ICO Have Confirmed That Public Sector Organisations Will No Longer Face Large Data Breach Fines

Ruby Ashby

On 30 June 2022, the Information Commissioner’s Office (ICO) published a statement addressed to the public sector. This statement is just one of the initiatives that the ICO will set out in the coming weeks as part of its three-year strategic vision, ICO25.

What is ICO25?

The purpose of ICO25 is to empower organisations to innovate while using people’s data responsibly. This vision is in line with the recently announced Data Reform Bill which aims to create a…

“…world-class data right regime…that reduces burdens on businesses, boosts the economy, helps scientists to innovate, and improves the lives of people in the UK”. 

Within the statement published by the ICO on 30 June 2022, they have confirmed that they will be taking a revised approach to how they deal with data within the public sector. The “revised approach” will include working with senior leaders across the public sector to encourage compliance, prevent breaches before they occur, and learn from any mistakes when things go wrong.

Whilst the ICO is still intending to call out any non-compliance with enforcement action where necessary (as discussed below), its primary focus is to try to raise the data protection standards to prevent breaches from occurring in the first place.

How are they intending to do this?

The ICO has confirmed that the National Data Strategy already proposes a joined-up and strategic approach to the use of data across Government. They have received a commitment from the UK Government to create a senior leadership group to encourage compliance. The ICO has further confirmed that they intend to have discussions with colleagues in the UK Government, as well as the wider public sector, to determine the most effective way to deliver these improvements.

Enforcement

Within the statement, the ICO has indicated that they intend to take a more lenient approach with public sector organisations.

Why has the ICO decided to take this approach? John Edwards, the current UK Information Commissioner, has explained within the statement:

“I am not convinced large fines on their own are as effective a deterrent within the public sector. They do not impact shareholders or individual directors in the same way as they do in the private sector but come directly from the budget for the provision of services. The impact of a public sector fine is also often visited upon the victims of the breach, in the form of reduced budgets for vital services, not the perpetrators. In effect, people affected by a breach get punished twice.”

This is an interesting interpretation of the effects of enforcement action on the public sector. It is again in line with what the proposed reforms under the Data Reform Bill are trying to achieve, namely a move away from a one-size-fits-all approach towards one that looks instead to the outcome.

This approach will be trialled by the ICO over the next two years. This does not, however, mean that the ICO cannot and will not issue fines. They have simply confirmed that they will only issue fines in the most serious of cases and will instead seek to utilise their wider powers, such as enforcement notices.

Interestingly, the ICO has also indicated that in line with this new approach they will be reviewing a number of existing fines against public sector organisations and substantially reducing these.

John Edwards has made it clear within his statement:

“[T]his is not a one-way street. In return, I expect to see a greater engagement from the public sector, including senior leaders, with our data protection agenda. I also expect to see an investment of time, money, and resources in ensuring data protection practices remain fit for the future. This is a two-year trial and, if I do not see the improvements that I hope to see, then I will look again.”

Comment

This is just one of the many initiatives set to be announced by the ICO in the coming weeks. It will be interesting to see what other proposals they will be putting forward. It is clear from the statement that the ICO has taken on board the message within the Data Reform Bill and started to adapt in an attempt to start building the “world-class data right regime” that is envisaged.

How Nelsons can help

Ruby Ashby is an Associate in our expert Dispute Resolution team.

If you need any advice concerning the subjects discussed in this article, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
