RISK

NEWS

ICO reduces public sector fines for data breaches

5 Jul 2022

The Information Commissioner’s Office (ICO) has set out a revised approach to working more effectively with public authorities, including reducing the level of fines.

The approach, outlined in an open letter from the UK Information Commissioner John Edwards to public authorities, will see use of the Commissioner’s discretion to reduce the impact of fines on the public sector, coupled with better engagement including publicising lessons learned and sharing good practice. It will be trialled over the next two years.

In practice, this will mean an increased use of the ICO’s wider powers, including warnings, reprimands and enforcement notices, with fines only issued in the most serious cases.

When a fine is considered, the decision notice will give an indication on the amount of the fine the case would have attracted. This will provide information to the wider economy about the levels of penalty others can expect from similar conduct. Additionally, the ICO will work more closely with the public sector to encourage compliance with data protection law and prevent harms before they happen.

In support of this approach, the ICO has received a commitment from the UK Government, specifically from the Cabinet Office and the Department for Digital, Culture, Media and Sport, to create a cross-Whitehall senior leadership group to encourage compliance with high data protection standards.

In light of this change, the ICO has issued a reduced fine of £78,400 to Tavistock and Portman NHS Foundation Trust for disclosing 1,781 email addresses belonging to adult gender identity patients. The 2019 breach happened because the trust failed to use the ‘Bcc’ field and, within 30 minutes of the mailing, a screenshot of the email was shared on social media including the email addresses of some of the people affected.

The original fine was £784,800.

Another recent ICO enforcement action includes a reprimand issued to NHS Blood and Transplant Service, after it inadvertently released untested development code into a live system for matching transplant list patients with donated organs in August 2019. This error led to five adult patients on the non-urgent transplant list not being offered transplant livers at the earliest possible opportunity. The organisation remedied the error within a week, and none of the patients involved experienced any harm as a result.

If the revised approach had not been in place, NHS Blood and Transplant would have received a fine of £749,856. The Information Commissioner exercised its discretion to reduce the proposed fine to a public reprimand.

John Edwards, UK Information Commissioner, said:

“I want to ensure my office remains a pragmatic, proportionate and effective regulator focused on making a difference to people’s lives. That means taking a more proactive and targeted approach with public authorities to ensure they are looking after people’s information while supporting their communities.

“In the case of Tavistock and Portman NHS Foundation Trust, the breach revealed much more than people’s email addresses. Knowing about someone’s relationship with a gender identity clinic could be hugely dangerous and damaging to the patients’ well-being and personal safety. The trust also failed to learn from previous incidents.

“The NHS Blood and Transplant Service already had good data protection policies and systems in place, but a single human error that went undetected contributed to an incident that could have caused potential harm to people on the non-urgent transplant list.

“My office worked with both organisations to improve their data protection standards and practices. We used different enforcement tools but, crucially, both resulted in changes that better protect the public.”

For businesses in the private sector, both online and paper-based data breaches can result in hefty fines – up to 4% of annual turnover by the UK’s GDPR. In certain cases, prison sentences can be imposed.