Thanks for having me here today.
I enjoy speaking to groups of ordinary citizens, and bringing to life this arcane and technical world of data protection, freedom of information and privacy by using real world examples they can relate to.
The greatest compliment I get is when someone says afterwards “I was expecting a talk about data protection to be really boring, but I didn’t realise how relevant it was to my life!”
You, however, are not ordinary citizens. You get the boring and technical. Or rather you *get* the boring and technical.
And I know you thrive on it.
So I am going to break all my normal rules of public speaking. I am going to assume a high degree of knowledge. I am going to use jargon. I am going to use acronyms. And you are going to love it!
I want to lay out for you my thinking on regulating for outcomes, the range of regulatory tools available to me, and how and when we should use those different tools. In other words, I’m going to talk about my regulatory, and enforcement philosophy.
We’re changing our approach to how we deal with the public sector – you might have seen our recent reprimand to the Department for Education, which is an example of this changed approach. Under the old rules, this could have been a £10m fine. Some commentators have suggested this might be a sign of weakness, or us ‘going easy’ on government.
It’s not.
First things first. You might have seen my “Why don’t you enforce?” tweets. For a time I would retweet every @ICONews tweet about a PECR fine or prosecution or a UK GDPR penalty with the commonly levied criticism as a quote tweet.
It winds up that portion of the commentariat, but there’s a serious message here. Every time someone criticises the ICO for “not enforcing” the UK GDPR, that accusation is heavily laden with an assumption, an incorrect assumption, in my view, of what enforcement is.
The first law book I had to buy when I started studying in 1984 was the fifth edition of the Concise Oxford Dictionary, so let’s start there.
Actually let’s not – I left my copy in New Zealand, and anyway it’s 2022, so let’s look online.
Here’s the definition:
“the act of compelling observance of or compliance with a law, rule, or obligation.”
Article 58(2) of the GDPR lists the Commissioner’s “corrective powers”, and yes, fines are in there. They’re 58(2)(i), in a list that runs from (a) “warnings”, past (b), “reprimands”, through (c) “compliance orders”, and so on through limitation orders, erasure of data and suspension of data flows.
There’s nothing in the law or in contemporary regulatory theory that says that enforcement must equal fines. Enforcement happens across a spectrum. Rather than being one thing, it’s a series of graduated responses to non-compliance.
Let’s go back to the DfE case. There we worked closely with them on remedial action after the breach was discovered. By the time we got to the end of our investigation, the DfE had taken all of the necessary steps to ensure a breach of this scale should never happen again.
Going to the next step, and issuing an enforcement notice in this case wasn’t necessary or appropriate because it would have simply told the DfE to do what they had already done. Working through the scale of responses described in Article 58, it made sense to stop at the reprimand.
But I’m describing two things at once here. Fines are only one of a number of enforcement tools available to us. We need to be regulating for outcomes, not outputs. The number or quantum of fines is not the measure of our success or failure, nor of our impact. Getting better outcomes, and sharing those stories with the wider economy, can have a much greater effect on the lives and rights of the people of the UK than a fine might. That’s my regulatory philosophy, and I’m sticking to it.
The second thing is the change in approach to public authorities. I reviewed our position after I received a recommendation to fine an NHS trust, and asked about the funding model. That fine would have come directly from the money available to that service to deliver services to the victims of the UK GDPR non-compliance. We would further punish the very victims whose rights we are there to uphold.
We looked wider.
In central Government, fines create a ‘money-go-round’, moving funds from one department to the Treasury and then to the consolidated account. It’s not effective and can have the opposite effect to what we want. There’s very little evidence that fines on their own produce better outcomes for the people we’re protecting, and even less evidence to support the view that fines are a good way of improving compliance and data protection practices in public authorities.
Last year, my predecessor issued a fine of £500,000 to the Cabinet Office for the 2019 New Year’s Honours data breach. The Cabinet Office appealed. In light of our changed approach to monetary penalties in the public sector, and the economic and fiscal crisis, I decided to settle that matter and we substituted a reduced fine of £50,000.
My job is to make sure we’re working in the areas that will have the greatest impact. This doesn’t mean always reaching for the most flashy, headline-grabbing action that comes after the fact; sometimes it’s that behind-the-scenes work, the guidance and advice that we can offer businesses to encourage compliance and to help their understanding of the law and their obligations under it.
Monetary penalties remain an important regulatory tool, and we will use them in the instances where they are truly needed – for the breaches which cause or have the potential to cause the most harm to people, or where a business has profited from its non-compliance.
