Dear public sector colleagues,
The role of UK Information Commissioner comes with responsibilities, powers, and discretions. Since starting my role in January, I have been touring the UK listening to businesses, organisations and the public about their expectations of me and my office. These conversations have informed my early views on how I can ensure the Information Commissioner’s Office (ICO) remains a pragmatic, proportionate and effective regulator focused on making a difference to people’s lives.
Based on my experience as a regulator, informed by what I have seen and heard since taking up my post in January, I am today setting out a revised approach to working more effectively with public authorities across the UK to empower you to look after people’s information, while supporting you to transform public services and improve the lives of the people you serve.
Raising data protection standards
The revised approach will include working proactively with senior leaders across the public sector to encourage compliance, prevent harms before they occur and learn lessons when things have gone wrong. To achieve this, we must work in partnership to address the underlying issues that continue to result in avoidable data breaches on an all too regular basis. Whether it’s due to not following a data protection by design approach on the development of new services, or something as simple as not having processes in place to stop sensitive information being sent to the wrong recipient – many of these issues are all too common.
We will still call out non-compliance and take robust enforcement action where necessary, but in future our primary focus will be on raising data protection standards across the board and preventing harms from occurring in the first place.
But we cannot do this on our own. There must be accountability to deliver these improvements on all sides.
The National Data Strategy already proposes a joined up and strategic approach to the use of data across government. Building on this work, I received a commitment from the UK Government, specifically from the Cabinet Office and the Department for Digital, Culture, Media and Sport, to create a cross-Whitehall senior leadership group to encourage compliance with high data protection standards. High standards that address these underlying issues mentioned and raise the bar even higher when it comes to the way public authorities use and handle people’s information. We will be having discussions with colleagues in the UK Government and exploring similar in the Devolved Administrations, as well as the wider public sector, over the next few weeks to determine the most effective way to deliver these improvements.
This approach of raising data protection standards is just one of the initiatives I will be setting out in the coming weeks as part of ICO25 – the ICO’s new three-year strategic vision – to empower organisations to innovate while using people’s data responsibly.
Enforcing the law
While I want to adopt a more proactive approach with public authorities to raise data protection standards, I also have a responsibility as a regulator to enforce the law around compliance issues that continue to happen. The powers I hold are there to act as a remedy and deterrent to data breaches, not, as is often thought, to act only as a punishment.
I am not convinced large fines on their own are as effective a deterrent within the public sector. They do not impact shareholders or individual directors in the same way as they do in the private sector but come directly from the budget for the provision of services. The impact of a public sector fine is also often visited upon the victims of the breach, in the form of reduced budgets for vital services, not the perpetrators. In effect, people affected by a breach get punished twice.
I am therefore writing to you today to confirm that for the next two years the ICO will also be trialling an approach that will see a greater use of my discretion to reduce the impact of fines on the public. In practice this will mean an increase in public reprimands and the use of my wider powers, including enforcement notices, with fines only issued in the most egregious cases. However, the ICO will continue to investigate data breaches in the same way and will follow up with organisations to ensure the required improvements are made. We will also do more to publicise these cases, sharing the value of the fine that would have been levied, so there is wider learning.
But this is not a one-way street. In return, I expect to see greater engagement from the public sector, including senior leaders, with our data protection agenda. I also expect to see investment of time, money and resources in ensuring data protection practices remain fit for the future. This is a two-year trial and, if I do not see the improvements that I hope to see, then I will look again.
I hope that this change will enable the ICO to be more agile and that by communicating this change at an early stage, I am giving you more certainty about what you can expect from my office.
John Edwards
UK Information Commissioner