ICO consults on revised approach to public sector regulation

December 16, 2024

In June 2022, the ICO announced a two-year trial of a revised approach to working more effectively with public authorities across the UK. This is the “public sector approach”, under which the Commissioner used his discretion to reduce the impact of fines on public bodies and the services they provide, while aiming to improve data protection standards in this sector through guidance and proactive engagement.

The ICO has reviewed the two-year trial and published its report on the impact of, and learning from, the trial. The review also identified that the scope and parameters of the public sector approach could be articulated more clearly. It is now proposing some updates to the public sector approach.

The ICO intends to continue with the public sector approach as a standard part of its overall regulatory approach. However, it will adjust it in line with the lessons from the trial period and the responses and input received through this consultation. There are two areas where there have been requests for further guidance:

Organisations in scope of the public sector approach

The ICO recognises that the term ‘public sector’ is broad in scope and is open to interpretation. To provide certainty to organisations in understanding if they fall under the scope of the public sector approach, it will use the definition of ‘public authorities’ and ‘public bodies’ under section 7 of the Data Protection Act 2018.

The ICO also recognises that there are organisations in the wider not-for-profit sector, such as charities and social enterprises, and other public bodies such as parish councils, which are not public authorities under the DPA 2018 but whose services might be similarly affected by a fine. The ICO’s Data Protection Fining Guidance explains how the ICO takes these factors into account when setting an appropriate fine.

Circumstances that will lead to a fine under the public sector approach

The ICO will only issue a fine to a public authority in the most egregious cases, that is, where the infringements are especially serious.

Its Data Protection Fining Guidance sets out the legal framework and explains how the ICO decides to issue penalties and calculate fines. This includes whether the imposition of a fine would be effective, proportionate and dissuasive; the nature and gravity of the infringement, including any actual or potential harm suffered by the victims of the infringement; and any mitigating actions taken by the organisation to limit damage suffered by people. This assessment considers whether the controller or processor is a public authority.

If the ICO decides to issue a monetary penalty notice, the fine amount will be calculated by applying the five-step approach set out in the guidance. In particular, the fact an organisation is a public authority is relevant to the assessment of the nature of the processing, to the maximum amount of the fine, and to the financial position used to assess the fine’s starting point. Considering these factors aims to ensure a consistent approach for public authorities.

The ICO will take into account the seriousness of the infringements, any relevant aggravating or mitigating factors, and the overarching requirement to ensure the fine is effective, proportionate and dissuasive. Factors that would lead a case to be considered egregious include: actual or potential harm to people, which could be physical or bodily harm, psychological harm, economic or financial harm, discrimination, reputational harm or loss of human dignity; the intentional or negligent character of the infringement, where there is evidence of intent on the part of the controller or a high degree of negligence; and relevant previous infringements, or recent infringements, by the controller or processor.

Where the ICO is satisfied that an infringement by a public authority is egregious and therefore warrants a fine, the fine will be calculated using the Data Protection Fining Guidance while ensuring the level of the fine is consistent with the public sector approach.

The ICO’s consultation ends on 31 January 2025. Following the consultation, the ICO will finalise its public sector approach.