Category: Enforcement

ICO Public Sector Enforcement Policy to Continue

Last month, the Information Commissioner’s Office (ICO) announced that it will continue its controversial approach to enforcement of the UK GDPR against public sector organisations.   

A trial of the approach was launched in June 2022, in an open letter to public authorities from John Edwards. In the letter Mr Edwards indicated that greater use would be made of the ICO’s wider powers, including warnings, reprimands and enforcement notices, with fines only issued in the most serious cases. This approach has seen much criticism levelled at the ICO. Opponents say that it reduces the importance of data protection and gives special treatment to the public sector.  

One example of the approach, is the ICO’s action (or lack of it) in the Ministry of Defence’s Afghan Data breach. This involved an MoD official mistakenly emailing a spreadsheet containing personal details of over 18,000 Afghan nationals who had applied to move to the UK under the Afghan Relocations and Assistance Policy.  The breach was only discovered in August 2023, when excerpts of the data appeared on Facebook. By then, the damage was done. A new resettlement scheme for those on the leaked list was set up and has seen 4,500 Afghans arrive in the UK so far. The Afghan Relocation Route has cost £400m so far, and the Government has said it is expected to cost a further £450m. Despite the scale and sensitivity of the breach, the ICO decided not to take any regulatory action; not even a reprimand! In its press release, the ICO praised the MoD’s internal investigation and mitigation efforts, stating that “no further regulatory action is required at this time”.  

Following a review last year, and despite strong criticism of its enforcement track record, the ICO has now announced that it will continue its public sector enforcement approach. In his blog post, John Edwards, said: 

“Fines in the public sector, particularly in local government, risk punishing the same people harmed by a breach by reducing budgets for vital services. They still have their place in some cases, but so do other enforcement tools.  

The review of our public sector approach trial reaffirmed that reprimands drive change and publishing them creates strong reputational incentives for compliance, while also offering other organisations valuable lessons from the mistakes of others… 

Focusing on a proactive approach of working with organisations to identify risks and implement improvements can influence sustainable change, protect public trust, and ensure taxpayer money is invested in prevention rather than punishment. The net benefit of this approach is higher data protection standards and faster remediation, backed by sanctions when necessary.” 

Following a consultation earlier this year, the ICO has also published a clearer definition of organisations in scope and the circumstances under which a fine may be issued.  

STOP PRESS: The law firm, Handley Gill, has just published an analysis of the ICO’s Public Sector Approach trial and the new version of it, essentially concluding that reprimands unaccompanied by enforcement notices won’t achieve the stated objective of driving up data protection standards in the public sector.

Revised GDPR Handbook  

  The data protection landscape continues to evolve. With the Data (Use and Access) Act 2025 now in force, practitioners need to ensure their materials reflect the latest changes to the UK GDPR, Data Protection Act 2018, and PECR.  

The newly updated UK GDPR Handbook (2nd edition) brings these developments together in one practical reference. It includes all amendments introduced by the DUA Act, with colour-coded changes for easy navigation and links to relevant recitals, ICO guidance, and caselaw that help make sense of the reforms in context. We have included relevant provisions of the amended DPA 2018 to support a deeper understanding of how the laws interact. Delegates on our future GDPR certificate courses will receive a complimentary copy of the UK GDPR Handbook as part of their course materials.   

If you are looking to implement the changes made by the DUA Act to the UK data protection regime, consider our very popular half day workshop. 

ICO to Review Public Sector GDPR Compliance Enforcement Approach

In June 2022, the Information Commissioner’s Office (ICO) revised its approach to enforcement of the UK GDPR against public sector organisations.  The two-year trial was announced in an open letter from the Information Commissioner, John Edwards, to public authorities in which he indicated that greater use would be made of the ICO’s wider powers, including warnings, reprimands and enforcement notices, with fines only issued in the most serious cases. Mr Edwards said:

“I am not convinced large fines on their own are as effective a deterrent within the public sector. They do not impact shareholders or individual directors in the same way as they do in the private sector but come directly from the budget for the provision of services. The impact of a public sector fine is also often visited upon the victims of the breach, in the form of reduced budgets for vital services, not the perpetrators. In effect, people affected by a breach get punished twice.”

