Late last year, the UK Information Commissioner, John Edwards, gave a keynote speech at the National Association of Data Protection Officers’ Annual Conference in relation to the ICO’s new approach to regulatory action.
Less intense focus on monetary penalties
The speech dealt with the question of monetary penalties, with Mr Edwards being keen to point out that the number or quantum of fines issued by the ICO does not measure the success or failure of its ability to regulate or judge the impact it has on data protection. He stated that “there is very little evidence that fines on their own produce better outcomes for the people we are protecting and even less evidence to support the view that fines are a good way of improving compliance and data protection in practices in public authorities”.
Significant fines where warranted
Mr Edwards stressed the importance of the guidance and advice that the ICO can offer to organisations and advised that monetary penalties would be used where they are truly needed, where breaches have the potential to cause the most harm to people or where there is profiting from non-compliance.
Mr Edwards referred to a recent action against Easylife (a catalogue retailer) for nuisance calls. The fine for this was £130,000, but Easylife was also fined £1.35 million in relation to profiling its customers before calling them. Mr Edwards was keen to point out that the use of health and medical conditions without consent to target advertising is viewed in a very dim light by the ICO.
Publicising enforcement actions
In relation to the publication of fines, Mr Edwards said he wanted the general public to know that the ICO is holding organisations to account and that the organisations have changed their practices. He also envisaged that publishing fines and reprimands could increase the certainty for organisations when they are dealing with personal information, helping them to understand the ICO’s approach to enforcement. There will no longer be any excuse that an organisation didn’t know that the ICO would treat certain matters as seriously as it does.
His final thought was that publication of enforcement actions has the potential to improve flexibility: giving organisations information on what the parameters are will allow them to innovate within those parameters in a confident manner.
New approach to the public sector
In relation to the public sector, Mr Edwards was keen to point out that the ICO is shifting away from large fines, as seen with the recent action against the Department for Education (DfE) (where the DfE was issued with a reprimand rather than a fine, which would have been in the region of £10 million).
Mr Edwards added that when large fines are issued to public bodies, the money that is used to pay those fines would otherwise be used to provide those essential public services to the data subjects who were victims and so, in a sense, the victims would be punished.
Engaging with organisations to encourage innovation
Mr Edwards stated that he was conscious of the fact that certainty in terms of the ICO’s approach needs to be there from the beginning of projects and he referenced the launch of the new advice service for innovators and the use of “sandboxes” to assist with this. Mr Edwards recognised that having advice at the early stages of innovative projects would be more useful than swingeing regulatory action when the projects had been launched.
In relation to freedom of information requests, the ICO acknowledged that this system was at breaking point and so the ICO is making changes where possible.
Mr Edwards ended by saying that the ICO had commissioned some research which showed that awareness of what the ICO does is low compared to other regulators and that the 3-year strategy ICO25 was focussed on that.