ICO revises its policy regarding fines for the public sector with future impact for all sectors

The ICO announced today that the Commissioner will use his discretion to reduce fines on the public sector.

“In practice, this will mean an increased use of the ICO’s wider powers, including warnings, reprimands and enforcement notices, with fines only issued in the most serious cases.”

“When a fine is considered, the decision notice will give an indication on the amount of the fine the case would have attracted. This will provide information to the wider economy about the levels of penalty others can expect from similar conduct,” the ICO says.

For example, a recent case regarding the Tavistock and Portman NHS Foundation Trust’s data breach saw the fine reduced from £784,800 to £78,400. Although the Trust had, when failing to use the ‘Bcc’ field in an email, disclosed 1,781 email addresses of Gender Identity Clinic service users, the ICO acknowledged that the Trust took prompt action to remedy the breach. The Trust sent an email to all affected individuals, including an apology and contact details for recipients to seek support or make a formal complaint, and a request to delete the message that had been sent. The Trust also notified the ICO immediately.

This revised approach to public sector enforcement is part of ICO25, a new three-year strategic vision that will be launched on 14 July. The new approach to enforcement will be trialled over the next two years.


Privacy Laws & Business 35th International Conference 4-6 July 2022 includes the session:
The rise of sectoral regulation for BigTech – What does the future hold?’ with Claudia Berg, General Counsel, ICO, UK