The Information Commissioner’s Office decision to rein in fines for public sector bodies should also be extended to the charity sector, as the same arguments about financial punishments apply to the third sector too.
That is according to a number of agency chiefs contacted by Decision Marketing, after the ICO said it only wants to issue fines for the most serious cases of data breaches in the public sector, and will instead issue warnings, reprimands and enforcement notices.
In a blog post, Information Commissioner John Edwards said he did not believe fining public sector organisations was an effective deterrent.
He added: “[Fines] do not impact shareholders or individual directors in the same way as they do in the private sector but come directly from the budget for the provision of services.
“The impact of a public sector fine is also often visited upon the victims of the breach, in the form of reduced budgets for vital services, not the perpetrators. In effect, people affected by a breach get punished twice.”
The ICO is now trialling the new strategy for two years, in a move which will see the regulator revealing the scale of the fine that might have been levied in certain cases, in order to warn the commercial sector about the scale of penalty they could expect as a result of similar conduct.
According to a 2019 analysis by SMS Works, the public sector was by far the worst offender for data leaks in the five years to 2019. It accounted for 60 of the 110 fines issued for data breaches, and its £7.3m in fines represented 58% of the total. The NHS alone had received 12 fines and the police nine.
More recently, the Cabinet Office was fined £500,000 last December after the postal addresses of the 2020 New Year honours recipients were disclosed online.
The ICO said that in light of the new approach it had reduced two public sector fines for breaching the Data Protection Act.
A potential fine of £784,000 for the Tavistock & Portman NHS Foundation Trust, for accidentally revealing the email addresses of patients at the adult gender identity clinic, has been reduced to £78,400.
The ICO said the trust had taken prompt action over the breach, which occurred because patients had not been bcc’d in the address field for an email inviting them to take part in an artwork competition.
Meanwhile, the NHS Blood & Transplant Service has had a fine of nearly £750,000 reduced to a public reprimand. The organisation had released untested code for matching organ donations to patients in 2019. As a result, five patients awaiting livers were not matched with potentially available organs.
One agency chief commented: “I don’t see any difference between charities and the public sector when it comes to the potentially devastating effect of large fines. After all, charities don’t have major shareholders or profits so any monetary penalty hits good causes.”
Another said: “Surely the Fundraising Regulator should be straight on the case. Most charity data breaches are the result of human error rather than neglect. Isn’t it about time this was recognised?”