This new approach has seen the Commissioner over the last two years issue more reprimands than fines. One example of this approach was the issuing of reprimand to the Department for Education (DfE) following its misuse of the personal data of up to 28 million children. The ICO said at the time that, had the new trial approach not been in place, the DfE would have been issued with a fine of over £10 million. Some would say that the DFE got off very lightly and, given their past record, perhaps more stringent sanctions should have been imposed. Two years ago, the ICO criticised the DfE for secretly sharing children’s personal data with the Home Office, triggering fears it could be used for immigration enforcement as part of the government’s hostile environment policy.

More recently the ICO was criticised for only issuing a  reprimand to the Electoral Commission following the discovery that unspecified “hostile actors” had managed to gain access to copies of the electoral registers, from August 2021. Hackers also broke into its emails and control systems. The Commission estimated the register for each year contained the details of around 40 million people. The ICO reprimand revealed that the Commission did not take basic security steps to ensure the protection of personal data.

On 26th June 2024, the ICO announced that it will now review the two-year trial before making a decision on the public sector approach in the autumn. It will be interesting to see whether the ICO views the approach as a success and if it will be continued or even extended to the private sector.

Enjoy reading our blog? Help us reach 10,000 subscribers by subscribing today!

This and other data protection developments will be discussed in detail on our forthcoming  GDPR Update  workshop.

FOI Enforcement Action Against the Police

Under section 10 of the the Freedom of Information Act 2000 (FOI) public authorities, have 20 working days to answer a request for information. Last week we wrote about a new report by openDemocracy, Transparency Under Threat: Monitoring FOI compliance in the UK, which claims that many authorities are consistently failing to comply with the statutory deadline. 

Since last year, the Information Commissioner’s Office (ICO) has pursued a tougher FOI enforcement policy. Recently it issued Enforcement Notices against three police forces for poor FOI performance which has led to significant backlogs in their responses:

  • Dyfed Powys Police (DPP) – Compliance levels fell as low as 6% (June 2023) and the Information Commissioner received 13 complaints in 2023 in relation to timeliness of responses. By 9 November 2024, DPP is required to respond to all information requests which were outside of 20 working days when the Enforcement Notice was served on 9 May 2024.
  • Metropolitan Police Service (MPS) – Compliance levels were consistently low between 60% to 67% from April 2023 to February 2024. By 1 November 2024, MPS is required to respond to the backlog of 362 cases which were outside of 20 working days when the enforcement notice was served on 1 May 2024.
  • South Wales Police (SWP) – Compliance levels fell to 45% in July 2023 and as of 31 April 2024 167 requests were overdue, with one case being 122 days old. By 20 December 2024, SWP is required to respond to all information requests which were outside of 20 working days when the enforcement notice was served on 20 June 2024.

This and other FOI developments will be discussed in detail on our forthcoming FOI Update workshop.

The ICO’s Tougher FOI Enforcement Policy 

By Martin Rosenbaum 

Last month the Information Commissioner’s Office announced it was issuing another two Enforcement Notices against public authorities with extreme backlogs of FOI and EIR requests; the Ministry of Defence and the Environment Agency. From the published notices it is clear that both authorities had consistently failed to tackle their excessive delays, despite extensive discussions over many months with the ICO. 

The ICO also issued Practice Recommendations, a lower level of sanction, to three authorities with a poor track record on FOI; Liverpool Council, Tower Hamlets Council and the Medicines and Healthcare Products Regulatory Agency. This brings the total of Enforcement Notices in the past year or so to six, and the number of Practice Recommendations to 12.
As Warren Seddon, the ICO’s Director of FOI, proclaimed in his blog on the subject, both these figures exceed the numbers previously issued by the ICO in the entire 17 years since the FOI Act came into force. 

