IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

The public sector will no longer face eye-watering data breach fines, ICO confirms

The regulator will, however, increase the use of its wider powers like handing out warnings and reprimands

The Information Commissioner’s Office (ICO) has said it will take a more lenient approach to public sector organisations as part of its new three-year strategic vision.

This new strategy will see use of the Commissioner’s discretion to reduce the potential economic effect that GDPR fines can have, coupled with an approach that will focus more on sharing lessons learned and promoting good practice. The regulator said that this new strategy will be trialled over the next two years.

In practice, this will mean an increased use of its wider powers, including warnings, reprimands, and enforcement notices, with fines only issued in the most serious cases, the authority revealed this week. It will also mean a number of existing fines against public sector organisations will be substantially reduced, in some cases as much as 90%.

When a fine is considered, the ICO’s decision notice will indicate the amount the fine would have attracted. It hopes this will provide information to the wider economy about the levels of penalty others can expect from similar conduct.

The regulator is also aiming to work more closely with the public ​​sector to encourage compliance with data protection laws and prevent harms before they happen.

“I want to ensure my office remains a pragmatic, proportionate and effective regulator focused on making a difference to people’s lives,” said John Edwards, the UK Information commissioner. “That means taking a more proactive and targeted approach with public authorities to ensure they are looking after people’s information while supporting their communities.”

The UK government has also committed to create a cross-Whitehall senior leadership group to encourage compliance with high data protection standards. The ICO is also going to engage with the Devolved Administrations and the wider public sector to determine the most effective way to deliver these improvements.

The revised approach is part of a set of initiatives known as ICO25, its new three-year strategic vision, which aim to empower organisations to innovate while using people’s data responsibly.

As part of this change, the regulator has issued a reduced fine of £78,400, down from £784,800, to Tavistock and Portman NHS Foundation Trust for disclosing 1,781 email addresses belonging to adult gender identity patients in September 2019.

Related Resource

Understanding the economics of in-cloud data protection

Data protection solutions designed with cost optimisation in mind

Whitepaper cover with title below a gradient orange pixelated banner and text and graph belowFree Download

Additionally, the ICO issued a public reprimand to NHS Blood and Transplant Service, after they inadvertently released untested development code into a live system for matching transplant list patients with donated organs in August 2019. If the revised approach had not been in place, the organisation would have received a fine of £749,856.

“My office worked with both organisations to improve their data protection standards and practices. We used different enforcement tools but, crucially, both resulted in changes that better protect the public,” said Edwards.

This new approach follows the reveal of the UK government's Data Reform Bill, a proposed law that will rework the General Data Protection Regulation (GDPR) to be more flexible and less stringent, according to the government. The bill is set to scrap what the government called “red tape and pointless paperwork," and will also include a restructure of the ICO.

This restructure will force the ICO to consider factors like economic growth, innovation, and competition when making its judgements, instead of solely following the letter of the law.

Featured Resources

The Total Economic Impact™ Of Turbonomic Application Resource Management for IBM Cloud® Paks

Business benefits and cost savings enabled by IBM Turbonomic Application Resource Management

Free Download

The Total Economic Impact™ of IBM Watson Assistant

Cost savings and business benefits enabled by Watson Assistant

Free Download

The field guide to application modernisation

Moving forward with your enterprise application portfolio

Free Download

AI for customer service

Discover the industry-leading AI platform that customers and employees want to use

Free Download

Recommended

ICO crackdown on AI recruitment part of three-year vision to save businesses £100 million
data protection

ICO crackdown on AI recruitment part of three-year vision to save businesses £100 million

14 Jul 2022
MoJ faces £17.5m GDPR fine over subject access request backlog
data protection

MoJ faces £17.5m GDPR fine over subject access request backlog

20 Jan 2022
Cabinet Office fined £500,000 for New Year Honours data leak
data breaches

Cabinet Office fined £500,000 for New Year Honours data leak

3 Dec 2021
ICO publishes new data protection standards for the adtech industry
data protection

ICO publishes new data protection standards for the adtech industry

25 Nov 2021

Most Popular

Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
Google is now spending a staggering amount on blockchain
Business strategy

Google is now spending a staggering amount on blockchain

17 Aug 2022
UK water supplier confirms hack by Cl0p ransomware gang
ransomware

UK water supplier confirms hack by Cl0p ransomware gang

16 Aug 2022