the back of reprimands, particularly with our regular interaction with the government’s Chief Operation Officers Network,” Edwards said. “But wider public sector organisations displayed limited awareness, which means we must do more to share best practice and lessons learned.”
He added: “I’m also committed to improving our engagement beyond central government and to ensuring that senior leaders are taking accountability for their role in achieving greater data protection compliance.
“I expect to see more investment of time and resources in protecting people’s information, and I have been assured by the permanent secretary of the Department for Science, Innovation and Technology, on behalf of Whitehall leaders, that they are committed to continuing our engagement on the approach.”