On 30 June 2022, the Information Commissioner’s Office (ICO) set out its revised approach to working more effectively with public authorities, which will be trialled over the next two years. The approach was outlined in an open letter from the UK Information Commissioner John Edwards to public authorities and is one of the initiatives forming part of ICO25 – the ICO’s new three-year strategic vision to empower organisations without compromising the responsible use of people’s data.
Underpinning the changes aimed at raising data protection standards is a collaborative and proactive attitude to encouraging compliance with data protection regimes, preventing harm occurring, and learning from previous mistakes.
What will enforcement look like for public sector organisations?
In his open letter, the Information Commissioner explained that enforcing the law around compliance will involve a greater use of the Commissioner’s discretion to reduce the impact of fines on the public sector. In doing so, the ICO will lean on its wider powers including warnings, public reprimands and enforcement notices. Fines will be reserved for the most serious cases. However, the UK Information Commissioner was keen to reiterate that his powers served to “act as a remedy and deterrent to data breaches, not, as is often thought, to act only as a punishment.”
Separately, the ICO will continue to investigate data breaches and engage with offending organisations to ensure that any necessary improvements are made. More effort will also be made to publicise such cases, and the value of the fine that would have been levied, to raise wider awareness among other organisations.
The response from the UK government
The UK government has demonstrated its support for the revised approach in the form of a commitment from the Cabinet Office and the Department for Digital, Culture, Media and Sport to create a cross-Whitehall senior leadership group aimed at encouraging compliance with high data protection standards. The ICO will also engage with the Devolved Administrations and the wider public sector to determine the most effective way to deliver the relevant improvements.
If you'd like to discuss in more detail, please contact Lucy Pegler, Olivia Ward or another member of our data protection team.
Written by Pooja Bokhiria and Olivia Ward
“I want to ensure my office remains a pragmatic, proportionate and effective regulator focused on making a difference to people’s lives. That means taking a more proactive and targeted approach with public authorities to ensure they are looking after people’s information while supporting their communities.” John Edwards, UK Information Commissioner