ICO fails to disclose majority of reprimands issued under GDPR


The Information Commissioner’s Office (ICO) has failed to publicly disclose the majority of “reprimands” it has issued since November 2021 to public sector organisations, including the Government Digital Service (GDS), for breaches of UK data protection law, a freedom of information (FOI) request shows.

Under the UK General Data Protection Regulation (GDPR), the ICO has the power to serve formal reprimands, in addition to fines and other enforcement notices, when organisations contravene the law.

The 15 reprimand recipients include the GDS (part of the Cabinet Office), the UK Independence Party (UKIP), the Crown Prosecution Service (CPS) and the Welsh Language Commissioner. Other recipients include four police forces, two local authorities and two NHS trusts.

The ICO confirmed to Computer Weekly that all of the reprimands issued to criminal justice sector bodies were issued under Part Three of the Data Protection Act 2018, which lays out specific rules for the processing of personal data by law enforcement entities for law enforcement purposes.

The undisclosed reprimands were revealed by a Freedom of Information (FOI) request submitted by Jon Baines, a senior data protection specialist at law firm Mishcon de Reya, who was following up on a previous request that showed the ICO had issued 42 reprimands between 25 May 2018 (when the GDPR came into effect) and 15 November 2021.

In the vast majority of cases, the ICO failed to publicly disclose that it had taken action to reprimand these organisations, in spite of its own policy, which states that its “default position” is to publish all formal regulatory outcomes.

“By ‘formal regulatory outcomes’ we mean those where we serve or issue some form of notice, reprimand, recommendation or report following our regulatory work,” said the ICO in its Regulatory and Enforcement Activity Policy. “Our default position is that we will publish (and, where appropriate, publicise) all formal regulatory work, including significant decisions and investigations, once the outcome is reached.”

On reprimands specifically, the ICO added: “We will publicise these if it will help promote good practice or deter non-compliance.”

While the ICO has not disclosed details of the specific contraventions that led to the reprimands being issued, its Regulatory Action Policy says the watchdog will reserve its “most significant powers (i) for organisations and individuals suspected of repeated or wilful misconduct or serious failures to take proper steps to protect personal data”.

In response to the FOI disclosure regarding the lack of public reprimands, Mishcon de Reya said the ICO had confirmed that, going forward, it would include reprimands when publishing its online datasets of casework outcomes.

Computer Weekly asked the ICO to confirm that it would publish all reprimands going forward, to which a spokesperson responded that reprimands were published as part of the datasets available on its website.

While the spreadsheets attached to that web page do contain entries showing that some of the reprimands were issued, there is no accompanying documentation detailing the nature of each reprimand.

Computer Weekly asked the ICO whether it would publish the actual reprimand documents going forward, rather than merely confirming through spreadsheet entries that one had been issued, to which a spokesperson responded: “Presently, the reprimands are published on the dataset. Looking ahead, we’ll be reviewing our approach to publicising our work once the Regulatory Action Policy has been agreed by Parliament.”

The only reprimands the ICO decided to make fully public since November 2021 were those given to the Scottish Government and NHS National Services Scotland in February 2022, which were issued over their failure to provide people with clear information about how the NHS Scotland Covid Status app was using their data.

“The ICO has decided to make this reprimand public because of the significant public interest in the issues raised. The decision to issue a reprimand in this case reflects that this is the most effective and proportionate way to make sure the issues identified are swiftly resolved,” it said at the time.

On why these reprimands would be deemed of “significant public interest” and the others not, Baines told Computer Weekly he presumed that the connection to the Covid-19 pandemic made them “particularly compelling when it came to a public interest analysis”.

Other reprimands are in the public domain, but only through news reports (in the case of Sheffield Council) or brief mentions buried in the ICO website that provide no detail (in the case of UKIP). Baines said he was not aware of any other reprimands being in the public domain.

Computer Weekly asked the ICO directly why the reprimands issued to the Scottish authorities were deemed to be of significant public interest, while all of the others issued since November 2021 were not.

Pointing to its Regulatory and Enforcement Activity Policy, an ICO spokesperson said: “We state that we will publicise reprimands if it will help promote good practice or deter non-compliance. In the case of the Scottish Covid app, the reprimand was publicised to deter non-compliance.”

On whether its failure to publish the reprimands was contrary to its own disclosure policies, the spokesperson added that the ICO had recently closed a consultation on its Regulatory Action Policy: “Once the Regulatory Action Policy is agreed by Parliament, we will be reviewing our approach to disclosure, publishing and publicising our work, which is laid out in the document Communicating Our Regulatory and Enforcement Activity Policy.”

The document already says the ICO’s “default position” is to publish all formal regulatory outcomes.

Commenting on the FOI disclosure more generally, Baines said: “It’s still not clear to me why the ICO hasn’t published in the past, as their own policy on publishing regulatory action says, ‘Publicity helps to raise confidence in – and awareness of – our work to promote good practice and deter those who may be thinking of breaching information rights legislation’.”

He added: “I feel I have a good understanding of the data protection practitioner community, and members of that community can learn from the outcomes of regulatory investigations; a failure by the ICO to publicise is a missed opportunity to help raise general standards of awareness and compliance.”
