ORG urges ICO to revise public sector enforcement approach

The Information Commissioner’s Office (ICO) approach of only fining public sector organisations “in the most serious cases” is facing criticism from privacy campaigners at Open Rights Group (ORG), who argue that there is an “urgent need” to challenge the regulator’s assertion that fines are not an effective deterrent for public sector bodies.

The campaigners contend that the ICO’s strategy of restricting fines to public sector bodies for only the most severe data protection issues is ineffective, as issues often persist even after less severe enforcement actions have been taken.

“In an increasingly digital world, data protection is crucial for our personal security. The ICO’s hesitancy to take enforcement action, coupled with its policy of not confronting public sector organisations when necessary, is failing,” said ORG chief executive Jim Killock.

“As we witness the advancement of AI technology and its growing use by public sector organisations, we need robust data protection laws and a proactive regulator that serves as the primary line of defense for the British public.”

In July 2022, the ICO introduced a “revised” two-year trial approach to collaborating with public authorities, with commissioner John Edwards arguing in an open letter that fines do not effectively ensure data protection compliance because they indirectly penalize victims of data breaches “by diverting funds from essential services.”

In July 2024, the ICO released its Annual report and financial statements for the 2023-24 financial year, detailing its performance during that period. The report outlines the ICO’s investigations into public and private entities, as well as the outcomes of these investigations, including reprimands, enforcement notices, and fines.

Regarding its actions against public sector bodies for data protection breaches, the ICO imposed one fine (on the Ministry of Defence for a data leak exposing the identities of 245 Afghan individuals), issued two enforcement notices (one for the mishandling of child abuse case files at the Crown Prosecution Service and another for the GPS tagging of refugees by the Home Office), and issued 28 reprimands.

Examples of these reprimands include Thames Valley Police disclosing a witness’s address to suspected criminals, leading the individual to relocate; the University Hospital of Derby and Burton NHS Trust failing to process outpatient data promptly, resulting in delays of up to two years in medical treatments for some patients; and West Midlands Police facing data mix-ups that caused officers to attend incorrect addresses.

Other instances include two reprimands for the Ministry of Justice, one for disclosing adoption details against court orders and another for leaving confidential waste unsecured in a prison holding area accessible to both inmates and staff.

Given the significant number of reprimands for harmful data practices compared to the low number of fines and enforcement notices, ORG is urging the ICO to utilize its full powers against public sector bodies, including enforcement notices and fines as necessary.

Computer Weekly reached out to the ICO regarding ORG’s analysis and arguments and was referred to an ICO statement on its public sector approach from June 2024.

“While we have continued to levy fines on public bodies when appropriate, we have also employed other regulatory tools to ensure proper handling of people’s information without diverting funds from critical areas,” the statement read.

“We will assess the two-year trial before making a decision on the public sector approach in the autumn. In the interim, we will maintain this approach in our regulatory activities concerning public sector organisations.”

On 20 November 2022, in relation to the ICO’s enforcement in the private sector, information commissioner John Edwards remarked to The Times that the substantial financial penalties often imposed by European regulators tend to lead to prolonged legal battles, which could strain regulators’ resources and weaken their ability to enforce meaningful changes.

“I don’t believe that the amount or frequency of fines is indicative of impact,” he stated. “While they may generate headlines and league tables, I do not believe this approach necessarily has the greatest impact.”

He added that the ICO prefers engaging with companies to promote compliance rather than issuing fines worth hundreds of millions of pounds.

‘Reprimands not good enough’

Based on ORG’s analysis of the ICO’s latest annual report, the enforcement actions taken underscore the seriousness of data mismanagement in the public sector and suggest that reprimands do not lead to meaningful change despite their increased use.

“The ICO should employ its full range of enforcement powers in the public sector until alternative approaches demonstrate substantial improvement in data protection compliance,” one of ORG’s recommendations to the ICO stated.

ORG also proposed that the ICO disclose all evidence from the two-year ‘public sector approach trial’ where public sector organizations were fined only as a last resort, followed by an independent external audit to validate the findings.

Additionally, ORG suggested amending the proposed Data Use and Access Bill (DUAB) by prohibiting the ICO from issuing more than one reprimand to an organization: “Subsequent breaches should trigger escalated action rather than additional ‘final reprimands’ that undermine the initial reprimand’s premise and have minimal impact on behavior.”

The DUAB should also mandate the ICO to publish a league table of public sector bodies’ performance in responding to subject access requests (SARs) so that organizations consistently failing to meet statutory response times can be prioritized for enforcement action.

“SARs are crucial for safeguarding individuals’ privacy and security,” ORG emphasized. “However, since 2018, the ICO has been unsuccessful in addressing SAR backlogs at three authorities. Six years after the issue first arose, Plymouth City Council, Devon and Cornwall Police, and Dorset Police each received a ‘final reprimand’.”

This year marks the first time the ICO has publicly disclosed the number of reprimands in an annual report, following a commitment made in December 2022 after a freedom of information request from Jon Baines, a senior data protection specialist at Mishcon de Reya, revealed that the regulator had not disclosed most of the 42 reprimands issued to public sector bodies between May 2018 and November 2021.

A subsequent freedom of information request from Baines in June 2022 revealed an additional 15 reprimands issued since November 2021 that had not been publicly disclosed until then.