Summary of responses to our consultation on the revised approach to public sector regulation
Overview
In June 2022, the Information Commissioner published an open letter to public sector leaders, where he announced a two-year trial of a revised approach to working more effectively with public authorities across the UK.
We refer to this as the ‘public sector approach’. It used the Commissioner’s discretion to reduce the impact of fines on public bodies and aimed to improve data protection standards in this sector through guidance and proactive engagement.
We reviewed the two-year trial and published our findings report, which identified that the scope and parameters of the public sector approach could be articulated more clearly.
Considering these findings, we consulted on two proposed updates on:
- the definition of organisations that fall within scope of the public sector approach; and
- the circumstances in which an infringement is likely to be regarded as egregious, warranting the imposition of a fine on a public authority.
In total, we received 112 responses, with 110 responding to the online survey and two submitting responses by email. Of these:
- 44 respondents (39%) answered on behalf of a public sector organisation;
- 43 respondents (38%) answered as an individual;
- 5 respondents (5%) answered on behalf of a private sector organisation;
- 2 respondents (2%) answered on behalf of civil society organisations; and
- 11 respondents (10%) selected ‘other’.
Organisations in scope of the public sector approach
Overall, respondents broadly agreed with the proposed scope of the public sector approach, with more than three quarters (75%, 84 respondents) agreeing with our proposed definition. Around one in ten respondents disagreed with our proposed definition, and the remaining 14% (16 respondents) were unsure or did not provide a response.
Three respondents felt the scope of the public sector approach should be narrowed to exclude specific sectors such as health providers, parts of the NHS and ambulance services. Another response noted blurred boundaries between public, private, and voluntary sectors, urging a more nuanced definition.
Five respondents called for the scope of the public sector approach to be broadened to include additional sectors such as utility companies, charities and the third sector, scientific research organisations and “bodies providing a service in the public interest”.
ICO response
We expected responses to advocate for further organisations to be included in the scope of the public sector approach, particularly third sector organisations. While some of these organisations share the attributes of public authorities, particularly around the potential impact of a fine on their services, we did not receive any comments that would lead us to change the proposed scope, which is based on the definition of ‘public authorities’ and ‘public bodies’ under section 7 of the Data Protection Act 2018 (DPA 2018).
We also note that our existing Data Protection Fining Guidance ensures flexibility in issuing effective, proportionate and dissuasive fines, including considering an organisation’s financial position. Additionally, the consistency of aligning the scope with the definition in section 7 of the DPA 2018 provides regulatory certainty and will be clearly understood by organisations and by our staff who will be applying the public sector approach in their work.
Circumstances that may lead to a fine under the public sector approach
Almost two-thirds (63%, 70 respondents) agreed with our assessment of the types of circumstances that may constitute ‘egregious’ infringements and could lead to a fine under the public sector approach, while 26% of respondents did not agree. Eleven per cent did not respond or answered ‘don’t know’.
Nine respondents highlighted the need for additional clarity and guidance, beyond that set out in the consultation, on the circumstances that could be regarded as egregious and lead to a fine being issued. In particular, respondents called for:
- An explicit definition of negligence and further examples of what constitutes a “high degree of negligence”.
- Further guidance and details on appropriate thresholds for “significant harm”.
- Greater clarity on what constitutes relevant recent infringements.
One respondent noted that a more lenient approach should be adopted where breaches are caused by ‘human error’ rather than by an organisation’s internal controls or processes.
Two respondents also commented on the power balance between public authorities and individuals, who often have little choice whether to engage with these bodies and provide their data. Considering this power imbalance, one respondent requested that we explain “the decision to rule out an option that in specific egregious circumstances, it may sometimes be appropriate to fine public sector bodies the same as or more than private sector organisations.”
ICO response
The public sector approach is a guideline and is considered for each relevant case. The approach does not limit the Information Commissioner’s discretion to impose a fine or to determine its amount.
