The UK’s data protection regulator is trialling a new approach to public bodies that eschews fines but demands improved standards and the sharing of lessons learned. PublicTechnology finds out more.
In the years, months and weeks that preceded the implementation of the General Data Protection Regulation, attention seemed to be largely focused on the question of how those who contravened the new law might be punished.
Which, the analysis and media coverage seemed to agree, would be severely, and squarely in the wallet.
When it came into effect five years ago, the legislation – a facsimile of which was, effectively, passed into UK law after Brexit – provided for organisations to be hit with fines of up to £17.5m or 4% of their global turnover. Which, in the case of Facebook or Google, for example, would respectively equate to about £3.8bn and £9.6bn.
In the latter case, this number is about 19,000 times higher than the flat figure of £500,000 that, until 2018, represented the maximum financial penalty that was available to the Information Commissioner’s Office.
Perhaps, then, it is no wonder that all the pre-GDPR headlines focused on the kind of astronomical sums the regulator would soon be able to demand from those that broke the rules.
What few expected was that the ICO would decide, in one important area of its work, to actually reduce the scale of the fines issued. And, in those cases, by approximately 100%.
But, in June 2022, commissioner John Edwards announced that the watchdog would be taking a “revised approach” to working with the public sector. The new model, which is now a little way past the halfway point of a two-year trial, focuses not on fines but on working with organisations to raise standards.
Since adopting this approach, the regulator has not imposed a single monetary penalty on a government body. But it has ramped up its use of formal public reprimands and, in many cases, these have been accompanied by media commentary reminding those being censured of their data-protection responsibilities, and the potential consequences of failing to meet them.
This was exemplified by a recent announcement in which the ICO warned about the potentially life-endangering impact of data breaches, as it revealed details of seven recent reprimands issued following incidents that had involved the personal information of domestic abuse victims. Among the organisations named and shamed were the Department for Work and Pensions and South Wales Police, joining a growing number of public bodies that have been reprimanded in the past 15 months or so.
Stephen Bonner, deputy commissioner for regulatory supervision at ICO – a role which includes overseeing enforcement activities – tells PublicTechnology that the aim of the new approach is to ensure effective deterrence, while not further punishing those impacted by the original offence.
“For commercial entities, fines are a very effective deterrent; if you have shareholders, if you have bonuses for senior executives based on their financial performance, then the incentive to avoid regulatory fines is built in,” he says. “But harming profits is not an effective deterrent within [the public sector]. So, we are much more interested in using tools within our toolkit that do impact those organisations – and particularly… the reprimand, which is drawing public attention. And we’ve definitely seen many organisations in the public sector arguing with strength and passion that the reprimand would harm trust – and that there is a consequence for them. So, we are comfortable that the aim of this experiment has been to see, for those that are not profit-seeking, can we use other tools in our toolbox that would be more effective at changing their behaviour?”
He adds: “For people in the market end of the economy, it’s the shareholders who suffer, rather than the customers – because they have freedom of choice to move to competitors if the price of that product goes up because they’re having to pay extra fines. But, if it’s service users of a public service, there’s a risk of fines further [impacting] the victims of the data breach.”
Bonner stresses that ‘experiment’ is the appropriate word to describe the initiative and that the ICO’s team are dedicated to being “good scientists” who, once the two-year trial has reached its conclusion, will study the evidence to ascertain the impact. And will not make an ultimate judgement on its success – or how its learnings may be carried forward – before then.
But he adds that the – anecdotal – evidence so far is that, without the spectre of financial losses looming over every mistake, organisations are less likely to take an approach of “how do we avoid the fine, rather than how do we get to a good outcome?”.
“It also shows we understand the pressures they’re under and recognise that funding may be very tight, and therefore things that might impact on that funding further may not be the most effective use of resources,” Bonner says. “Instead: can we get them to the outcome that they need? And can they then help others to do that? Because it’s not just cooperation with us – it’s cooperation with the ecosystem, to raise standards everywhere. That is vital. And cover-ups don’t help anyone.”
Such cooperation is now supported by various groups of public sector leaders – including one made up of various Whitehall senior managers – that have been created to help define and perpetuate “data protection practices that are fit for the future – across the public sector”.
“There’s an interest in getting this right and making sure that lessons are learned,” Bonner adds. “And we’ve seen as we’ve taken people through reprimands, they’ve made sure their outcomes are shared into these kinds of bodies. We have some convening power – but we also recognise that some groups would be more apt to talk about things without us in the room. And we’re OK with that.”
To BCC or not to BCC
Among the most pressing lessons that many public sector organisations – particularly smaller entities – may still need to learn is not to use the ‘BCC’ function of their email application which, according to Bonner, has been the cause of more than 1,000 data breaches logged by the ICO. This is particularly important for messages concerning the provision of public services related to domestic abuse, or care for various health conditions.
The ICO enforcement chief says: “It’s one that can – at very low cost by just using mail merge, rather than BCC – be engineered out. That capability is included in the main email packages… so, that is one that we hope soon to see disappear. Because it is avoidable, and the consequences can be quite horrific.”
While no fines have been issued to public bodies since the new approach was implemented, the regulator has not completely precluded financial enforcement, but will seek to limit its use to penalising the “most egregious” breaches – which are liable to include incidents that might pose a risk to life or constitute those “stepping over not even into negligence, but into willful non-compliance”.
Nevertheless – and as evidenced by a blog written by commissioner Edwards late last year declaring that the ICO is “not going easy on government” – the data watchdog’s new approach to the public sector is going up against a school of thought that inherently “equates big fines with being regulated”, according to Bonner.
“And, if there are fewer big fines, that must mean [organisations] are not getting as regulated. But I absolutely reject that,” he says. “It makes a great soundbite, to have harsher penalties. But, actually reflecting on why these things happen, it is very, very rare that an organisation goes: ‘You know what? We’re going to leak all this data. And we’re not that bothered about [it]… we can budget for the fines [as a] cost of doing business, and we’ll carry on doing that’.”
He adds: “Having sat on the boards of organisations, that isn’t how those decisions are made.”
When asked how the effect of the ICO’s new-look approach to government could be measured, Bonner reinforces the importance of enabling and ensuring better decisions. The success of the strategy can be measured in “outputs and outcomes”, he says.
“If organisations understand the risks they face, they make better risk decisions,” he adds. “Many of the choices people have made that have led to these incidents were generally not a [case of]: ‘We don’t care about users, we’re going to just do this – and they’re going to suffer, but it will let us achieve what we want to do’.
“They have a misguided conception of the risks they’re facing that is, unfortunately, inaccurate. So, one of the outputs we expect is greater sharing, and greater knowledge, with the public sector coming together to share experiences and learn from the mistakes of others, so they don’t have to be repeated… then the outcome of that, we hope, is that it leads to a reduction in harm.”