For example, we recently fined Easylife, a catalogue retailer, £130,000 for making predatory marketing calls. That’s our bread and butter, our usual enforcement – people are used to us taking action on nuisance calls. What’s not as usual is us also fining Easylife £1.35m under the UK GDPR for profiling their customers before illegally calling them. The company were making assumptions about people’s lives – their health and any medical conditions they had – and then targeting them with products linked to those conditions without consent. That’s an unacceptable use of some of people’s most sensitive information, and that’s when we take action.
Whatever regulatory action we take, whether it is a reprimand or a fine, its value goes far beyond the individual organisation. Every regulatory action must be a lesson learned by the rest of the economy and play a role in behaviour change.
Our website says that reprimands will not usually be published. That changes now. We will publish all reprimands going forward, including reprimands issued from January 2022 onwards, unless there is a good reason not to.
There are a few reasons for this, which I’ll set out below.
Firstly, it’s about accountability. Members of the public, and those affected by a breach or infringement are entitled to know that we’ve held the business or organisation to account, and that they’ve changed their practices as a result.
Secondly, the rest of the economy needs to know what’s happened, why it infringed the UK GDPR or another law, and what we did about it. In line with the revised public sector approach, when a fine was considered but we issued a reprimand to a public authority, we will give an indication of the amount of the fine. By saying that we would have fined DfE £10 million under our previous system, we are signalling a “tariff” to those who might be thinking about taking a shortcut to save money on compliance. This shows that, in their case, it might well be a false economy.
The next part of my regulatory philosophy involves providing certainty. That’s what I came here to do, and that’s what I want organisations across the UK to feel when they’re dealing with people’s personal information.
They should have certainty in what the law requires from them.
We, as the regulator, expect them to treat people’s information with care and respect, and to not use it in ways that people wouldn’t expect.
We also want to have a predictable approach to enforcement, as I touched on before – by publicising and explaining our enforcement action, organisations won’t be able to rely on the ‘I didn’t know any better’ defence. Our approach to enforcement should not be a surprise, either to other organisations or to the public. Certainty breeds trust.
This certainty applies to the public, too; by being transparent about what the law requires, and when we’ll take action, it helps the public to feel more informed and more in control of their data, and to be able to call out bad actors and bad practice when they see it by reporting it to us.
Coupled with that certainty is the idea of flexibility. If organisations know what to expect from the law and from us, they know the parameters within which they can innovate and improve their products or services, whilst still remaining compliant. Flexibility breeds confidence. Confidence breeds innovation.
And we’re helping with that innovation – our recent Sandbox projects include a digital-ID centred online platform which enables ex-service personnel to share their information safely to access support with housing and employment. We’re also working with a company to develop age estimation technology to support the creation of children-only services.
We’re also in the process of launching a new advice service for innovators. This stems directly from feedback I heard about providing that certainty I spoke about at an early stage. Early support around new business models, products and services will encourage investment from organisations and raise standards. Our advice service will offer direct, fast-paced answers and support to those looking to move quickly and innovate within the guardrails of the law. This will do more to improve outcomes for the consumers of those services than aggressive regulatory action after the fact would, after the harm has been done.
I should comment briefly on our freedom of information role. The FOI caseload is stretched to breaking point right across the public sector. We had large backlogs and people were waiting months for responses to their requests, which wasn’t good enough. Limited funding, an increase in FOI cases and an increased need to support stretched public authorities created ‘a perfect storm’.
So, we’re making changes where we can.
A couple of weeks ago we launched a consultation explaining how we propose to prioritise and fast-track FOI and EIR appeals going forward. Put simply, those appeals where there is a clear public interest in the information in question – whether that’s a high-profile or new issue, a requester whose work supports vulnerable people or a request that would have operational benefits – will be prioritised by the team. We want to know what you think about this new approach, so definitely take a look at the consultation and let us know.
This consultation is an early delivery against our new three-year strategy, which is called ICO25. It’s ambitious, but something that I fully believe in. It’s informed by the views of those smart people I surround myself with, both in the office, and in the data protection and freedom of information community. It’s informed by what you told me, where you were candid and fiercely honest about what works and what didn’t. And it’s informed by our desire to empower people – both members of the public and businesses across the UK.
We help businesses to help people. And part of that will come from people knowing that we exist.
We commissioned some public research work recently that showed that awareness of the ICO and the work we do is fairly low compared to other regulators. We know that we need to improve here – we need to shout louder about our achievements, be more visible, listen more and act on people’s behalf. And that is what ICO25 is all about.
So, a recommendation from me: read ICO25. It may not be a riveting page-turner but it’s important. It shows you the direction of travel for the ICO for the next three years, and it shows you how we’re going to get there. It shows you the importance of people to our work, and it shows you how we’re working to empower them through information.
Thank you.