In June 2022, the Information Commissioner published an open letter to public sector leaders, where he announced a two-year trial of a revised approach to working more effectively with public authorities across the UK.
We refer to this as the ‘public sector approach’, which saw the use of the Commissioner’s discretion to reduce the impact of fines on public bodies and aimed at improving data protection standards in this sector through guidance and proactive engagement.
We reviewed the two-year trial and published our findings report, which presents evidence on impact and learning from the trial to inform our future decisions on regulating public sector organisations. The review also identified that the scope and parameters of the public sector approach could be articulated more clearly.
Based on the findings, we are now inviting all stakeholders who may have an interest in our approach to help inform some proposed updates to the public sector approach.
In the meantime, we will continue to apply the approach outlined by the Commissioner in his June 2022 open letter.
Proposed updates to the public sector approach
The Commissioner intends to continue with the public sector approach as a standard part of our overall regulatory approach. Although the aims of the approach remain the same, we intend to adjust it in line with the learnings from the trial period and the responses and input received from this consultation.
We want to provide greater clarity to organisations on how the public sector approach should be applied, and we have identified two areas where stakeholders have asked for further guidance. We are seeking views on:
1) Organisations in scope of the public sector approach
We recognise that the term ‘public sector’ is broad in scope and is open to interpretation. To provide certainty to organisations in understanding if they fall under the scope of the public sector approach, we will use the definition of ‘public authorities’ and ‘public bodies’ under section 7 of the Data Protection Act 2018 (DPA 2018).
We also recognise that there are organisations in the wider not-for-profit sector, such as charities and social enterprises, and other public bodies such as parish councils, which are not public authorities for the purposes of the DPA 2018 but whose services might be similarly impacted by a fine. Our Data Protection Fining Guidance explains how we take these factors into account when setting an appropriate fine.
2) Circumstances that will lead to a fine under the public sector approach
We will only issue a fine to a public authority in the most egregious cases, that is where the infringements are especially serious.
Our Data Protection Fining Guidance sets out the legal framework and explains how we decide to issue penalties and calculate fines. This includes whether the imposition of a fine would be effective, proportionate and dissuasive; the nature and gravity of the infringement, including any actual or potential harm suffered by the victims of the infringement; and any mitigating actions taken by the organisation to limit damage suffered by people. This assessment takes into account whether the controller or processor is a public authority.
If the Commissioner decides to issue a monetary penalty notice, the fine amount will be calculated by applying the five-step approach set out in the guidance. In particular, the fact that an organisation is a public authority is relevant to the assessment of the nature of the processing, to the maximum amount of the fine, and to the financial position used to assess the fine’s starting point. Taking these considerations into account ensures a consistent approach for public authorities.
When considering whether, in all the circumstances of a case, the infringement by a public authority is egregious and warrants a fine, the Commissioner will take into account the seriousness of the infringements, any relevant aggravating or mitigating factors, as well as the overarching requirement to ensure the fine is effective, proportionate and dissuasive.
While not intended to be an exhaustive list, the following may be illustrative of the types of cases which would be considered to be egregious:
- Actual or potential harm to people: this could be physical or bodily harm, psychological harm, economic or financial harm, discrimination, reputational harm or loss of human dignity. For example, evidence of:
  - a high risk of actual or potential harm to affected people or their family members, including a threat to life following a data breach;
  - actual or potential distress or loss of dignity as a result of illegal monitoring of people; and
  - actual or potential discrimination or bias arising from automated decision-making.
- Intentional or negligent character of the infringement, where there is evidence of intent on the part of the controller or a high degree of negligence; and
- Relevant previous infringements, or recent infringements, by the controller or processor.
Where the Commissioner is satisfied that an infringement by a public authority is egregious and therefore warrants the imposition of a fine, the fine will be calculated using the Data Protection Fining Guidance while ensuring the level of the fine is consistent with the public sector approach.
Consultation
We are consulting on the above updates, as well as on the application and effect of the public sector approach to date, to inform and finalise our approach.
In particular, we want to hear views on:
- the definition of those organisations that will fall within scope of the public sector approach; and
- the circumstances of an infringement that is likely to be regarded as egregious, leading to the issuing of a fine to a public authority.
Please respond to this consultation using this online survey by 31 January 2025.
Following the consultation, we will publish our final public sector approach posture.
Privacy statement
For this consultation we may publish a summary of the responses but will remove any personal data before publication. We will not publish responses from individuals. For more information about what we do with personal data please see our privacy notice.