ICO will reserve the power to fine for most “egregious cases” in new approach to enforcement of data protection

The Information Commissioner, John Edwards, has said that a change in approach to the enforcement of data protection within the public sector will put more emphasis on “calling out bad practice” rather than issuing fines.

Speaking yesterday at a meeting of the House of Lords’ Public Services Committee, the Information Commissioner also reiterated that public bodies will “not be punished when sharing data to protect children from harm”.

In June 2022, the Information Commissioner’s Office (ICO) set out a revised approach to working more effectively with public authorities, to include the use of the Commissioner’s discretion to reduce the impact of fines on the public sector, together with better engagement including publicising lessons learned and sharing good practice.

This ‘revised approach’ is currently being trialled over two years.

The Information Commissioner told the committee that he has seen past examples of public sector fines, such as on NHS trusts "effectively punishing for the second time the victims of that breach", with fines taking money from the system itself, rather than the perpetrators.

Lord Bichard, a member of the Public Services Committee, asked the Commissioner about the public enforcement trial and its impact so far.

The Commissioner told the meeting that it was hard to measure whether the new approach had been effective yet, but outlined an example in which the Department for Education was publicly held to account following a data breach and issued with a “reprimand” rather than a fine by the ICO.

He noted that the organisation has since “really elevated its data protection” and now has a minister responsible for the oversight of data protection.

Speaking on the topic of child protection and the importance of data sharing when appropriate, the Information Commissioner noted that "a degree of mythology creeps up around the legislation that it is there to prevent information sharing."

He reiterated to the committee that “if you hold information about a child who may be in need of care or safeguarding who may be vulnerable and you tell an authority who can deal with the issue, you will not experience repercussions or fall foul of UK GDPR”.

He added that “not one fine has been issued during the life of UK GDPR when an authority has shared information in pursuit of the safeguarding of a child”.

Edwards told the committee that in a confirmation hearing with the Digital, Culture, Media and Sport Committee, he described the UK GDPR as a 'how-to', not a 'don't do'.

It was also announced that the Information Commissioner’s Office is collaborating with the Children's Commissioner for England to produce resources that will be ready by the summer.

A workshop was held in which the ICO asked practitioners what the issues were that they faced on a day-to-day basis, and how they could be supported in achieving the information sharing that is “necessary to properly keep children from harm”, the meeting was told.

Lottie Winson

(c) HB Editorial Services Ltd 2009-2022