On Monday, 9 December 2024, the Information Commissioner's Office (ICO) published a post-implementation report about the 3-year public sector approach (PSA) to enforcement. Alongside the report, the ICO outlined plans to continue with the PSA for a further 2 years, subject to certain revisions. The ICO has opened a consultation on the scope of the revised approach and the circumstances that would make it appropriate to issue a monetary penalty to a public authority. The consultation closes on 31 January 2025.
According to the report, 77 reprimands were issued by the ICO during the trial period, of which only 70 have been published, including 60 issued to public sector organisations, representing 80% of the total. The shift in enforcement activity accounted for a 54% increase in reprimands compared to the previous 2-year period. The report also noted that the "use of other powers like Enforcement Notices and warnings has been limited to date."
A total of 4 monetary penalty notices were issued to public organisations with fines totalling £1.2 million after the Commissioner used his discretion to lower the amount from £23.2 million, saving the taxpayer £22 million.
In addition, the report highlights the findings from a survey conducted among Data Protection Officers (DPOs) in central government, supplemented by insights from workshops and departmental interviews.
Reprimands were generally viewed as an effective deterrent, largely because of their reputational damage in gaining the attention of senior stakeholders. However, their effect is limited due to minimal coverage in the media and a lack of widespread awareness among other public sector organisations.
The report highlighted a widespread view across the public sector that monetary penalties are counter-productive, as such fines lead to reduced budgets for public services. Many Central Government DPOs and stakeholders within the wider public sector voiced strong support for a revised regulatory strategy tailored to the public sector's unique challenges.
This view was not held universally, however, with some respondents giving negative feedback on the PSA. Among the reasons given, several DPOs said that it had made it more challenging to make the case for adequate resources and sustaining interest in compliance initiatives, attributing these challenges to the reduced threat of fines under the current framework.
In the annexes to the report (p37), a chart indicates the level of professional influence of the DPO was found to have reduced by 18% in 2024 compared to 7% in 2022, while 14% said it had increased, down from 18%. A majority of 55% said that it remained the same compared to 54% in 2022. Overall, the chart suggests the DPOs level of influence has decreased in the period.
A separate chart in the annexes (p19-20), shows comparisons from EU data protection authorities (DPAs) that also limit or do not allow for fines against public sector bodies.
A statement from the Permanent Secretary of the Department for Science, Innovation and Technology (DSIT) said, "I welcome the results of the trial and its findings and the positive conclusions it provides. These highlight how the ICO's regulatory activities can deter bad practice, whilst at the same time support the government in its ambitions to transform public service and drive positive outcomes for communities."
What is this page?
You are reading a summary article on the Privacy Newsfeed, a free resource for DPOs and other professionals with privacy or data protection responsibilities helping them stay informed of industry news all in one place. The information here is a brief snippet relating to a single piece of original content or several articles about a common topic or thread. The main contributor is listed in the top left-hand corner, just beneath the article title.
The Privacy Newsfeed monitors over 300 global publications, of which more than 5,750 summary articles have been posted to the online archive dating back to the beginning of 2020. A weekly roundup is available by email every Friday.
