The Information Commissioner’s Office (ICO) approach of only fining public sector organisations “in the most serious cases” is under fire from privacy campaigners at Open Rights Group (ORG), who say there is an “urgent need” to test the regulator’s claims that fines don’t act as an effective deterrent for public sector bodies.
The campaigners say the ICO’s approach of limiting fines to public sector bodies for only the most serious data protection issues is “not working”, as problems often persist well after other, less severe enforcement actions have been taken.
“In an increasingly digital world, data protection is vital for our personal security. The ICO’s reluctance to take enforcement action, alongside its policy of not fining public sector organisations where needed, is not working,” said ORG chief executive Jim Killock.
“As we see the development of AI technology and its increased use by public sector organisations, we need strong data protection laws and a strong regulator who will act as the first line of defence for the British public.”
In July 2022, the ICO adopted a “revised” two-year trial approach to working with public authorities, with commissioner John Edwards arguing in an open letter that fines are ineffective in ensuring data protection compliance because they indirectly punish the victims of data breaches “in the form of reduced budgets for essential services”.
In July 2024, the ICO then published its Annual report and financial statements for the 2023-24 financial year, in which the data regulator reviews its performance over that period. It shows where the ICO has investigated public and private bodies, and the proportion of those investigations that have resulted in reprimands, enforcement notices (which obligate recipients to change their data practices), or fines.
In terms of its actions against public sector bodies for data protection breaches, the ICO issued one fine (to the Ministry of Defence over a data leak that exposed the identities of 245 Afghans), two enforcement notices (one relating to the loss of control of child abuse case files at the Crown Prosecution Service, and another against the Home Office for its GPS tagging of refugees), and 28 reprimands.
Examples of these reprimands include one for Thames Valley Police for disclosing a witness’s address to suspected criminals, which forced the person to move home; one for the University Hospital of Derby and Burton NHS Trust for failing to process outpatient data in a timely fashion, which delayed medical treatment for some patients by up to two years; and one for West Midlands Police over a number of incidents where data mix-ups meant officers attended the wrong addresses.
Other cases include two reprimands for the Ministry of Justice, one over the disclosure of adoption details against court directions, and another for leaving four bags of confidential waste in an unsecured holding area in a prison, which both prisoners and staff had access to.
Given the number of reprimands handed out for clearly harmful data practices, compared with the low number of fines and enforcement notices, ORG is therefore calling on the ICO to use its full powers against public sector organisations, including enforcement notices and fines where necessary.
Computer Weekly contacted the ICO about ORG’s analysis and arguments, and was directed to an ICO statement on its public sector approach from June 2024.
“While we have continued to issue fines to public bodies where appropriate, we have also been using our other regulatory tools to ensure people’s information is handled appropriately and money isn’t diverted away from where it’s needed the most,” it said.
“We will now review the two-year trial before making a decision on the public sector approach in the autumn. In the meantime, we will continue to apply this approach to our regulatory actions in relation to public sector organisations.”
On 20 November 2022, in reference to the ICO’s private sector enforcement, information commissioner John Edwards told The Times that the large financial penalties often issued by European regulators tend to lead to lengthy legal battles, which can drain regulators’ resources and ultimately weaken their ability to bring about meaningful change.
“I don’t believe that the quantum or quantity of fines is a proxy for impact,” he said. “You know, they get lots of headlines. It’s easy to compile league tables, but I really don’t believe that approach is necessarily the one that has the greatest impact.”
He added that the ICO prefers to engage with companies to encourage compliance rather than issue fines worth hundreds of millions of pounds.
‘Reprimands not good enough’
According to an ORG analysis of the ICO’s latest annual report, the instances of enforcement action that have taken place show the gravity of the public sector’s data mispractice, and there is little evidence that reprimands lead to real change despite the increased reliance on them.
“The ICO should use the full range of its enforcement powers in the public sector – until and unless it can show alternative approaches lead to a substantial improvement in data protection compliance,” said ORG in one of its recommendations for the ICO.
It added that the regulator should publish “all evidence resulting from the two-year ‘public sector approach trial’ where public sector organisations have only been fined as a last resort”, and that this should be followed up by an externally conducted independent audit to validate the findings.
ORG further added that there should be amendments to the new Labour government’s proposed Data Use and Access Bill (DUAB), so that the ICO is banned from issuing more than one reprimand to an organisation: “Any subsequent breaches should lead to an escalation of action – not further ‘final reprimands’ that both undermine the basis of the initial reprimand and have little impact on behaviour.”
The DUAB should further be amended to require the ICO to publish a league table of public sector bodies’ subject access request (SAR) performance, so that organisations which consistently fail to respond within the statutory time frame can be prioritised for enforcement action.
“SARs are an important vehicle for ensuring individuals’ privacy and safety,” it said. “Since 2018, however, the ICO has also been trying to get three authorities to deal with their SAR backlogs without success. This year, six years after the problem first became apparent, Plymouth City Council, Devon and Cornwall Police and Dorset Police were each sent a ‘final reprimand’.”
This year marks the first time the number of reprimands has been published by the ICO in an annual report, which it committed to doing in December 2022 after a freedom of information request from Jon Baines – a senior data protection specialist at law firm Mishcon de Reya – revealed the regulator had failed to disclose the majority of the 42 reprimands it had issued to public sector bodies between May 2018 and November 2021.
A follow-up freedom of information request from Baines in June 2022 found a further 15 reprimands since November 2021 that had not been publicly disclosed up to that point.