General News

The End of Public Sector ICO Fines?

In the future, there could be less fines being handed out to Public sector organisations, according to the ICO’s new data protection regulator. The thought behind this comes from the idea that using fines as a punishment for sufficient data breaches only harm the public services that receive them, and therefore fewer financial penalties will be handed out, and the ones that are will be generally speaking of a lower amount.

In an open letter, John Edwards who is the ICO’s new data protection regulator said:

“I am not convinced that large fines on their own are as effective a deterrent within the public sector. They do not impact shareholders or individual directors in the same way as they do in the private sector but come directly from the budget for the provisions of services.”

Edwards also puts forward the argument that the victims of the breach are ultimately the ones that suffer as a result of these fines, as the budgets for the public service is reduced. Therefore, those who are victims of a breach in these circumstances suffer twice. The ICO are therefore looking to conduct a two year trial where they will use higher levels of discretion to reduce the number of fines they give out to public sector organisations, with the aim of reducing the impact they have on the public, and the services that they use.

Edwards also highlights however that the ICO will continue to investigate data breaches in the same way they always have, and the proposed changes to fines will not impact this, and there will always be follow us checks to ensure that organisations who have committed a breach have taken the necessary steps that the ICO had decided they should. More effort will also be put into publicising breaches and the action that was issued, with the aim being to increase awareness of the ways in which organisations can avoid breaches, and improve learning. In return however, Edwards said that he “expects to see greater engagement from the public sector, including senior leaders, with our data protection agenda.” 

In Edwards’ eyes, the ‘greater levels of commitment’ would come in the form of investment of time, money and resources when it comes to data protection compliance, to ensure that an organisation’s practices are fit for the future. After the conclusion of the two year trial, if Edwards does not see the progress he wants to see, then the ICO will look at other options. As part of its new approach, the ICO has already reduced a massive £784,400 fine levied against the Tavistock and Portman NHS Foundation Trust to just £78,400, a drop of over 900%. In this breach, the trust failed to use BCC in an email, which resulted in the email addresses of 1781 adult gender identity patients being disclosed. As well as this, the email had been screenshotted and posted onto social media, with the screenshot identifying some of the patients.

It remains unclear as to how this change in policy will affect the overall compliance across the public sector. If, as Edwards hopes, it results in more effort being put into data protection compliance across the board, then reducing fines may be something that the ICO employs after the two year trial has finished.