The feedback was valuable in helping us test if we got the balance right between being too prescriptive, which may require us to update our guidance repeatedly if circumstances change, and providing enough clarity to public sector organisations on how we define ‘egregious’. We believe that our proposed wording, which we note is not exhaustive, helps organisations understand what types of circumstances we would consider to be egregious and provides sufficient clarity to our staff.
Our enforcement action helps provide certainty by providing examples of what we have found to be, or not to be, egregious. We will continue work to ensure these are easily accessible, relevant and promoted to public sector organisations. For example, we changed our website retention policy, so enforcement decisions are available for six years. Additionally, our guidance often includes case studies and real-world examples.
While we understand the points raised about how human error and identical actions (for example, BCC breaches) can lead to different results, we believe organisations should be identifying risks and ensuring that, where the risk is higher, more mitigations, controls and staff training are in place.
We also understand that organisations may want more information on what might make previous infringements relevant. Our Data Protection Fining Guidance (paragraphs 82 to 85) provides information on relevant previous infringements, albeit not a detailed account on the types of infringement.
Other feedback
While the consultation was clear that the Information Commissioner intended to continue with the public sector approach, nine respondents who disagreed with the approach called for public authorities responsible for data breaches to face tougher enforcement, including more extensive use of fines. The main points raised by respondents included:
- Reputational damage from reprimands being insufficient in driving higher standards of data protection in the public sector; and
- The reduced threat of a fine undermining the case for data protection resources in public authorities.
Two respondents questioned how the public sector approach is legally supported by the UK GDPR, with one suggesting that the policy is inconsistent with Article 83(1) which they considered obliges the Commissioner to impose fines when read together with recital 148.
Other respondents offered suggestions on how the public sector approach could be amended, including:
- The ring-fencing of fines that would otherwise be issued to an organisation to cover the costs of putting in place improvements to data protection processes and procedures.
- Formalising public reprimands as formal enforcement tools in legislation and putting in place an accompanying appeals process.
- Publishing information alongside reprimands as to how the issue(s) identified have been addressed or improved by the specific organisation, or within the public sector more widely.
- Obtaining regular feedback from data protection officers and information governance teams in the public sector on whether they feel their organisations are properly addressing data privacy issues that have been raised.
- Adopting a ‘three strikes policy’ where a public authority that reports three significant breaches in an 18-month period would be issued with a fine.
- Requiring public authorities that have had a significant data breach to undergo an independent audit with results to be provided to the ICO.
- Having a panel of public sector practitioners that work for the ICO to support organisations in making improvements to data protection processes and procedures with learnings to the wider sector shared via case studies or template guidance and documents.
- Monitoring public sector organisations using a traffic light system to ensure data protection issues are addressed promptly.
ICO response
We welcome the debate about how to improve data protection standards in the public sector. The Information Commissioner believes that fining public authorities reduces funding for those organisations and adversely impacts services to the public. The Commissioner therefore considers that there is a strong justification for not fining public authorities except in the most egregious cases, and the Commissioner has a broad discretion as to how to exercise his enforcement powers, including determining the amount of any fine to be imposed. Additionally, our review of the two-year trial does not support the view that not fining public authorities is ineffective, and the review concluded the trial has had an impact, with some notable achievements, areas with more to do, unexpected challenges and unintended consequences.
We also welcome suggestions on how the public sector approach could be amended. Some of these suggestions are around our regulatory posture, while others are about how we can work more effectively with public authorities. For example, we believe that a ‘three strikes policy’ is already covered by our ‘relevant previous infringements’ provision within the definition of the circumstances that could lead to a fine. This is also covered in our Data Protection Fining Guidance. In relation to reprimands, they are a formal tool set out in Article 58(2) UK GDPR and include information about how an organisation has responded to the breach and recommendations for improvement. However, on other points, it’s unlikely that we would have the regulatory power to require an organisation to ring-fence the amount that they could have been fined. We will continue to explore whether these suggestions can be implemented as part of our work of improving data protection standards in the public sector.
Next steps
The public sector approach will continue with the further clarification on organisations in scope and the circumstances that may lead to a fine under the approach. These are set out on our website.