John Edwards

This approach, which is outlined in an open letter from the UK Information Commissioner John Edwards to public authorities, will see use of the commissioner’s discretion to reduce the impact of fines on the public sector, coupled with better engagement including publicising lessons learned and sharing good practice. It will be trialled over the next two years.

In practice, this will mean an increased use of the ICO’s wider powers, including warnings, reprimands and enforcement notices, with fines only issued in the most serious cases.

When a fine is considered, the decision notice will give an indication on the amount of the fine the case would have attracted. This will provide information to the wider economy about the levels of penalty others can expect from similar conduct.

Additionally, the ICO will be working more closely with the public sector to encourage compliance with data protection law and prevent harms before they happen.

In support of this approach, the ICO has received a commitment from the UK government, specifically from the Cabinet Office and the Department for Digital, Culture, Media and Sport, to create a cross-Whitehall senior leadership group to encourage compliance with high data protection standards. The ICO will also engage with the devolved administrations and the wider public sector to determine the most effective way to deliver these improvements in these areas.

This revised approach is just one of the initiatives that will be set out in the coming weeks as part of ICO25 – the ICO’s new three-year strategic vision – to empower organisations to innovate while using people’s data responsibly.

In light of this change, the ICO has issued a reduced fine of £78,400 to Tavistock and Portman NHS Foundation Trust for disclosing 1,781 email addresses belonging to adult gender identity patients. The 2019 breach happened because the trust failed to use the ‘Bcc’ field and, within 30 minutes of the mailing, a screenshot of the email was shared on social media including the email addresses of some of the people affected.

Another recent ICO enforcement action includes a reprimand issued to NHS Blood and Transplant Service, after they inadvertently released untested development code into a live system for matching transplant list patients with donated organs in August 2019. This error led to five adult patients on the non-urgent transplant list not being offered transplant livers at the earliest possible opportunity. The organisation remedied the error within a week, and none of the patients involved experienced any harm as a result.

Mr Edwards said: “I want to ensure my office remains a pragmatic, proportionate and effective regulator focused on making a difference to people’s lives. That means taking a more proactive and targeted approach with public authorities to ensure they are looking after people’s information while supporting their communities.

“In the case of Tavistock and Portman NHS Foundation Trust, the breach revealed much more than people’s email addresses. Knowing about someone’s relationship with a gender identity clinic could be hugely dangerous and damaging to the patients’ well-being and personal safety. The trust also failed to learn from previous incidents.

“The NHS Blood and Transplant Service already had good data protection policies and systems in place, but a single human error that went undetected contributed to an incident that could have caused potential harm to people on the non-urgent transplant list.

“My office worked with both organisations to improve their data protection standards and practices. We used different enforcement tools but, crucially, both resulted in changes that better protect the public.”