From my point of view, as a frequent requestor, this is good news.
For requestors, the ICO’s current activity represents a welcome tougher stance on FOI regulation adopted by Seddon and also the Commissioner, John Edwards, since the latter took over at the start of last year.  

Under the previous Commissioner Elizabeth Denham, any strategic enforcement regarding FOI and failing authorities had dwindled to nothing. The experience of requestors was that the FOI system was beset by persistent lengthy delays, both from many authorities and also at the level of ICO complaints.  

The ICO’s Decision Notices would frequently comment on obstruction and incompetence from certain public bodies, as I reported when I was a BBC journalist, but without the regulator then making any serious systematic attempt to change the culture and operations of these authorities.
Under Denham the ICO had also ceased its previous policy of regularly and publicly revealing a list of authorities it was ‘monitoring’ due to their inadequate processing of FOI requests. Although this was in any case a weaker step than issuing formal enforcement notices and practice recommendations, in some cases it did have a positive effect.
Working at the BBC at the time I saw how, when the BBC was put into monitoring by the ICO, it greatly annoyed the information rights section, who brought in extra resources and made sure the BBC was released from it at the first opportunity.  

On the other hand, other public authorities with long-lasting deficiencies, such as the Home Office and the Metropolitan Police, were kept in ICO monitoring repeatedly, without improving significantly and without further, more effective action being taken against them.  

The ICO’s FOI team has also made important progress in the past year in rectifying its own defects in processing complaints, speeding things up and tackling its backlog. This led to a rapid rush of decision notices.
One result is that delay has been shifted further up the system, as the
First-tier Tribunal has been struggling to cope with a concomitant increase in the number of decisions appealed. I understand that the proportion of decisions appealed did not change, although I don’t know if the balance between requestor appeals and authority appeals has altered. 

Another consequence has been that decision notices now tend to be shorter than they used to be, especially those which support the stance of the public authority and thus require less interventionist argument from the ICO. Requestors may need to be reassured that the pressure on ICO staff for speedier decisions does not mean that finely balanced cases end up predominantly being decided on the side of the authority.  

More generally I gather there is some concern within the ICO about its decisions under sections 35 and 36 of FOI, to do with policy formulation and free and frank advice, that some staff have got into a pattern of dismissing requestors’ arguments without properly considering the specific circumstances which may favour disclosure. 

As part of its internal operational changes, a few months ago the ICO introduced a procedure for prioritisation amongst appeals and expediting selected ones. I have seen the evidence of this myself.  A complaint I made in April was prioritised and allocated to a case worker within six weeks and then a decision notice served within another six weeks (although sadly my case was rejected). All done within three months.  

On the other hand a much older appeal that I submitted to the ICO in May 2022 has extraordinarily still not even been allocated to a case worker 15 months later, from what I have been told. This is partly because it relates to the Cabinet Office, which accounts for a large proportion of the ICO’s oldest casework and has been allowed a longer period of time to work through old cases.  

It is interesting to note that the ICO does not proactively tell complainants that their case has been prioritised, even when they have specifically argued it should be at the time of submitting their complaint.
The ICO wants to avoid its staff getting sucked in to disputes about which appeals merit prioritisation. If you want to know whether your case has been prioritised, you have to ask explicitly, and then you will be told. 

The ICO has not yet officially released any statistics about the impact of its new prioritisation policy. However I understand that in the first three months about 60 cases were prioritised and allocated to a case officer to investigate within a month or so. This is a smaller number than might have been expected.  

Around 80 percent of these were prioritised in line with the criterion for the importance of the public interest involved in the issue. And about 60 percent of decisions to prioritise reflected the fact that the requestor was in a good position to disseminate further any information received, possibly as a journalist or campaigner. 

In most of the early decision notices for prioritised complaints the ICO has backed the authority and ruled against disclosure. So if you are a requestor, the fact that the ICO has decided to prioritise your appeal does certainly not mean that it has reached a preliminary decision that you are right.  

