HomeInsightsInformation Commissioner’s Office sets out revised approach to public sector enforcement

Article by

The ICO has set out a revised approach to working more effectively with public authorities. This approach, which is outlined in an open letter from the UK Information Commissioner John Edwards to public authorities, will see use of the Commissioner’s discretion to reduce the impact of fines on the public sector coupled with better engagement, including publicising lessons learned and sharing good practice. It will be trialled over the next two years.

In practice, this will mean an increased use of the ICO’s wider powers, including warnings, reprimands and enforcement notices, and fines will only be issued in the most serious cases.

When a fine is considered, the decision notice will give an indication of the amount of the fine the case would have attracted. This will provide information to the wider economy about the levels of penalty others can expect from similar conduct.

Additionally, the ICO will be working more closely with the public sector to encourage compliance with data protection law and prevent harms before they happen.

In support of this approach, the ICO has received a commitment from the UK Government, specifically from the Cabinet Office and the Department for Digital, Culture, Media and Sport, to create a cross-Whitehall senior leadership group to encourage compliance with high data protection standards. The ICO will also engage with the Devolved Administrations and the wider public sector to determine the most effective way to deliver these improvements in these areas.

The ICO says that this revised approach is just one of the initiatives that will be set out in the coming weeks as part of “ICO25”, the ICO’s new three-year strategic vision, which it will set out on 14 July 2022, to empower organisations to innovate while using people’s data responsibly.

In light of this change, the ICO has issued a reduced fine of £78,400 to Tavistock and Portman NHS Foundation Trust for disclosing 1,781 email addresses belonging to adult gender identity patients. The 2019 breach happened because the trust failed to use the “Bcc” field and, within 30 minutes of the mailing, a screenshot of the email was shared on social media including the email addresses of some of the people affected.

Another recent ICO enforcement action includes a reprimand issued to NHS Blood and Transplant Service, after they inadvertently released untested development code into a live system for matching transplant list patients with donated organs in August 2019. This error led to five adult patients on the non-urgent transplant list not being offered transplant livers at the earliest possible opportunity. The organisation remedied the error within a week, and none of the patients involved experienced any harm as a result. To read the ICO’s news release in full, click here.