The Information Commissioner’s Office (ICO) is facing criticism from privacy advocates at Open Rights Group (ORG). They argue that the ICO’s practice of only fining public sector organizations for the most severe data protection violations isn’t cutting it. According to ORG, this limited approach fails to address ongoing issues that linger even after less serious enforcement actions are taken.
Jim Killock, the chief executive of ORG, emphasizes the importance of data protection in our digital age. He points out that the ICO’s hesitance to act against public bodies is a significant problem. With the rise of AI technology, it’s more crucial than ever to have strong data protection laws and a proactive regulator.
In July 2022, the ICO changed its strategy, starting a two-year trial focused on working with public authorities. Commissioner John Edwards argued in an open letter that fines often hurt victims of data breaches by leading to budget cuts in essential services.
Fast forward to July 2024, and the ICO released its Annual Report and financial statements for the 2023-24 year. This document reviews its activity and shows how many investigations against public and private entities resulted in reprimands, enforcement notices, or fines.
The report highlighted that the ICO only imposed one fine on the public sector during this period—targeting the Ministry of Defence for a data breach that exposed the identities of 245 Afghan nationals. It issued two enforcement notices: one to the Crown Prosecution Service for mishandling child abuse case files, and another to the Home Office for improperly tagging refugees with GPS. Alongside this, the ICO handed out 28 reprimands for various infractions, such as Thames Valley Police revealing a witness’s address, and a situation where a hospital delayed treatments due to poor data management.
Despite these reprimands indicating a pattern of harmful data practices, the number of fines and enforcement actions remains low. As a result, ORG is urging the ICO to fully leverage its powers against public sector organizations and to take more decisive action where necessary.
In response to ORG’s insights, the ICO pointed to a statement from June 2024, stating that while fines are issued when warranted, they prefer other regulatory tools. The ICO plans to evaluate the two-year trial in the autumn and continue applying this strategy in its regulatory work.
On November 20, 2022, Edwards mentioned to The Times that hefty penalties from European regulators often lead to extensive legal battles, which can drain resources and diminish their enforcement capabilities. He questioned whether the sheer size of fines truly reflects their effectiveness, expressing a preference for fostering compliance over waging costly legal wars.
According to ORG’s review of the ICO’s annual report, the current enforcement actions demonstrate a shocking level of data misuse in the public sector, and reprimands don’t necessarily lead to genuine behavioral changes among organizations. ORG suggests that without solid evidence to support alternative strategies, the ICO should employ its full range of enforcement powers.
They also recommend that the ICO publicly share evidence gathered during the two-year trial, followed by an independent audit to verify these findings. Furthermore, ORG urges revisions to the upcoming Data Use and Access Bill (DUAB) to prevent the ICO from issuing more than one reprimand to any organization, advocating for stronger actions for subsequent breaches.
ORG insists that SAR performance data should be made publicly available to prioritize enforcement against bodies that consistently fall short in timely responses. They stress that Subject Access Requests are critical for protecting individual privacy and safety, especially considering the ongoing struggles some authorities have had with backlogs.
This year marked the ICO’s first comprehensive disclosure of reprimands in its annual report, a move prompted by a public records request that unveiled a significant number of undisclosed reprimands from as far back as 2018.