IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

ICO: The public sector isn’t getting 'an easier ride' with GDPR penalties

The UK’s information commissioner outlines his new approach to regulation and why the most constructive punishments will always be favoured

The Information Commissioner's Office (ICO) has announced that it will be changing its approach to punishing data protection offences committed within the UK’s public sector.

Information Commissioner John Edwards said that the organisation’s regulatory approach will focus more on fixing the underlying issues and that issuing monetary penalties is ultimately counter-intuitive in many cases.

Citing an incident where he was recommended to fine an NHS Trust, Edwards told delegates at the National Association of Data Protection Officers (NADPO) annual conference on Tuesday that fining the Trust would have just harmed the quality of service given to patients, punishing them. 

“That fine would have come directly from the money available to that service to deliver services to the victims of the UK GDPR non-compliance,” he said. “We would further punish the very victims whose rights we are there to uphold.”

The same ‘gentler’ approach will be applied across all areas of the public sector, not just the emergency or other critical services.

Issuing fines to organisations in central government is often also ineffective, Edwards said, and previous cases have shown little evidence to support the idea that fines lead to better outcomes or overall compliance. 

The Cabinet Office was fined £500,000 by the ICO in 2021 for the 2019 New Year’s Honours breach in which more than 1,000 individuals’ had their home addresses leaked.

It was decided the most effective course of punishment was to reduce this fine to £50,000 after an appeal, given the economic challenges the public sector currently faces.

The Department for Education (DfE) most recently escaped a monetary penalty for its incident in November which saw school pupils’ learning records used by gambling companies to conduct age-verification checks.

Edwards said this would usually garner a £10m fine but the new approach took into consideration that the DfE enacted all the required changes to prevent future data protection breaches of this kind before the ICO could even issue the instruction to do so. 

As a result, the department received just a formal reprimand and no fine, a punishment the ICO deemed appropriate given the department’s proactivity in remediating the issues.

Related Resource

Data governance and privacy for data leaders

Create your ideal governance and privacy solution

Whitepaper library with title and logo and man cycling over a bridgeFree Download

“Some commentators have suggested this might be a sign of weakness, or us ‘going easy’ on government. It's not,” said Edwards at the conference.

“My job is to make sure we’re working in the areas that will have the greatest impact. This doesn’t mean always reaching for the most flashy, headline-grabbing action that comes after the fact; sometimes it’s that behind-the-scenes work, the guidance and advice that we can offer businesses to encourage compliance and to help their understanding of the law and their obligations under it."

Monetary penalties will be reserved for organisations that have the potential to harm the most people. Edwards pointed to the recent fines against catalogue retailer Easylife - one worth £130,000 for “predatory marketing calls” and another worth £1.35 million for profiling customers before illegally calling them.

This is an example, Edwards said, of a case where fines can promote compliance - hurting money-making enterprises by impeding their money-making potential.

Further regulatory changes

Another change to Edwards’ approach is to begin publishing all reprimands to the ICO’s website, “unless there is a good reason not to” - something it currently does not do.

This is for the purposes of promoting accountability and transparency - the public and wider economy should be aware of any transgressions and why the ICO issued the punishment it chose.

Non-monetary enforcement actions available to the ICO, aside from fines, include warnings (when violations are likely to be committed), reprimands (formal expressions of disapproval towards conduct when the threshold for a fine hasn’t been met), and compliance orders (instructions to offenders that changes need to be made to re-establish compliance).

Edwards also said he wanted the regulatory process to be more predictable and certain, and the increased emphasis on transparency would help inform organisations what the law requires of them.

In addition, the new approach aims to be more flexible. Tied with the ideas of certainty and predictability, Edwards believes that organisations should be free to innovate their products and services with confidence that they still meet compliance criteria.

The ICO will soon be launching a new advice service dedicated to supporting organisations with their planned innovations in areas to support further investment, like new business models.

“Our advice service will offer direct, fast-paced answers and support to those looking to move quickly and innovate within the guardrails of the law,” he said. “This will do more to improve outcomes for the consumers of those services than aggressive regulatory action after the fact would, after the harm has been done. ”

Featured Resources

Accelerating healthcare transformation through patient-centred medtech solutions

Seize the digital transformation opportunities to streamline patient care and optimise patient outcomes

Free Download

Big payoffs from big bets in AI-powered automation

Automation disruptors realise 1.5 x higher revenue growth

Free Download

Hyperscaler cloud service providers top ten

Why it's important for companies to consider hyperscaler cloud service providers, and why they matter

Free Download

Strategic app modernisation drives digital transformation

Address business needs both now and in the future

Free Download


ICO crackdown on AI recruitment part of three-year vision to save businesses £100 million
data protection

ICO crackdown on AI recruitment part of three-year vision to save businesses £100 million

14 Jul 2022

Most Popular

Empowering employees to truly work anywhere

Empowering employees to truly work anywhere

22 Nov 2022
What we can learn from the supercomputer revolution

What we can learn from the supercomputer revolution

1 Dec 2022
What medium and large enterprises can learn from supercomputing

What medium and large enterprises can learn from supercomputing

6 Dec 2022