What are the enforcement options currently available to the ICO?
The current ICO enforcement toolbox includes prosecutions, monetary penalties, enforcement notices requiring ICO prescribed action, and reprimands. Since January 2020, 152 enforcement actions have been taken by the ICO comprising 61 monetary penalties (the largest category of enforcement action), 45 reprimands, 43 enforcement notices and three prosecutions. The top three sectors in which enforcement action was taken were marketing, finance insurance & credit, and retail & manufacturing. However, the ICO’s approach to enforcement action has undergone recent change.
A change in approach
In a keynote speech to the National Association of Data Protection Officers’ annual conference in November 2022, the Information Commissioner – John Edwards – set out the ICO’s new strategic approach to enforcement, in particular relating to the public sector. This new approach focuses on:
- outcomes rather than outputs – the emphasis being on good results for the public rather than big financial penalties on organisations;
- a change in the approach to Monetary Penalty Notices (MPNs) for public authorities – seeking to avoid MPNs and the “money-go-round” of public funds; and
- a switch to reprimands – noting that damage to reputation and public impression can have a much bigger influence than imposing financial penalties, in particular as reprimands are now publishable (since January 2022) and cannot be appealed to the First Tier Tribunal unlike the ICO’s decision notices.
In his speech, the Commissioner explained how the definition of enforcement is a graduated response in respect of non-compliance rather than an automatic association between enforcement and fines. The Commissioner gave the example of the Department for Education detailed below where, under the old system of enforcement, the fine could have been in the region of £10 million. The Commissioner explained however, that enforcement action was based on the principles of accountability, transparency, certainty, predictability and flexibility so that organisations using personal data know what the law expects of them, how they can use personal data in terms of innovation and service or product delivery whilst remaining compliant and what will happen if they don’t comply with the law.
Examples of recent action by the ICO under the new approach
This change in approach is demonstrated by only one MPN for a public authority being issued by the ICO since January 2020. The MPN concerned was for an NHS Trust in the sum of £78,400 for sending bulk emails to over 1,000 gender identity clinic service users and highlighted the Trust’s serious failure to comply with data protection legislation.
However, it should be noted that MPNs and enforcement notices are still very much in use by the ICO for the most serious breaches of data protection law and the Commissioner explained that these will still be used where they are “truly needed”. You might have read about the recent ICO fine imposed on TikTok in the sum of £12.7m regarding children’s data on their platform and insufficient checks and balances as to the ages of the children concerned making use of the platform. In 2020, the ICO required Experian to contact every one of the individuals affected by the invisible profiling which the ICO alleged was taking place on a large scale.
A total of 45 reprimands have been issued by the ICO since January 2020 across the spectrum of private and public sector organisations, including:
- Government departments – such as the Ministry of Justice for bags of confidential waste found in an unsecured holding area in a prison and the Department of Education for failures in security allowing third party access to its database and processing of personal data including that of children, held by the DfE, without appropriate control of oversight or transparency as to the purposes for the processing by those third parties.
- Private companies – such as Virgin Media Limited – who received 9,500 Subject Access Requests (SAR) over a six-month period in 2021, 14% of which were not responded to within the statutory timeframe, and the Chartered Institute for Securities & Investment following the exploitation of a known vulnerability in the Institute’s software to leverage a cyber-attack in which malicious code was uploaded to the Institute’s website, capturing payment details of around 3,800 data subjects and other personal data such as names and email addresses.
- The NHS – including for the Blood and Transplant service for inadvertently releasing untested development code into a live system for matching transplant list patients with donated organs in August 2019 and for the permanent loss and inaccessibility of some patient records downloaded prior to the transfer from one electronic document viewing system to another.
- The Police – including the Metropolitan Police Service for an “immature” ability in its systems, to ensure that sensitive criminal records information uploaded daily to the Police National Database, were correctly loaded. Additionally, the Chief Constable of Kent Police for failure to complete 40% of SARs within the statutory deadline, with some taking over 18 months for Kent Police to respond to and, as of May 2022, in excess of 200 SARs remaining overdue.
- Local Authorities – including for non-compliance with SAR requirements under the UK GDPR and failure to respond to SARs within the statutory time limit as well as data breach situations. In one incident, a local Council sent papers prepared as a Court bundle in Child Protection legal proceedings and containing sensitive information such as medical information relating to the child and the home address of the mother and her two children, to both parents of the child in question.
Takeaway points
- No organisation, whether operating in the private or public sector is immune from ICO enforcement action and the examples of reprimand action taken since January 2020 confirms the ICO’s new approach in practice.
- As the strategy identifies, damage to reputation and public impression can indeed have a much bigger influence on compliance than imposing financial penalties.
- Whilst the new strategy might reduce the need for organisations to set aside funds for the payment of MPNs, non-compliance in the form of reprimands could still be costly.
If you would like further advice or insight on any matters relating to data protection or enforcement, please contact Emily Aggett or another member of our Data Protection & Privacy team.
