New approach to data breaches will see ICO fine public authorities sparingly

The UK Information Commissioner has announced that fines for public authorities will be issued in only "the most egregious cases" as part of a two-year trial experimenting with a different approach to punishing public authorities for data breaches.

In an open letter announcing the decision, the UK Commissioner, John Edwards, said he is "not convinced large fines on their own are as effective a deterrent within the public sector" as they do not impact shareholders or individual directors in the say way as they do in the private sector.

Mr Edwards said the new approach would see greater use of his discretion to reduce the impact of fines on the public sector.

"In practice this will mean an increase in public reprimands and the use of my wider powers, including enforcement notices, with fines only issued in the most egregious cases," he added.

When a fine is considered, the decision notice will give an indication on the amount of the fine the case would have attracted. This will provide information to the wider economy about the levels of penalty others can expect from similar conduct.

Mr Edwards wrote that, while the ICO will still call out non-compliance and take enforcement action, its "primary focus will be on raising data protection standards across the board and preventing harms from occurring in the first place".

In light of this change, the ICO has issued a reduced fine of £78,400 to Tavistock and Portman NHS Foundation Trust for disclosing 1,781 email addresses belonging to adult gender identity patients.

Additionally, the ICO will be working more closely with the public sector to encourage compliance with data protection law and prevent harm before it happens.

The ICO has received a commitment from the UK Government, specifically from the Cabinet Office and the Department for Digital, Culture, Media and Sport, to create a cross-Whitehall senior leadership group to encourage compliance with high data protection standards. It will also engage with the Devolved Administrations and the wider public sector to determine the most effective way to deliver these improvements in these areas.

More initiatives will be set out in the coming weeks as part of a new three-year strategic vision, according to the ICO.

John Edwards, UK Information Commissioner, said: "I want to ensure my office remains a pragmatic, proportionate and effective regulator focused on making a difference to people's lives. That means taking a more proactive and targeted approach with public authorities to ensure they are looking after people's information while supporting their communities.

"In the case of Tavistock and Portman NHS Foundation Trust, the breach revealed much more than people's email addresses. Knowing about someone's relationship with a gender identity clinic could be hugely dangerous and damaging to the patients' well-being and personal safety. The trust also failed to learn from previous incidents."

Adam Carey