ICO set to issue fewer public sector fines to avoid ‘data breach victims being punished twice’

Written by Suzannah Brecknell on 1 July 2022 in News

Penalties for public bodies often impact services – rather than shareholders – according to commissioner John Edwards

Credit: Nick Youngson/CC BY-SA 3.0/Pix4free.org

The Information Commissioner’s Office has set out plans to improve the way it works with public sector bodies, focusing on raising standards and sharing good practice while reducing the impact of fines.

In an open letter, commissioner John Edwards said that the ICO will “still call out non-compliance and take robust enforcement action where necessary, but in future our primary focus will be on raising data protection standards across the board and preventing harms from occurring in the first place”.

The new approach, to be trialled over the next two years, will see the ICO issue fines to public authorities in only the most serious cases. Instead, the watchdog will make greater use of wider powers such as warnings, reprimands and enforcement notices when a public body is found to have breached data protection rules.

“I am not convinced large fines on their own are as effective a deterrent within the public sector,” Edwards wrote. “They do not impact shareholders or individual directors in the same way as they do in the private sector but come directly from the budget for the provision of services. The impact of a public sector fine is also often visited upon the victims of the breach, in the form of reduced budgets for vital services, not the perpetrators. In effect, people affected by a breach get punished twice.”


Under the new approach, if the ICO considers giving a fine for a particular breach but decides against doing so, it will indicate this in its decision notice. This will include publishing the size of the fine the case would have attracted, with the aim of informing the wider economy about the levels of penalty others can expect from similar conduct.

Edwards said the new approach will “include working proactively with senior leaders across the public sector to encourage compliance, prevent harms before they occur and learn lessons when things have gone wrong”.

But, he added, the ICO “cannot do this on our own”, and he called for “accountability to deliver these improvements on all sides”.

To support this change, the Cabinet Office and Department for Digital, Culture, Media and Sport have agreed to create a cross-government senior leadership group to encourage compliance with high data protection standards. The ICO will also engage with the devolved administrations and the wider public sector to determine the most effective way to deliver improvements in these areas.

This revised approach is the first of several new initiatives that will be set out in the coming weeks as part of ICO25 – the ICO’s new three-year strategic vision – to empower organisations to innovate while using people’s data responsibly.

 

About the author

Suzannah Brecknell is editor of PublicTechnology sister publication Civil Service World, where this story first appeared. She tweets as @SuzannahCSW.
