The head of the UK’s data protection watchdog has defended a contentious new policy of scaling back fines levied at government entities, claiming that more constructive approaches improve compliance.
Information commissioner, John Edwards, argued during a speech at the National Association of Data Protection Officers (NADPO) annual conference yesterday that government fines create a “money-go-round” of funds.
“It’s not effective and can have the opposite effect to what we want,” he added.
“There’s very little evidence that fines on their own produce better outcomes for the people we’re protecting, and even less evidence to support the view that fines are a good way of improving compliance and data protection practices in public authorities.”
Rather than resort to “headline-grabbing action” like fines, the Information Commissioner’s Office (ICO) is therefore now focusing its government engagements on more behind-the-scenes work. That is, “the guidance and advice that we can offer businesses to encourage compliance and to help their understanding of the law and their obligations under it.”
The ICO has come under fire in recent weeks for taking a softer line on two incidents in central government.
First, it slashed a proposed £500,000 fine to just £50,000 after the Cabinet Office accidentally leaked the addresses of individuals named on the New Year Honours list in 2019.
In the same week, it decided to hand the Department for Education (DfE) a reprimand for due diligence failings related to which companies could access the learning records service (LRS) database, while claiming the DfE should have been fined £10m ($11.9m).
“By saying that we would have fined DfE £10 million under our previous system, we are signalling a ‘tariff’ to those who might be thinking about taking a shortcut to save money on compliance,” Edwards argued by way of defense. “This shows that, in their case, it might well be a false economy.”
However, the private sector is still in for a tough ride from the ICO if firms attempt to profit by breaking the General Data Protection Regulation (GDPR).
In October, leading catalog retailer Easylife was fined £1.35m for illegally profiling customers before cold-calling them.
“Monetary penalties remain an important regulatory tool, and we will use them in the instances where they are truly needed – for the breaches which cause or have the potential to cause the most harm to people, or where a business has profited from its non-compliance,” said Edwards.