ICO to Review Public Sector GDPR Compliance Enforcement Approach

In June 2022, the Information Commissioner’s Office (ICO) revised its approach to enforcement of the UK GDPR against public sector organisations. The two-year trial was announced in an open letter from the Information Commissioner, John Edwards, to public authorities in which he indicated that greater use would be made of the ICO’s wider powers, including warnings, reprimands and enforcement notices, with fines only issued in the most serious cases. Mr Edwards said:

“I am not convinced large fines on their own are as effective a deterrent within the public sector. They do not impact shareholders or individual directors in the same way as they do in the private sector but come directly from the budget for the provision of services. The impact of a public sector fine is also often visited upon the victims of the breach, in the form of reduced budgets for vital services, not the perpetrators. In effect, people affected by a breach get punished twice.”

Under this new approach, the Commissioner has issued more reprimands than fines over the last two years. One example was the reprimand issued to the Department for Education (DfE) following its misuse of the personal data of up to 28 million children. The ICO said at the time that, had the new trial approach not been in place, the DfE would have been issued with a fine of over £10 million. Some would say that the DfE got off very lightly and, given its past record, perhaps more stringent sanctions should have been imposed. Two years ago, the ICO criticised the DfE for secretly sharing children’s personal data with the Home Office, triggering fears it could be used for immigration enforcement as part of the government’s hostile environment policy.

More recently, the ICO was criticised for only issuing a reprimand to the Electoral Commission following the discovery that unspecified “hostile actors” had managed to gain access to copies of the electoral registers, from August 2021. Hackers also broke into its emails and control systems. The Commission estimated the register for each year contained the details of around 40 million people. The ICO reprimand revealed that the Commission did not take basic security steps to ensure the protection of personal data.

On 26th June 2024, the ICO announced that it will now review the two-year trial before making a decision on the public sector approach in the autumn. It will be interesting to see whether the ICO views the approach as a success and if it will be continued or even extended to the private sector.


Re Use Re Loaded – New Public Sector Information Regulations In Force

On 18th July 2015 the new Re-use of Public Sector Information Regulations 2015 (ROPSI) came into force, replacing the 2005 version. They contain some important changes to the UK public sector information re-use regime.

The new Regulations implement Directive 2013/37/EU, which amends Directive 2003/98/EC on the re-use of public sector information (the 2003 Directive). The aim of the latter was to remove obstacles that stood in the way of re-using public sector information. Key obligations for public authorities (including the health, local government and central government sectors) include:

  • being transparent and open about the terms and fees for re-use of information they hold
  • where licences are required to re-use information, standard terms and conditions should be offered
  • having accurate notices and statements on documents and websites
  • producing an Asset List so that potential re-users of information know what is available
  • having a complaints process

A full article on the 2005 Regulations can be downloaded here. Key changes made by the new Regulations include:

  • Adding the previously excluded cultural sector (libraries, museums and archives) to the scope of the Regulations
  • Making it an obligation to allow re-use of most public sector information. Previously this was optional.
  • Extending the scope of the information available for re-use to not just that which is accessible but anything produced, held or disseminated within a public authority’s public task (unless restricted or excluded).
  • Marginal cost pricing is the default (subject to some exceptions) when it comes to charging for re-use. Previously a profit could be made.

For the first time, the UK re-use regime will have teeth similar to FOI. Once the public sector body’s internal complaints procedures have been exhausted, a complainant may turn to the Information Commissioner, who can make a binding decision. A further appeal can be made to the First-Tier Tribunal.

How will the new Regulations overlap with the new dataset obligations under the FOI? As a result of amendments made by the new Regulations, the requirements relating to datasets under FOI are now as follows.

If you are a public authority making a dataset available in response to an FOI request, you must, so far as is reasonably practicable, make it available in a re-usable, electronic form. You must also make requested datasets available in your publication scheme in a re-usable form unless you are satisfied that it is not appropriate to do so.

However, if the dataset falls under ROPSI, for example because it is produced as part of your “public task”, then you must calculate any charges for allowing re-use and deal with any licences under ROPSI and not FOI. This applies to providing the dataset in response to a request and making it available in the publication scheme.

So, for an FOI public authority, for any dataset that is covered by ROPSI, FOI applies to the format in which it is made available, but ROPSI applies to the charges and licences for re-use.

If the dataset does not fall under ROPSI because you are an FOI public authority but not a public sector body for the purposes of ROPSI, then the provisions in FOI regarding charges and licences for re-use will apply to it. Read the Information Commissioner’s Guide here. Expect lots of appeals to the ICO over these provisions.

The National Archives is the UK policy lead on public sector information. Its website contains useful resources on this topic. All public sector organisations need to carefully consider the new Regulations and how they will impact on the information they produce and disclose.
