ICO reviews approach to public sector – PublicTechnology

After announcing two years ago that it would test a model focused on raising standards – rather than imposing fines – the watchdog will now assess the impact of the revised approach

After a two-year trial period during which no financial penalties were imposed on public sector bodies, the Information Commissioner’s Office is to review the impact of the strategy before deciding how to proceed.

The ICO first announced in June 2022 that it would be taking a “revised approach” to working with the public sector, with the watchdog focusing on helping organisations raise their data protection standards. At the same time, the regulator said it would generally avoid fining public bodies – but would increase the use of formal public reprimands for compliance breaches.

In an open letter announcing the new model, Commissioner John Edwards explained that “I am not convinced that large fines alone are as effective a deterrent in the public sector”.

“They do not impact shareholders or individual directors in the same way as in the private sector, but come directly from the service delivery budget,” he added. “The impact of a public sector fine often also affects the victims of the breach, in the form of reduced budgets for key services, rather than the perpetrators. As a result, those affected by the violation are punished twice.”

The intention was to follow the changed approach for two years and then analyze the impact. Following the end of the trial period, the ICO has announced that this review will now commence.

For now, the watchdog will continue to pursue a standards-focused approach and will provide details of its future plans in the coming weeks.

Related content

“In June 2022, we changed our approach to working with public sector organizations and began a two-year trial period, in line with what we set out in our open letter at the time,” the ICO said in a statement. “While we continue to impose fines on public bodies when appropriate, we have also used our other regulatory tools to ensure that people’s information is handled appropriately and that money is not diverted from what is most needed. We will now review the two-year trial period before deciding on a public sector approach in the autumn. In the meantime, we will continue to apply this approach to our regulatory activities in relation to public sector organizations.”

In an interview for Public Technology Last year – some 15 months after the trial began – ICO Deputy Commissioner for Regulatory Oversight Stephen Bonner said the regulator would be a “good scientist” in assessing the impact of the changed approach and its effectiveness in the future.

But he added that anecdotal evidence so far suggests that without the specter of financial loss hanging over every mistake, organisations are less likely to take a “how to avoid a fine” approach and more of a “how to achieve a good result?” approach.

“It also shows that we understand the pressures that they are under and we recognize that funding may be very tight and therefore things that may further impact that funding may not be the most effective use of resources,” Bonner said. “Instead: Can we get them to the outcome they need? And can they help others do it? Because it’s not just about working with us – it’s about working with the ecosystem to raise standards everywhere. This is crucial. And a cover-up doesn’t help anyone.”