Martin Rosenbaum is the author of Freedom of Information: A practical guidebook. The book is aimed at requestors and provides thorough guidance on the workings of the law, how best to frame requests and how to challenge refusals. It will also be valuable to FOI officers and others who want a better understanding of the perspective of requestors. In the book Martin passes on the benefits of all the expertise and experience he acquired during 16 years as the leading specialist in BBC News in using FOI for journalism. 

The TikTok GDPR Fine

In recent months, TikTok has been accused of aggressive data harvesting and poor security issues. A number of governments have now taken a view that the video sharing platform represents an unacceptable risk that enables Chinese government surveillance. In March, UK government ministers were banned from using the TikTok app on their work phones. The United States, Canada, Belgium and India have all adopted similar measures. 

On 4th April 2023, the Information Commissioner’s Office (ICO) issued a £12.7 million fine to TikTok for a number of breaches of the UK General Data Protection Regulation (UK GDPR), including failing to use children’s personal data lawfully. This follows a Notice of Intent issued in September 2022.

Article 8(1) of the UK GDPR states the general rule that when a Data Controller is offering an “information society services”  (e.g. social media apps and gaming sites) directly to a child, and it is relying on consent as its lawful basis for processing, only a child aged 13 or over is able provide their own consent. For a child under 13, the Data Controller must seek consent from whoever holds parental responsibility. Article 8(2) further states:

“The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.”

In issuing the fine, the ICO said TikTok had failed to comply with Article 8 even though it ought to have been aware that under 13s were using its platform. It also failed to carry out adequate checks to identify and remove underage children from its platform. The ICO estimates up to 1.4 million UK children under 13 were allowed to use the platform in 2020, despite TikTok’s own rules not allowing children of that age to create an account.

The ICO investigation found that a concern was raised internally with some senior employees about children under 13 using the platform and not being removed. In the ICO’s view TikTok did not respond adequately. John Edwards, the Information Commissioner, said:

“TikTok should have known better. TikTok should have done better. Our £12.7m fine reflects the serious impact their failures may have had. They did not do enough to check who was using their platform or take sufficient action to remove the underage children that were using their platform.”

In addition to Article 8 the ICO found that, between May 2018 and July 2020, TikTok breached the following provisions of the UK GDPR:

  • Article 13 and 14 (Privacy Notices) – Failing to provide proper information to people using the platform about how their data is collected, used, and shared in a way that is easy to understand. Without that information, users of the platform, in particular children, were unlikely to be able to make informed choices about whether and how to engage with it; and
  • Article 5(1)(a) (The First DP Principle) – Failing to ensure that the personal data belonging to its UK users was processed lawfully, fairly and in a transparent manner. 

Notice of Intent

It is noticeable that this fine is less than half the amount (£27 million) in the Notice of Intent. The ICO said that it had taken into consideration the representations from TikTok and decided not to pursue its provisional finding relating to the unlawful use of Special Category Data. Consequently this potential infringement was not included in the final amount of the fine.

We have been here before! In 2018 British Airways was issued with a Notice of Intent in the sum of £183 Million but the actual fine in July 2020 was for £20 million. Marriott International Inc was fined £18.4 million in 2020; much lower than the £99 million set out in the original notice. Some commentators have argued that the fact that fines are often substantially reduced (from the notice to the final amount) suggests the ICO’s methodology is flawed.

An Appeal?

In a statement, a TikTok spokesperson said: 

“While we disagree with the ICO’s decision, which relates to May 2018 to July 2020, we are pleased that the fine announced today has been reduced to under half the amount proposed last year. We will continue to review the decision and are considering next steps.”

We suspect TikTok will appeal the fine and put pressure on the ICO to think about whether it has the appetite for a costly appeal process. The ICO’s record in such cases is not great. In 2021 it fined the Cabinet Office £500,000 for disclosing postal addresses of the 2020 New Year Honours recipients. The Cabinet Office appealed against the amount of the fine arguing it was “wholly disproportionate”. A year later, the ICO agreed to a reduction to £50,000. Recently an appeal against the ICO’s fine of £1.35 million issued to Easylife Ltd was withdrawn, after the parties reached an agreement whereby the amount of the fine was reduced to £250,000.

