ICO to cut back on fines for public sector data breaches

Information commissioner John Edwards sets out a revised approach to how the ICO handles data breaches in the public sector, saying fining victims risks punishing the public twice over

The UK’s newly appointed information commissioner, John Edwards, has written to public sector bodies across the UK to set out a revised approach to how the Information Commissioner’s Office (ICO) works with the public sector, and to inform them that, for the next two years at least, the regulator will cut back on issuing fines.

Edwards said that while he wants to be more proactive about raising data protection standards in the public sector, he remains responsible as a regulator for enforcing data protection law. In doing so, however, his role is not only to punish, but also to remedy harm and to deter future breaches.

“I am not convinced large fines on their own are as effective a deterrent within the public sector,” he wrote. “They do not impact shareholders or individual directors in the same way as they do in the private sector, but come directly from the budget for the provision of services.

“The impact of a public sector fine is also often visited upon the victims of the breach, in the form of reduced budgets for vital services, not the perpetrators. In effect, people affected by a breach get punished twice.”

Edwards added: “I am therefore writing to you today to confirm that for the next two years, the ICO will also be trialling an approach that will see a greater use of my discretion to reduce the impact of fines on the public.

“In practice, this will mean an increase in public reprimands and the use of my wider powers, including enforcement notices, with fines only issued in the most egregious cases.”

However, said Edwards, the ICO’s overall approach to investigations will not change, and the regulator will also do more to publicise data breaches, and in particular will make people aware of the fine that could or would have been levied.

“But this is not a one-way street. In return, I expect to see greater engagement from the public sector, including senior leaders, with our data protection agenda,” he wrote.

“I also expect to see investment of time, money and resources in ensuring data protection practices remain fit for the future. This is a two-year trial and if I do not see the improvements that I hope to see, then I will look again.”

Since taking office in January – the previous incumbent, Elizabeth Denham, having had her appointment extended due to the Covid pandemic – Edwards has been conducting a listening exercise across the UK, and said his decision-making has been informed by the feedback he has received.

His proposed revised approach will see the ICO work with public sector leadership to encourage compliance, prevent breaches or harms before they happen, and learn from when things go wrong.

To achieve this, said Edwards, all concerned must work to address the underlying issues, whether that be failure to observe data protection by design principles when developing new services, or not having processes in place to stop sensitive information being sent to the wrong people – a frequent cause of public sector data breach incidents in particular.

He reiterated that non-compliance will still be called out, and enforcement action taken when necessary, but that going forward, this will play second fiddle to raising data protection standards and stopping breaches before they happen.

Building on the work already done in the National Data Strategy, Edwards also revealed that he has secured a commitment from the Cabinet Office and the Department for Digital, Culture, Media and Sport to set up a senior leadership group to encourage data protection compliance at Westminster. He said he hopes to begin similar discussions with the wider public sector and the devolved administrations in the near future.