The Information Commissioner’s Office has set out a new approach to working with public authorities, focusing on raising data protection standards and sharing good practice while reducing the impact of fines.
The Information Commissioner, John Edwards, outlined the revised approach in an open letter to public authorities where he said the ICO “…will still call out non-compliance and take robust enforcement actions, where necessary but in future our primary focus will be on raising data protection standards across the board and preventing harms from occurring in the first place.”
The new approach
NHS leaders can expect to see an increased use of the regulator’s wider powers from warnings and reprimands to enforcement notices, with fines reserved for the most serious of cases. The ICO’s new approach will be trialled over the next two years.
In Edwards’ letter, he said “I am not convinced large fines on their own are as effective a deterrent within the public sector. They do not impact shareholders or individual directors in the same way as they do in the private sector but come directly from the budget for the provision of services. The impact of a public sector fine is also often visited upon the victims of the breach, in the form of reduced budgets for vital services, not the perpetrators. In effect, people affected by a breach get punished twice.”
The ICO will continue to investigate data breaches in the same way and will follow up with organisations to ensure improvements are made. However, when a fine is considered, the decision notice will give an indication on the amount of the fine the case would have attracted, with the aim of informing the wider health and care sector about the levels of penalty others can expect from similar conduct.
The NHS can expect the watchdog to work with senior leaders across the health and care sector to encourage compliance, prevent harms before they occur and learn lessons when things go wrong. Edwards said to achieve this “we must work in partnership to address the underlying issues that continue to result in avoidable data breaches on an all too regular basis”. There must be accountability to deliver improvements on all sides, said Edwards.
The new approach in practice
In light of this change, the ICO issued a reduced fine of £78,400 (from £784,800) to Tavistock and Portman NHS Foundation Trust for disclosing 1,781 email addresses belonging to adult gender identity patients.
Another recent ICO enforcement action includes a reprimand issued to NHS Blood and Transplant Service after they inadvertently released untested development code into a live system for matching transplant list patients with donated organs. If the revised approach had not been in place, NHSBTS would have received a fine of £749,856.
Supporting this change
The ICO has received a commitment from the Cabinet Office and the Department for Digital, Culture, Media and Sport to create a cross Whitehall senior leadership group to encourage compliance with data protection standards. These commitments echo the commitments set out in the recently published National Data Strategy.
Do get in touch if you would like support with your data protection policies and procedures – we have a friendly and expert team ready to help you.