As set out in a recent open letter, the UK’s data regulator, the Information Commissioner’s Office (ICO), is trialling a fresh approach to data breach enforcement against public authorities. It intends to impose fines only in the most serious cases and, even then, to reduce the level of those fines to lessen the potential impact on the provision of public services.
We look at what’s changing and what to expect next.
What’s changing?
The current Information Commissioner has only been in post since the start of this year but is wasting no time in seeking to usher in a new chapter in the ICO’s relationship with public authorities.
The ICO has a range of enforcement powers which can be used in the event of a data protection breach, such as an incident in which personal data is lost or sent to the wrong recipient. Those powers include imposing a monetary penalty (a fine). However, according to his recent open letter to public authorities, the Information Commissioner is “not convinced that large fines on their own are as effective a deterrent within the public sector”, with the impact of public sector fines often “visited upon the victims of the breach, in the form of reduced budgets for vital services, not the perpetrators”.
Therefore, whilst the ICO will continue to investigate data breaches and will follow up with organisations to ensure that the required improvements are made, it will trial a new approach over the next two years, aimed at reducing the impact of fines on public authorities.
In practice, this will mean:
- Fines will only be issued against public authorities in the most ‘egregious’ (i.e. most serious) cases
- As a consequence, the ICO is likely to use alternatives to fines more regularly, including public reprimands and enforcement notices
- Where a fine is issued against a public authority, the ICO will use its discretion to set it below the level that would have been imposed for similar conduct in the private sector. For wider learning, its decision notices will also state what level of fine the case would have attracted had it not involved a public authority
Importantly, however, the Information Commissioner’s letter underlines that, ‘in return’, the ICO expects to see greater engagement by public sector senior leaders in raising data protection standards, including investment of time, money and resources into ensuring that data protection practices remain fit for the future.
What next?
As set out in the ICO’s press release on this, the new approach has already been applied in two cases involving NHS bodies: in one, a fine of £784,400 was reduced to £78,400 and, in the other, a fine of £749,856 was replaced under the new approach by a public reprimand.
These cases are likely to set the pattern going forward: fewer data breach fines for public authorities and, where fines are issued, lower amounts.
However, the Information Commissioner is keen to underline the importance of raising data protection standards across the public sector, supported by the sharing of good practice and lessons learned. The ICO wants to work more proactively with public authorities to achieve this. The detail of how it will do so has yet to be set out, although the ICO says it has received a commitment from the Cabinet Office and the Department for Digital, Culture, Media and Sport to create a cross-Whitehall senior leadership group to encourage compliance with high data protection standards.
The Information Commissioner’s open letter concludes with a stark reminder that this new approach to enforcement action for public authority data breaches is a trial and “if I do not see the improvements that I hope to see, then I will look again”.
While these recent developments may be of some comfort to public sector organisations, if you find yourself dealing with a data breach, or want to discuss how you can increase your data protection standards, our specialist public sector information law team can help.