
ORG urges ICO to revise public sector enforcement approach

The Open Rights Group is urging the Information Commissioner’s Office to revise its light-touch approach to public sector data protection issues, arguing that its experimental policy of limiting its enforcement actions to reprimands and notices, rather than issuing fines, is allowing bad practices to continue largely unabated.

The Information Commissioner’s Office (ICO) approach of only fining public sector organisations “in the most serious cases” is under fire from privacy campaigners at Open Rights Group (ORG), who say there is an “urgent need” to test the regulator’s claims that fines do not act as an effective deterrent for public sector bodies.

The campaigners say the ICO’s approach of limiting fines to public sector bodies for only the most serious data protection issues is “not working”, as problems often persist well after other, less-severe enforcement actions have been taken.

“In an increasingly digital world, data protection is vital for our personal security. The ICO’s reluctance to take enforcement action, alongside its policy of not challenging public sector organisations where needed, is not working,” said ORG chief executive Jim Killock.

“As we see the development of AI technology and its increased use by public sector organisations, we need strong data protection laws and a strong regulator who will act as the first line of defence for the British public.”

In July 2022, the ICO adopted a “revised” two-year trial approach to working with public authorities, with commissioner John Edwards arguing in an open letter that fines are ineffective in ensuring data protection compliance because of how they indirectly punish victims of data breaches “in the form of reduced budgets for vital services”.

In July 2024, the ICO then published its Annual report and financial statements for the 2023-24 financial year, in which the data regulator reviews its performance over that period. It shows where the ICO has investigated public and private bodies, and the proportion of these investigations that have resulted in reprimands, enforcement notices (that obligate recipients to change their data practices), or fines.

In terms of its actions against public sector bodies for data protection breaches, the ICO issued one fine (to the Ministry of Defence over a data leak that exposed the identities of 245 Afghans), two enforcement notices (one regarding the loss of control of child abuse case files at the Crown Prosecution Service, and another against the Home Office for its GPS tagging of refugees), and 28 reprimands.

Examples of these reprimands include one for Thames Valley Police for disclosing a witness’s address to suspected criminals, which forced the person to move house; one for the University Hospital of Derby and Burton NHS Trust for failing to process outpatient data in a timely fashion, which delayed medical treatment for some patients by up to two years; and one for West Midlands Police over multiple incidents in which data mix-ups meant officers attended the wrong addresses.

Other instances include two reprimands for the Ministry of Justice: one over the disclosure of adoption details against court instructions, and another for leaving four bags of confidential waste in an unsecured holding area in a prison, to which both prisoners and staff had access.

Given the number of reprimands handed out for clearly harmful data practices in comparison to the low number of fines and enforcement notices, the ORG is therefore calling on the ICO to use its full powers against public sector organisations, including enforcement notices and fines where necessary.

Computer Weekly contacted the ICO about the ORG’s analysis and arguments, and was directed to an ICO statement on its public sector approach from June 2024.

“While we have continued to issue fines to public bodies where appropriate, we have also been using our other regulatory tools to ensure people’s information is handled appropriately and money isn’t diverted away from where it’s needed the most,” it said.

“We will now review the two-year trial before making a decision on the public sector approach in the autumn. In the meantime, we will continue to apply this approach to our regulatory activities in relation to public sector organisations.”

On 20 November 2022, in reference to the ICO’s private sector enforcement, information commissioner John Edwards told The Times that the large financial penalties often issued by European regulators tend to result in lengthy legal battles, which could drain regulators’ resources and ultimately weaken their ability to enforce meaningful changes.

“I don’t believe that the quantum or volume of fines is a proxy for impact,” he said. “You know, they get a lot of headlines. It’s easy to compile league tables, but I actually don’t believe that approach is necessarily the one that has the greatest impact.”

He added that the ICO prefers to engage with companies to encourage compliance rather than issue fines worth hundreds of millions of pounds.

‘Reprimands not good enough’

According to an ORG analysis of the ICO’s latest annual report, the instances of enforcement action that have taken place show the gravity of the public sector’s poor data practices, and there is little evidence that reprimands lead to genuine change despite the increased reliance on them.

“The ICO should use the full range of its enforcement powers in the public sector – until and unless it can prove alternative approaches result in a substantial improvement in data protection compliance,” said ORG in one of its recommendations for the ICO.

It added that the regulator should publish “all evidence resulting from the two-year ‘public sector approach trial’ where public sector organisations were only fined as a last resort”, and that this should be followed up by an externally conducted independent audit to validate the findings.

ORG further added that there should be amendments to the new Labour government’s proposed Data Use and Access Bill (DUAB), so that the ICO is banned from issuing more than one reprimand to an organisation: “Any subsequent breaches should result in an escalation of action – not additional ‘final reprimands’ that both undermine the premise of the initial reprimand and have little impact on behaviour.”

The DUAB should further be amended to require the ICO to publish a league table of public sector bodies’ subject access request (SAR) performance, so that organisations which consistently fail to respond within the statutory time frame can be prioritised for enforcement action.

“SARs are an important vehicle for ensuring individuals’ privacy and safety,” it said. “Since 2018, however, the ICO has also been attempting to get three authorities to deal with their SAR backlogs without success. This year, six years after the problem first became apparent, Plymouth City Council, Devon and Cornwall Police and Dorset Police were each sent a ‘final reprimand’.”

This year marks the first time the number of reprimands has been published by the ICO in an annual report, which it committed to doing in December 2022 after a freedom of information request from Jon Baines – a senior data protection specialist at law firm Mishcon de Reya – revealed the regulator had failed to disclose the majority of the 42 reprimands it had issued to public sector bodies between May 2018 and November 2021.

A follow-up freedom of information request from Baines in June 2022 found a further 15 reprimands issued since November 2021 that had not been publicly disclosed up to that point.
