Features 27.02.2025

Is the ICO’s Public Sector Approach Really Working?

Is the carrot mightier than the stick in data protection regulation?

Phil Muncaster asks whether the information commissioner is pulling his punches or taking a laudably pragmatic view to regulatory enforcement

For two years, the UK’s data protection regulator has been operating what de facto amounts to two separate approaches to enforcement. A controversial trial begun in late 2022 has seen public sector authorities face far lower fines than they have historically. There were no such dispensations for private enterprises. In December, the information commissioner made a long-awaited decision to broadly continue with this approach.

The question is whether it has genuinely had the desired impact, or whether it is unfairly letting the public sector off the hook while blunting an important regulatory tool designed to improve compliance.

Slashing fines

According to ICO data analysed by law firm Mishcon de Reya, there was an 8000% increase in the number of individuals impacted by data breaches in central government in the period 2019-2023. This included 195 million people affected by breaches related to “economic or financial data” in 2023. Yet at the same time, the regulator has significantly reduced or entirely eliminated fines for incidents at:

  • The Police Service of Northern Ireland (PSNI), which leaked sensitive information on serving officers that could have put lives at risk. A potential fine of £5.6m was reduced to £750,000
  • The Tavistock and Portman NHS Foundation Trust, which accidentally leaked the email addresses of 1,781 Gender Identity Clinic patients, some of whom were publicly identified. A would-be fine was cut from £784,800 to just £78,400
  • The Cabinet Office, which exposed the names and unredacted addresses of over 1,000 people announced in the New Year Honours list, including various celebrities. A £500,000 fine was reduced to £50,000
  • The Ministry of Defence (MoD), which leaked sensitive information on people seeking relocation to the UK after the Taliban took control of Afghanistan. A £1m fine was cut to £350,000
  • NHS Highland, which emailed 37 people likely to be accessing HIV services, sharing their details with each other. A fine of £35,000 was reduced to a reprimand
  • The Electoral Commission, which suffered a major breach of voting data on 40 million citizens after hackers took advantage of basic security failings. It also received a reprimand rather than a fine


This is not to say that the public sector has survived completely unscathed. According to compliance specialists URM Consulting Services, the only two GDPR-related fines issued by the ICO in the first half of 2024 were levied on a government department (the Ministry of Defence) and a charity (the Central YMCA).

Still, there’s a stark disparity between, say, the fines levied against the likes of NHS Highland and the Tavistock and Portman NHS Foundation Trust – which only just top £113,000 – and that proposed for NHS supplier Advanced Computer Software Group. The latter, a private sector business, is facing a £6m financial penalty after security failures at the firm led to a ransomware breach of personal data on 82,946 individuals and the downing of the NHS 111 service.

What the information commissioner says

Information commissioner, John Edwards, argues in a statement dated December that the idea of the public sector approach is partly to ensure that big regulatory fines don’t end up penalising citizens by taking money earmarked for public services. Instead, his approach is designed to make increased use of other powers, including “warnings, reprimands and enforcement notices”, with fines only issued as a last resort.

Edwards defends the approach, citing a recent review which collected the opinions of public sector leaders.

“Fines have their place, but so do other ways of regulating. Different incentives and disincentives work in different ways in different sectors of the economy,” he says.


“The review showed that central government and wider public sector echoed the sentiment around the impact of fines on frontline services, and how it disproportionately affects the budget of smaller organisations and devolved administrations.”

The public sector trial doesn’t just mean lower fines and greater use of other discretionary powers that the Information Commissioner’s Office (ICO) holds. It also introduces a new practice of publishing public sector reprimands on the ICO website – of which there have been around 60 over the past two years.

“We’ve seen significant changes made by organisations following a reprimand,” Edwards claims. “From a local council updating its procedures to prevent inappropriate disclosure of children’s information and an NHS Trust stopping sending bulk emails with sensitive information; to an advisory body improving its security measures to prevent unlawful access, and a hospital implementing a decommissioning policy so personal details wouldn’t be lost when filing systems were terminated.”

Do fines work?

Sarah Pearce, partner at Hunton Andrews Kurth, is broadly sympathetic to the ICO’s approach.

“Certainly, public reprimands can be useful, much in the same way as the imposition of fines, to increase engagement and encourage compliance which goes beyond a simple deterrent,” she tells Assured Intelligence. “The approach taken by the regulator in the past couple of years has been to work proactively with the public sector to encourage data protection compliance and prevent harms rather than simply to issue fewer and lower fines.”

However, legal experts aren’t wholly in agreement. Jon Baines, senior data protection specialist at Mishcon de Reya, argues that public sector leaders have a vested interest in claiming that lower fines work better for their organisations. He adds that there’s no empirical evidence to support the proposition that statutory reprimands are more effective than more stringent regulatory enforcement.


“There’s a compelling argument that the public sector has at least a measure of immunity from reputational damage and reduced public trust – after all, most customers of the public sector have no choice as to which provider they use – in contrast to the private/commercial sector,” he tells Assured Intelligence.

“In my experience, as someone who has spent more than 15 years working in data protection in the public sector, nothing is more effective in driving better compliance than strong enforcement.”

Lisa Dargan, director at URM Consulting Services, argues that reprimands can cause reputational damage to public authorities and therefore do act as a deterrent, up to a point. But she questions whether they, and other non-financial penalties, represent a “sufficiently effective” check.

“On that question the jury is still out,” she tells Assured Intelligence. “The true test of the public sector approach, as with the efficacy of all regulation, will be whether the instances of data loss and other breaches of personal data by the public sector start to decline. There is, as yet, no evidence of this.”

What happens next?

Going forward, the ICO recognises the need for more clarity on which organisations fall within the scope of the public sector approach and what type of infringements could lead to a fine. That’s why it is launching another consultation to elicit more industry feedback on these two issues.

However, Mishcon de Reya’s Baines would like to see the ICO go back to basics on whether the approach itself is the right one.

“I would like to see a proper analysis of why the public sector should receive favourable treatment, based on economic factors and considerations, as well as based on empirical data as to the efficacy of fines. And whether there is any difference between the public sector and the private when it comes to the efficacy of fines,” he concludes.

“I would expect this to be a robust academic analysis, and not, as I fear the current approach has been, based on assumptions and innate preferences.”

URM Consulting Services’ Dargan says she would like to see more focus from the regulator on follow-up checks for reprimanded public sector authorities, to bring the ICO more in line with the work of its French, Spanish and other European peers.


“In the UK, there appears to be a perception that the ICO does not consistently conduct follow-up visits to organisations, including public sector bodies, after issuing reprimands. Furthermore, the ICO does not seem to actively counter this perception by, for instance, routinely publicising such visits,” she explains.

“This is unfortunate in our opinion, as the prospect or assurance of follow-up checks could significantly enhance the effectiveness of reprimands, strengthening their deterrent value. Such an approach would align with the intended objectives of non-monetary enforcement in the public sector. Moreover, it could address concerns held by some that the UK does not prioritise GDPR compliance as robustly as other European nations.”

The point of the public sector approach is a noble one: with the UK’s economy in such a state, public authorities can do with all the help they can get financially. Yet if there is a perception that non-financial penalties are failing to improve data protection practices, the narrative could be hard to shift. Business leaders have thus far remained relatively restrained about the whole affair. But their patience may be tested over the coming months. If the ICO is seen to be pulling its punches, it will only undermine the regulator’s authority further, and make the private sector more determined to contest any fines it’s landed with.
