John Edwards, UK Information Commissioner, on the public sector approach:
Two years ago, I set out my vision of working more effectively with public authorities across the UK so they could better protect people’s information, while transforming public services and improving outcomes for their communities.
I introduced a two-year trial of an approach where we would work proactively with senior leaders across the public sector to encourage data protection compliance, prevent harms before they occur and learn lessons when things have gone wrong. I wanted my office to be part of the conversations early on, instead of being on the outside looking in.
The trial would also see a greater use of my discretion when it came to fines. In practice, that meant we would increase the use of my wider powers, including warnings, reprimands and enforcement notices, with fines only issued when necessary. That’s so victims of a data breach are not being punished twice in the form of reduced budgets for vital public services.
As the trial progressed, I have been conscious of the diversity of opinion on the approach and its impact. That’s why it was important that we reviewed the trial to gain insight into the outcomes and learn from it before deciding on next steps.
Impact of the public sector approach
Published today, the review of the two-year trial shows the public sector approach has had an impact, with some notable achievements, areas with more to do, unexpected challenges and unintended consequences.
There is clear evidence from the review of how regulation happens across a spectrum, backed up by policy theory but also different approaches taken by international data protection authorities. Rather than being one definitive action, regulation is a series of activities such as guidance, engagement, public campaigning and enforcement, which can work together to drive change. Fines have their place, but so do other ways of regulating. Different incentives and disincentives work in different ways in different sectors of the economy.
During the trial period we decided to start publishing reprimands on our website, with around 60 reprimands issued to public bodies. We've seen significant changes made by organisations following a reprimand. These range from a local council updating its procedures to prevent inappropriate disclosure of children’s information and an NHS Trust stopping sending bulk emails with sensitive information, to an advisory body improving its security measures to prevent unlawful access and a hospital implementing a decommissioning policy so personal details wouldn’t be lost when filing systems were terminated.
Feedback from the review said that public authorities saw the publication of reprimands as an effective deterrent, mainly due to reputational damage and potential impact on public trust, and because they can be used to capture the attention of senior leaders. Central government departments cited increased engagement and positive changes on the back of reprimands, particularly through our regular interaction with the government’s Chief Operating Officers Network. But wider public sector organisations displayed limited awareness, which means we must do more to share best practice and lessons learned.
While reprimands had an impact, we also used our other regulatory tools when needed, such as issuing an enforcement notice to the Home Office and fining the Ministry of Defence and the Police Service of Northern Ireland for breaking data protection law. If the public sector approach had not been applied, the fines could have reached £23.2m, instead of £1.2m. The review showed that central government and the wider public sector echoed the sentiment around the impact of fines on frontline services, and how they disproportionately affect the budgets of smaller organisations and devolved administrations.
The review also highlighted potential areas for improvement, specifically how we should make clearer which organisations fall within the scope of the public sector approach and what type of infringements could lead to a fine. It also showed there is more work to be done to reach wider public sector organisations and deliver targeted interventions.
You can read the full review report here.
Next steps
Reflecting on the past two years and based on the evidence from the review, I have decided to continue with the public sector approach. But I have also listened to the feedback and will provide greater clarity on its parameters.
That’s why I’m launching a consultation on the scope of the approach and the factors and circumstances that would make it appropriate to issue a fine to a public authority. You can read more about it and respond to our consultation on our website by 31 January 2025. We will use the input received to inform and finalise our approach.
I’m also committed to improving our engagement beyond central government and to ensuring that senior leaders are taking accountability for their role in achieving greater data protection compliance. I expect to see more investment of time and resources in protecting people’s information, and I have been assured by the Permanent Secretary of DSIT, on behalf of Whitehall leaders, that they are committed to continuing our engagement on the approach.
As we have done with the trial, we will keep the public sector approach under review, and I will reconsider it if necessary.