Posted by: Mike Clarke
Throughout the year we have attempted to extract insight on how the ICO are interpreting and enforcing the various regulations in our industry relating to privacy and data protection. We have done this by analysing the explanations given in the enforcement notices they have issued and how they have assigned monetary penalties. John Edwards, the UK Information Commissioner, recently gave a speech to the National Association of Data Protection Officers, and what he had to say confirmed some insights we’ve had into the ICO’s approach to enforcement as well as introducing some new changes that are coming.
What We Expected
When it was announced John Edwards was taking the role of UK Information Commissioner, we speculated what this could mean for the ICO’s approach to enforcement. Previously, John Edwards was the Information Commissioner for New Zealand, so we were able to look at his past approach to understand a bit more about him and how he may approach the role here.
Shortly after his appointment to the role he announced his intentions to undertake a broad listening exercise to understand ways in which the ICO could support industries across the UK to better serve our consumers within the bounds of existing regulations.
This was quite a closed introduction that led us to expect a period of introspection without explicitly setting a course of action. This indicated that any further insights across the year would need to come from the enforcement notices issued to companies in breach of compliance. Based on these notices we made several summary judgements:
- Intent is important
- Ignorance of the regulations is not a defence
- You need to be able to justify any data you have and access granted to it
Insights from the Keynote Address
On the 22nd November, John Edwards gave a keynote speech at the National Association of Data Protection Officers' (NADPO) annual conference, which shed further light on the approach the ICO is taking.
During the speech he referred to the definition of enforcement, which he cited as "the act of compelling observance of or compliance with a law, rule, or obligation". He went on to refer to the GDPR and state that nothing in it specifies that enforcement requires a monetary penalty, and that the ICO has many other options available aside from issuing fines.
This was a clear reference to a recent enforcement notice issued against the Department for Education (DfE). John clarified that any monetary penalty would be pointless: a fine issued to the DfE, or indeed any Government body, would be an accounting exercise moving funds between government departments. Doing so would impact the consumers of the Department for Education's services, namely children. He also referenced the decision not to issue a fine to an NHS Trust: "That fine would have come directly from the money available to that service to deliver services to the victims of the UK GDPR non-compliance". Penalising the local NHS Trust would in effect have been punishing the victims further.
During the discussion on this specific enforcement, he also noted that the DfE had begun taking action to reduce access to the information it held. By engaging with the DfE and investigating the situation it was clear the ICO had achieved its goal with the enforcement notice as the DfE had adjusted to clearly comply with the regulation.
"Fines are only one of a number of enforcement tools available to us. We need to be regulating for outcomes, not outputs." This statement from John Edwards aligns well with the enforcement actions and monetary penalties issued so far this year. Monetary penalties have been issued to make further negative actions no longer financially viable, as in the cases of Home2Sense or Clearview AI, where the companies were knowingly breaching the regulations for profit. We have seen smaller penalties issued where there was a clear desire to change behaviour in the interest of the consumer, and we have seen previously issued penalties reduced significantly where they did not serve to protect the consumer.
What can we expect next?
The statements made by John Edwards and the actions from the ICO we have seen this year are very much aligned. The wellbeing of the consumer will always be the primary goal. It is not about penalising companies or making headlines with high-figure penalties but about the impact enforcement can have for citizens.
However, Mr Edwards also stated during his speech that the ICO is changing its policy regarding publishing details of reprimands, where it has taken action but not issued a fine. Its policy to date has been not to publish details of such action, but this is changing and will include details of all reprimands issued from January 2022 onward, unless there is good reason not to. This "name and shame" approach gives the ICO a further string to its bow short of monetary penalties and means that issuing reprimands to companies could now be far more impactful than it has been in the past. We are therefore likely to see more such actions taken as an alternative to issuing a fine, but it also means that receiving a reprimand instead of a fine won't be the perceived "win" that it once was for companies on the receiving end.
The ICO has clearly shown that it is capable of taking action that will send shockwaves through entire industries when justified, and that any action is about changing the behaviour of those industries as opposed to punishing the individual at fault. Recent action has demonstrated that the ICO reserves its most severe penalties for companies caught intentionally breaching regulations, especially those relating to misuse of sensitive data such as health records, and in these cases it will issue punishing fines rather than a reprimand based on an agreement to behave in future.
As always, staying informed on the regulations, being aware of the ICO’s actions and, most importantly, considering the consumer in all your actions are the best steps you can take to ensure you remain compliant.