Stephen Eckersley: Providing certainty on how ICO enforces the laws it regulates
Stephen Eckersley, ICO director of investigations, discusses the rationale behind the decision to begin publishing reprimands.
John Edwards, UK Information Commissioner, recently set out our strategic approach to regulatory action when he said: “Members of the public, and those affected by a breach or infringement, are entitled to know that we have held the business or organisation to account, and that they have changed their practices as a result.”
Until now, we would normally publish enforcement notices, fines and summaries of our audit reports on our website. But now we will also publish all reprimands going forward, including reprimands issued from January 2022 onwards, unless there is a good reason not to, such as matters of national security or that it is likely to jeopardise any ongoing investigation. As with any enforcement action, we expect organisations to improve their practices as set out in the reprimands and we follow up to make sure our recommendations are implemented.
While fines may grab people’s attention, every one of these reprimands represents a time we have taken action to raise data protection standards. The time we helped a local council improve its cyber security, or when we warned a telecommunications company to improve its responses to the public when asked for personal information held about them, or the time we protected people’s data by ordering the police to improve how they handle victims’ personal information.
Ultimately, we want to be transparent with the public when we hold a business or organisation to account and what they need to do to improve their practices.
We also want the wider economy to learn from those reprimands. By reading about where an organisation failed to comply with data protection laws, we hope that others will understand what went wrong and what they need to do if they find themselves in a similar scenario.
This will provide certainty to businesses and organisations in what the law requires from them and has already been set out in our ICO25 regulatory approach. It will also provide certainty to people about their rights and our approach, as they will be better informed to call out bad practices and make a complaint to us.
Our revised public sector approach
We are currently underway with our two-year pilot of working more effectively with public authorities, which is part of ICO25 – our new three-year strategic vision. This approach aims to reduce the impact of fines on the public by working more closely with the public sector, encouraging compliance with data protection law to prevent harms before they happen. We will still use the full range of our enforcement tools, but with fines only being issued where they are truly needed.
For example, we issued a reprimand earlier in the year to NHS Blood and Transplant Service, instead of a £749,856 fine, for a coding error that could have caused potential harm to people on the non-urgent transplant list. We also reprimanded the Department of Education, instead of issuing a £10m fine, for failing to properly look after children’s data in one of its databases. By the time we issued these reprimands, both organisations had already made significant changes to their data protection practices, so a reprimand was an appropriate enforcement tool in these specific cases.
Building on this approach of working with public bodies, the UK government is creating a cross-Whitehall senior leadership group to encourage compliance with high data protection standards within the public sector, aiming to improve the way public authorities handle people’s information.
With any pilot, we will be measuring the success of our revised approach and the improvements we hope to see. Ultimately, we want organisations to put people at the heart of their practices by investing time and resources in ensuring their information is protected and used appropriately.