The Children’s Code

Since the conclusion of the ICO’s investigation of TikTok, the regulator has published the Children’s Code. This is a statutory code of practice aimed at online services, such as apps, gaming platforms and web and social media sites, that are likely to be accessed by children. The code sets out 15 standards to ensure children have the best possible experience of online services. In September, whilst marking the Code’s anniversary, the ICO said:

“Organisations providing online services and products likely to be accessed by children must abide by the code or face tough sanctions. The ICO are currently looking into how over 50 different online services are conforming with the code, with four ongoing investigations. We have also audited nine organisations and are currently assessing their outcomes.”

With increasing concern about security and data handling practices across the tech sector (see the recent fines imposed by the Ireland’s Data Protection Commission on Meta) it is likely that more ICO regulatory action will follow. 

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop.  

Spring Offer: Get 10% off on all day courses and special discounts on GDPR certificates

GDPR Fine for Charity E Mail Blunder

A Scottish charity has been issued with a £10,000 monetary penalty notice following the inadvertent disclosure of personal data by email. 

On 18th October, HIV Scotland was found to have breached the security provisions of the UK GDPR, namely Articles 5(1)(f) and 32, when it sent an email to 105 people which included patient advocates representing people living with HIV. All the email addresses were visible to all recipients, and 65 of the addresses identified people by name. From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk. 

The Information Commissioner’s Office (ICO) is urging organisations to revisit their bulk email practices after its investigation found shortcomings in HIV Scotland’s email procedures. These included inadequate staff training, incorrect methods of sending bulk emails by blind carbon copy (bcc) and an inadequate data protection policy. It also found that despite HIV Scotland’s own recognition of the risks in its email distribution and the procurement of a system which enables bulk messages to be sent more securely, it was continuing to use the less secure bcc method seven months after the incident.

On the point of training, HIV Scotland confirmed to the ICO that employees are expected to complete the “EU GDPR Awareness for All” on an annual basis.  The ICO recommended that staff should receive induction training “prior to accessing personal data and within one month of their start date.” Act Now’s e learning course, GDPR Essentials, is designed to teach employees about the key provisions of GDPR and how to keep personal data safe. The course is interactive with a quiz at the end and can be completed in just over 30 minutes. Click here to watch a preview. 

HIV Scotland was also criticised for not having a specific policy on the secure handling of personal data within the organisation. It relied on its privacy policy which was a public facing statement covering points such as cookie use, and data subject access rights; this provided no guidance to staff on the handling of personal and what they must do to ensure that it is kept secure. The Commissioner expects an organisation handling personal data, to maintain policies regarding, amongst other things, confidentiality (see our GDPR policy pack).

This is an interesting case and one which will not give reassurance to the Labour Relations Agency in Northern Ireland which had to apologise last week for sharing the email addresses and, in some cases ,the names of more than 200 service users. The agency deals confidentially with sensitive labour disputes between employees and employers. It said it had issued an apology to recipients and was currently taking advice from the ICO.

Interestingly the ICO also referenced in its ruling, the fact that HIV Scotland made a point of commenting on a similar error by another organisation 8 months prior. In June 2019, NHS Highland disclosed the email addresses of 37 people who were HIV positive. It is understood the patients in the Highlands were able to see their own and other people’s addresses in an email from NHS Highland inviting them to a support group run by a sexual health clinic. At the time HIV Scotland described the breach as “unacceptable”. 

The HIV Scotland fine is the second one the ICO has issued to a charity in the space of 4 months. On 8th July 2021, the transgender charity Mermaids was fined £25,000 for failing to keep the personal data of its users secure. The ICO found that Mermaids failed to implement an appropriate level of security to its internal email systems, which resulted in documents or emails containing personal data being searchable and viewable online by third parties through internet search engine results.

