To fine or not to fine? The curious case of the missing £10m

On 30 June 2022, after six months in post, the UK’s new Information Commissioner John Edwards published an open letter to public authorities in the UK. The letter set out a significant change of approach to data protection regulation in the public sector. For the next two years, rather than using his considerable enforcement powers to fine organisations that fail to comply with the law, the Commissioner will use his discretion to avoid fining public bodies.

We’re now seeing the consequences of this new policy.

On 3 November, the ICO announced that it had agreed to reduce the £500,000 fine previously imposed on the Cabinet Office to just £50,000. The original fine arose from a serious data breach leading to the inadvertent publication of personal details of recipients of New Year’s honours, and had been issued a year earlier. The Cabinet Office had appealed the fine, and the parties have now agreed to end legal action in return for the reduced fine.

And then on 6 November, the ICO issued a public reprimand to the Department for Education. This followed an investigation in which the ICO determined that personal data relating to up to 28 million young people had been misused. The incident was so serious that the ICO determined that a fine of £10m would have been imposed, had it not been for the new approach to public authorities. Instead, there was no fine and only a public reprimand.

Is all this fair? Are reprimands really the best way to enforce data protection laws in the public sector?

In his June letter, Edwards insisted that his new approach wasn’t about leniency, promising:

“… this will mean an increase in public reprimands and the use of my wider powers, including enforcement notices, with fines only issued in the most egregious cases. However, the ICO will continue to investigate data breaches in the same way and will follow up with organisations to ensure the required improvements are made. We will also do more to publicise these cases, sharing the value of the fine that would have been levied, so there is wider learning.”

The rationale for this approach is clear. Large fines can affect how public bodies provide their services, meaning that fines can impact negatively on service users, including those whose data may have been compromised by the original failings. And fines are paid directly to the Treasury, meaning that for central government departments, a fine would simply move money from one department to another.

All of this raises the question of the purpose of enforcement. Data protection law gives the ICO a toolkit of measures, ranging from warnings and reprimands, through enforcement notices and bans on processing, to monetary penalties, with considerable discretion as to which, if any, are appropriate. When it comes to fines, Article 83(1) of the UK General Data Protection Regulation requires fines to be “effective, proportionate and dissuasive”. To be dissuasive, a fine must be of sufficient magnitude to discourage the controller – and others – from making the same data protection mistakes.

In the Department for Education case, the breaches found by the ICO were extremely serious but had since been corrected. With no ongoing breach, there was no reason for the ICO to issue an enforcement notice, which is a formal legal document compelling an organisation to do something or stop doing something in order to remedy a breach. The ICO was effectively left with two options – impose a fine, or issue a reprimand. The ICO determined that the breach met the threshold for issuing a fine, and that the value of that fine was £10,030,000. However, applying the new approach, it chose a reprimand instead.

Data protection legislation gives the Commissioner wide discretion in the exercise of his powers. It also contains various specific provisions for public authorities. Parliament could have chosen to remove public authorities from the penalty regime, or specify lower tier fines. But that’s not how the law is drafted. The enforcement powers of the Commissioner are the same for all organisations, regardless of whether they are public, private or third sector.

The Commissioner is in a very difficult position. At a time of huge pressure on public sector budgets, large fines may seem inappropriate or even wholly counterproductive. Reducing the Cabinet Office’s fine from £500,000 to £50,000 acknowledges this, but still retains an element of punishment and deterrence.

On the other hand, it is hard to view the reprimand in the Department for Education case as anywhere near as dissuasive as a significant monetary penalty. At the time of writing, the reprimand has received very little media coverage and may well pass largely unnoticed by those outside the data protection community. That certainly wouldn’t be the case for a £10m fine.

There is a danger that the Commissioner’s policy will simply be looked upon as leniency, or letting public bodies off the hook.

Questions about how the Commissioner exercises his discretion, and how best to enforce data protection law in the public sector, are unlikely to go away.