The UK’s new data protection regulator has signalled a fresh approach to public sector enforcement that will likely see his office levy fewer and smaller financial penalties.
Information Commissioner John Edwards said last week that such fines ultimately end up harming the very public services they are meant to protect.
“I am not convinced large fines on their own are as effective a deterrent within the public sector. They do not impact shareholders or individual directors in the same way as they do in the private sector but come directly from the budget for the provision of services,” he said in an open letter.
“The impact of a public sector fine is also often visited upon the victims of the breach, in the form of reduced budgets for vital services, not the perpetrators. In effect, people affected by a breach get punished twice.”
As a result, the Information Commissioner’s Office (ICO) is set to trial a new two-year policy which will see more discretion used to minimize the impact of fines on the public.
“In practice this will mean an increase in public reprimands and the use of my wider powers, including enforcement notices, with fines only issued in the most egregious cases,” Edwards continued.
“However, the ICO will continue to investigate data breaches in the same way and will follow up with organisations to ensure the required improvements are made. We will also do more to publicise these cases, sharing the value of the fine that would have been levied, so there is wider learning.”
However, Edwards warned that “this is not a one-way street” and said he expects government data protection leaders to do their bit.
“In return, I expect to see greater engagement from the public sector, including senior leaders, with our data protection agenda,” he said.
“I also expect to see investment of time, money and resources in ensuring data protection practices remain fit for the future. This is a two-year trial and, if I do not see the improvements that I hope to see, then I will look again.”
The ICO claimed to have received a commitment from the UK government to create a cross-Whitehall senior leadership group tasked with encouraging compliance with high data protection standards.
As part of its new approach, the ICO has already reduced a massive £784,400 fine levied against the Tavistock and Portman NHS Foundation Trust to just £78,400, a drop of over 900%.
That penalty came after the trust accidentally failed to use the BCC field in an email, disclosing 1,781 email addresses belonging to adult gender identity patients. A screenshot of the email was subsequently shared on social media, identifying some of the recipients.