The public sector will no longer face eye-watering data breach fines, ICO confirms

The Information Commissioner’s Office (ICO) has said it will take a more lenient approach to public sector organisations as part of its new three-year strategic vision.

This new strategy will see use of the Commissioner’s discretion to reduce the potential economic effect that GDPR fines can have, coupled with an approach that will focus more on sharing lessons learned and promoting good practice. The regulator said that this new strategy will be trialled over the next two years.

In practice, this will mean an increased use of its wider powers, including warnings, reprimands, and enforcement notices, with fines only issued in the most serious cases, the authority revealed this week. It will also mean a number of existing fines against public sector organisations will be substantially reduced, in some cases as much as 90%.

When a fine is considered, the ICO’s decision notice will indicate the amount the fine would have attracted. It hopes this will provide information to the wider economy about the levels of penalty others can expect from similar conduct.

The regulator is also aiming to work more closely with the public ​​sector to encourage compliance with data protection laws and prevent harms before they happen.

“I want to ensure my office remains a pragmatic, proportionate and effective regulator focused on making a difference to people’s lives,” said John Edwards, the UK Information commissioner. “That means taking a more proactive and targeted approach with public authorities to ensure they are looking after people’s information while supporting their communities.”

The UK government has also committed to create a cross-Whitehall senior leadership group to encourage compliance with high data protection standards. The ICO is also going to engage with the Devolved Administrations and the wider public sector to determine the most effective way to deliver these improvements.

The revised approach is part of a set of initiatives known as ICO25, its new three-year strategic vision, which aim to empower organisations to innovate while using people’s data responsibly.

As part of this change, the regulator has issued a reduced fine of £78,400, down from £784,800, to Tavistock and Portman NHS Foundation Trust for disclosing 1,781 email addresses belonging to adult gender identity patients in September 2019.

Additionally, the ICO issued a public reprimand to NHS Blood and Transplant Service, after they inadvertently released untested development code into a live system for matching transplant list patients with donated organs in August 2019. If the revised approach had not been in place, the organisation would have received a fine of £749,856.

“My office worked with both organisations to improve their data protection standards and practices. We used different enforcement tools but, crucially, both resulted in changes that better protect the public,” said Edwards.

This new approach follows the reveal of the UK government's Data Reform Bill, a proposed law that will rework the General Data Protection Regulation (GDPR) to be more flexible and less stringent, according to the government. The bill is set to scrap what the government called “red tape and pointless paperwork," and will also include a restructure of the ICO.

This restructure will force the ICO to consider factors like economic growth, innovation, and competition when making its judgements, instead of solely following the letter of the law.