Published 7 July 2022
As set out in a recent open letter, the UK’s data regulator, the Information Commissioner’s Office (ICO), is trialling a fresh approach to data breach enforcement against public authorities. It intends to impose fines only in the most serious cases and, even then, to reduce the level of those fines to lessen the potential impact on the provision of public services.
We look at what’s changing and what to expect next.
The current Information Commissioner has only been in post since the start of this year but is wasting no time in seeking to usher in a new chapter in the ICO’s relationship with public authorities.
The ICO has a range of enforcement powers which can be used in the event of a data protection breach, such as incidents involving personal data being lost or sent to the wrong recipient. This includes a power to impose a monetary penalty. However, according to his recent open letter to public authorities, the Information Commissioner is “not convinced that large fines on their own are as effective a deterrent within the public sector”, with the impact of public sector fines often “visited upon the victims of the breach, in the form of reduced budgets for vital services, not the perpetrators”.
Therefore, whilst the ICO will continue to investigate data breaches and will follow up with organisations to ensure the required improvements are made, it will be trialling a new approach over the next 2 years, aimed at reducing the impact of fines on public authorities.
In practice, this will mean:
Importantly, however, the Information Commissioner’s letter underlines that, ‘in return’, the ICO expects to see greater engagement by public sector senior leaders in raising data protection standards, including investment of time, money and resources into ensuring that data protection practices remain fit for the future.
As set out in the ICO’s press release on this, the impact of the new approach has already been felt in two cases involving NHS bodies - in one case the ICO issued a reduced fine of £78,400 (down from £784,400) and, in the other, a fine of £749,856 was reduced under the new approach to a public reprimand.
These cases are likely to reflect the position going forward - i.e. fewer data breach fines for public authorities and, when they do happen, lower figures involved.
However, the Information Commissioner is keen to underline the importance of data protection standards being raised across the public sector, supported by the sharing of good practice and lessons learned. The ICO wants to work more proactively with public authorities to achieve this. The detail on how it will do so is yet to be developed, although the ICO says it has received a commitment from the Cabinet Office and the Department for Digital, Culture, Media and Sport to create a cross-Whitehall senior leadership group to encourage compliance with high data protection standards.
The Information Commissioner’s open letter concludes with a stark reminder that this new approach to enforcement action for public authority data breaches is a trial and “if I do not see the improvements that I hope to see, then I will look again”.
While these recent developments may be of some comfort to public sector organisations, if you find yourself dealing with a data breach, or want to discuss how you can increase your data protection standards, our specialist public sector information law team can help.