The public sector will no longer face eye-watering data breach fines, ICO confirms

A close up image of a smartphone with the ICO webpage displayed on screen
(Image credit: Shutterstock)

The Information Commissioner’s Office (ICO) has said it will take a more lenient approach to public sector organisations as part of its new three-year strategic vision.

This new strategy will see use of the Commissioner’s discretion to reduce the potential economic effect that GDPR fines can have, coupled with an approach that will focus more on sharing lessons learned and promoting good practice. The regulator said that this new strategy will be trialled over the next two years.

In practice, this will mean an increased use of its wider powers, including warnings, reprimands, and enforcement notices, with fines only issued in the most serious cases, the authority revealed this week. It will also mean a number of existing fines against public sector organisations will be substantially reduced, in some cases as much as 90%.

When a fine is considered, the ICO’s decision notice will indicate the amount the fine would have attracted. It hopes this will provide information to the wider economy about the levels of penalty others can expect from similar conduct.

The regulator is also aiming to work more closely with the public ​​sector to encourage compliance with data protection laws and prevent harms before they happen.

“I want to ensure my office remains a pragmatic, proportionate and effective regulator focused on making a difference to people’s lives,” said John Edwards, the UK Information commissioner. “That means taking a more proactive and targeted approach with public authorities to ensure they are looking after people’s information while supporting their communities.”

The UK government has also committed to create a cross-Whitehall senior leadership group to encourage compliance with high data protection standards. The ICO is also going to engage with the Devolved Administrations and the wider public sector to determine the most effective way to deliver these improvements.

The revised approach is part of a set of initiatives known as ICO25, its new three-year strategic vision, which aim to empower organisations to innovate while using people’s data responsibly.

As part of this change, the regulator has issued a reduced fine of £78,400, down from £784,800, to Tavistock and Portman NHS Foundation Trust for disclosing 1,781 email addresses belonging to adult gender identity patients in September 2019.


Understanding the economics of in-cloud data protection

Data protection solutions designed with cost optimisation in mind


Additionally, the ICO issued a public reprimand to NHS Blood and Transplant Service, after they inadvertently released untested development code into a live system for matching transplant list patients with donated organs in August 2019. If the revised approach had not been in place, the organisation would have received a fine of £749,856.

“My office worked with both organisations to improve their data protection standards and practices. We used different enforcement tools but, crucially, both resulted in changes that better protect the public,” said Edwards.

This new approach follows the reveal of the UK government's Data Reform Bill, a proposed law that will rework the General Data Protection Regulation (GDPR) to be more flexible and less stringent, according to the government. The bill is set to scrap what the government called “red tape and pointless paperwork," and will also include a restructure of the ICO.

This restructure will force the ICO to consider factors like economic growth, innovation, and competition when making its judgements, instead of solely following the letter of the law.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.