Could the ICO really fine the Welsh Government half a billion pounds?

Jon Belcher, Excello Law partner in data protection and IP governance, highlights crucial points on the risks of inadvertent publication of personal data.

Tucked away on page 106 of the 276-page Explanatory Memorandum to the proposed Health and Social Care (Wales) Bill is the following paragraph (my emphasis in bold):

“Should CIW inadvertently publish annual returns containing personal information, such as the names of people living at a regulated service, they may be in breach of UK GDPR. The cost to Welsh Government of a data breach could be very significant, as the Information Commissioner’s Office (ICO) has the power to issue fines to organisations who breach data protection laws. Any fine would be based on Welsh Government’s turnover and the maximum fine could be £0.5bn. However, due to the mitigating factors CIW has put in place … a fine of this level is extremely unlikely.”[1]

So, could the ICO really fine the Welsh Government half a billion pounds? Of course not. Even the paragraph above recognises that a fine of this level is extremely unlikely. But is this figure even theoretically correct? And is it really helpful for a government to be framing data protection risks solely in terms of potential mega fines?

To answer these questions, we need to take a step back. The context of the above paragraph is a proposed new law. Currently, care providers are required to submit annual returns to Care Inspectorate Wales (CIW), a part of Welsh Government. CIW then publishes statistical information based on aggregated data. Welsh Government is proposing to make changes that would require each individual provider, rather than CIW, to publish their own information.

None of the data to be published should include personal data, but we know that many organisations get themselves into trouble by inadvertently publishing personal data. So there are data protection risks here. The above paragraph identifies a risk with maintaining the status quo. CIW could inadvertently publish personal data, in breach of the UK GDPR. So far, so good.

But then the paragraph immediately jumps to the possibility of Welsh Government being fined by the ICO. The ICO does have fining powers, set out in Article 83 of the UK GDPR. For breaches falling into the higher tier, the maximum fine is set as “£17,500,000, or in the case of an undertaking, up to 4% of worldwide turnover of the preceding financial year, whichever is higher”.

The £0.5 billion figure in the above paragraph is presumably based on 4% of the Welsh Government budget. But this maximum only applies to ‘undertakings’, which are entities engaged in an economic activity (i.e. offering goods or services in the marketplace). It is difficult to see how the collation and publication of statistical information relating to the care sector could be seen as an economic activity. The ICO’s recent monetary penalty notice issued to the Ministry of Defence states that “As a government department, which is not an undertaking and which has no annual turnover, the maximum penalty amount … would be £17.5 million”.[2] The same maximum would apply to the Welsh Government.

But that’s not the end of the story. The ICO does not have complete freedom to issue fines up to the statutory maximum for any breach. All fines must be “effective, proportionate and dissuasive”, and the ICO must take into account various factors, including the intentional or negligent character of the infringement. The risk set out in the above paragraph is of inadvertent publication, which may or may not be negligent, but would certainly not be intentional. It is impossible to see how the maximum fine would be proportionate in those circumstances. Any fine would be significantly below £17.5 million.

And then there’s the ICO’s actual record on fines. The ICO only issues fines in the most serious cases and, since June 2022, has taken the approach of only issuing fines to public sector bodies as a last resort. Whilst there have been some fines in the public sector, they have been heavily discounted. In February 2024, the Ministry of Defence was fined £350,000 for a serious breach that revealed the identities of 245 individuals who had been part of the Afghan Relocations and Assistance Policy, putting their lives at risk. The fine would have been £1 million without this public sector discount.

More recently, the ICO indicated its intention to fine the Police Service of Northern Ireland (PSNI) £750,000 for a serious breach that involved inadvertent publication of the identities of all 9,483 employees. The data found its way into the hands of dissident republicans, who have a history of targeting and murdering police officers. In this case, the ICO stated that the fine would have been £5.6 million without the public sector discount.

It is hard to see how any inadvertent publication of CIW data by Welsh Government could have the seriousness of either the MoD or PSNI cases, and in these cases the fines (or potential fine for PSNI) are in the hundreds of thousands of pounds. That’s not insignificant, but it’s certainly not £0.5 billion. About a thousand times less.

As a postscript, the PSNI has announced that it will be offering a one-off payment of £500 to every individual affected by the breach. That hasn’t been enough to stop a significant number of claims for compensation being brought relating to the breach. The cost to PSNI of compensating individuals and handling these claims will far exceed the cost of paying the ICO fine. This is not unusual when organisations suffer major data breaches. And yet this particular risk is not mentioned in the Welsh Government document.

If organisations really want to quantify the costs of a potential data protection breach, they should consider compensation to individuals and reputational damage rather than focusing narrowly on theoretical ICO mega fines that simply won’t happen. And they should get their calculations right.

[1] Paragraph 7.205

[2] See paragraph 155(b)