Charities need to consider these ICO fines very carefully and ensure that they have polices, procedures and training in place to avoid enforcement action by the ICO. 

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have a few places left on our Advanced Certificate in GDPR Practice course starting in January.

Data Protection Officers and Conflicts of Interest

photo-1539795845756-4fadad2905ec

In May 2018, with the implementation of GDPR, some senior managers (and many junior ones) found themselves thrown into the then unknown statutory role of Data Protection Officer (“DPO”). Two years on, some now have a better understanding of their role whilst others are still battling to manage the many different requirements of the job.

Articles 38 and 39 of the GDPR outline the role of the DPO. They should, amongst other things, be:

  • involved in data breach discussions and investigations whilst being provided with adequate resource to fulfil their obligations;
  • not dismissed for the performance of their duties as DPO;
  • able to offer secrecy and confidentiality to data subjects in relation to data protection matters within the organisation; and
  • actively involved and consulted on the data processing risks associated to proposed data processing activities within the organisation, which are usually highlighted within the Data Protection Impact Assessment (DPIA).

The law is still in its infancy, and remains largely untested in the courts, but a recent case may lead to a few DPOs feeling a little nervous about their role.

€50,000 Fine

The Belgian Data Protection Authority recently issued a €50,000 fine to an organisation after it ruled that the organisation’s DPO had a conflict of interest under Article 38(6) of GDPR. The DPO had been employed by the organisation as the Head of Compliance, Risk Management and Audit in addition to acting as DPO.

A reportable data breach lead to an investigation by the Belgian regulator who sought to dig a little deeper into the organisation’s general approach to privacy compliance.
The investigation focussed on three main potential infringements of GDPR namely:

  1. The duty to cooperate with the data protection authority
  2. The accountability obligations of the organisation in relation to data breach notifications and data protection risk assessments
  3. The requirements related to the position of the DPO

The investigation found that the organisation’s DPO appointment failed to meet the requirements of the legislation as the individual was responsible for the processing of personal data in the areas of compliance, risk and audit and therefore could not independently advise on such matters.

Many data protection experts have interpreted this ruling as preventing any employee who is a “head of department” from carrying out the DPO rule without a conflict of interest, although the situation is not as clear cut.

Conflict of Interests

Whilst the employer will pay their salary, the DPO must be able to act independently and without fear or favour. The Article 29 Working Party’s Guidelines on DPO’s makes reference to a number of roles which would be considered to pose a conflict of interests with the position of DPO namely; Chief Executive, Chief Operating Officer, Chief Financial Officer, Chief Medical Officer, Head of Marketing, Head of HR and Head of IT.
All of these roles involve a significant amount of personal data processing and decision making, resulting in an impossible independent standpoint to be taken on data matters arising as a result.

This ruling presents an opportunity for organisations to review their DPO position.
Both the organisation and the individual must be clear about the role. The job description should be reviewed from time to time in the light of changing roles and responsibilities. This may flag up potential conflicts of interest.

It is common for DPOs, especially in the public sector, to wear many “hats” due to budget constraints. Whilst GDPR does allow this, if there is any doubt about a conflict of interests, the decision-making process should be documented and the position reviewed.
If any mitigating measures are to be put in place to reduce the risk of conflict these should be outlined and reviewed periodically as new risks and processing activities are presented to the organisation.

Data protection and privacy is an ever-changing area of compliance and in the coming years, more case law will be generated as the principles of the legislation are put to the test. With the end of the Brexit transition period approaching and changing uses of technology due to the global coronavirus pandemic, organisations will need to remain alert to potential issues arising from their original GDPR implementation plan.

Samantha Smith is a Data Protection Manager and qualified Solicitor with experience of data protection compliance projects across both public and private sectors. This and other GDPR developments will be covered in our new online GDPR update workshop. Our next online  GDPR Practitioner Certificate course is  fully booked. A few places are left  on the course starting in August.