Information Commissioner to continue with revised public sector approach despite mixed responses to trial

The Information Commissioner's Office (ICO) has announced it will continue with its revised public sector approach (PSA) despite it not being a "straightforward success or failure".

Writing in a post-implementation review of the two-year trial, the Commissioner, John Edwards, said: "Reflecting on the past two years and based on the evidence from the review, I have decided to continue with the public sector approach. But I also have listened to the feedback and will provide greater clarity on its parameters."

He also announced a consultation on the scope of the approach and the factors and circumstances that would make it appropriate to issue a fine to a public authority.

The ICO's trial was launched in June 2022 and included plans to increase the use of the ICO's wider powers, including warnings, reprimands and enforcement notices, with fines only issued in the most serious cases.

According to the review, the ICO issued approximately 77 reprimands during the trial period, with 80% targeting the public sector.

The report said: "This marked a significant shift in the ICO's enforcement activity, with a 54% increase in reprimands compared to the previous two-year period.

"However, the use of other powers like enforcement notices and warnings has been limited to date."

Four monetary penalty notices with fines totalling £1.2 million were issued to public organisations during the trial.

The report noted that without the PSA and the associated increased use of reprimands, fines could have reached £23.2 million, indicating an estimated £22 million difference due to the PSA.

Published reprimands were seen as effective deterrents, "mainly due to reputational damage, and helped DPOs [data protection officers] capture senior leaders' attention", according to the report.

Reprimands were also seen as a useful regulatory tool for raising standards of data protection through sharing best practices and lessons learned.

The report did note that awareness of published reprimands "remained limited across the wider public sector".

The ICO said there was "widespread agreement in the public sector that fines reduce budgets for public services, leading to support for a different regulatory approach, especially among central government [data protection officers]".

However, it noted that feedback from some organisations in the wider public sector, including local authorities, was more negative about the impact of the PSA.

The report said: "The evidence presented in this review shows that the PSA was an ambitious and challenging trial to deliver over two years with a limited lead-in time. The trial's outcome isn't a straightforward success or failure.

"Overall, the PSA has been impactful. It has driven changes that have increased data protection standards, albeit across a smaller population than anticipated.

"There is clear evidence of how upstream and downstream regulatory activities can work together to drive change. The PSA's effect on the status of data protection varied, likely due to the central government focus of the targeted upstream activities."

Adam Carey
4-5 Grays Inn Square Governance