The Information Commissioner’s Office (ICO) has failed to publicly disclose the majority of “reprimands” it has issued since November 2021 to public sector organisations – including the Government Digital Service (GDS) – for UK data protection law breaches, a freedom of information (FOI) request shows.
Under the UK General Data Protection Regulation (GDPR), the ICO has the power to serve formal reprimands, as well as fines and other enforcement notices, when organisations contravene the law.
The 15 reprimand recipients include the GDS (part of the Cabinet Office), the UK Independence Party (UKIP), the Crown Prosecution Service (CPS) and the Welsh Language Commissioner. Other recipients include four police forces, two local authorities and two NHS trusts.
The ICO confirmed to Computer Weekly that all of the reprimands issued to criminal justice sector bodies were issued under Part Three of the Data Protection Act 2018, which lays out specific rules for the processing of personal data by law enforcement entities for law enforcement purposes.
The undisclosed reprimands were revealed by an FOI request submitted by Jon Baines, a senior data protection specialist at law firm Mishcon de Reya, who was following up on a previous request that showed the ICO had issued 42 reprimands between 25 May 2018 (when the UK GDPR came into effect) and 15 November 2021.
In the vast majority of cases, the ICO failed to publicly disclose it had taken action to reprimand these organisations, in spite of its own policy that says its “default position” is to publish all formal regulatory outcomes.
“By ‘formal regulatory outcomes’ we mean those where we serve or issue some form of notice, reprimand, recommendation or report following our regulatory work,” said the ICO in its Regulatory and Enforcement Activity Policy. “Our default position is that we will publish (and, where appropriate, publicise) all formal regulatory work, including significant decisions and investigations, once the outcome is reached.”
On reprimands specifically, the ICO added: “We will publicise these if it will help promote good practice or deter non-compliance.”
While the ICO has not disclosed details of the specific contraventions that led to the reprimands being issued, its Regulatory Action Policy says the watchdog will reserve its “most significant powers (i) for organisations and individuals suspected of repeated or wilful misconduct or serious failures to take proper steps to protect personal data”.
In response to the FOI disclosure about the lack of public reprimands, Mishcon de Reya said the ICO had confirmed that, going forward, it would include reprimands when publishing its online datasets of casework outcomes.
Computer Weekly asked the ICO to confirm that it would publish all reprimands going forward, to which a spokesperson responded that reprimands were published as part of the datasets available on its website.
While the spreadsheets attached to the ICO’s datasets web page do contain entries that show some of the reprimands were issued, there is no accompanying documentation detailing the nature of each reprimand.
Computer Weekly asked the ICO whether it would publish the actual reprimand documents going forward, rather than confirming whether one had been issued through entries in spreadsheets, to which a spokesperson responded: “Presently, the reprimands are published on the dataset. Looking ahead, we’ll be reviewing our approach to publicising our work once the Regulatory Action Policy has been agreed by Parliament.”
The only reprimands the ICO decided to make fully public since November 2021 were those given to the Scottish Government and NHS National Services Scotland in February 2022, which were issued over their failure to provide people with clear information about how the NHS Scotland Covid Status app was using their data.
“The ICO has decided to make this reprimand public because of the significant public interest in the issues raised. The decision to issue a reprimand in this case reflects that this is the most effective and proportionate way to make sure the issues identified are swiftly resolved,” it said at the time.
On why these reprimands would be deemed of “significant public interest” and the others not, Baines told Computer Weekly he presumed that the connection to the Covid-19 pandemic made them “particularly compelling when it came to a public interest analysis”.
Other reprimands are in the public domain, but only through news reports (in the case of Sheffield Council) or brief mentions buried in the ICO website that do not provide detail (in the case of UKIP). Baines said he was not aware of any other reprimands being in the public domain.
Computer Weekly asked the ICO directly why the reprimands issued to Scottish authorities were deemed to be of significant public interest, while all the others issued since November 2021 were not.
Pointing to its Regulatory and Enforcement Activity Policy, an ICO spokesperson said: “We state that we will publicise reprimands if it will help promote good practice or deter non-compliance. In the case of the Scottish Covid app, the reprimand was publicised to deter non-compliance.”
On whether its failure to publish the reprimands was contrary to its own disclosure policies, the spokesperson added that the ICO had recently closed a consultation on its Regulatory Action Policy: “Once the Regulatory Action Policy is agreed by Parliament, we will be reviewing our approach to disclosure, publishing and publicising our work, which is laid out in the document Communicating Our Regulatory and Enforcement Activity Policy.”
The document already says the ICO’s “default position” is to publish all formal regulatory outcomes.
Commenting on the FOI disclosure generally, Baines said: “It’s still not clear to me why the ICO hasn’t published in the past, as their own policy on publishing regulatory action says, ‘Publicity helps to raise confidence in – and awareness of – our work to promote good practice and deter those who may be thinking of breaching information rights legislation’.”
He added: “I feel I have a good understanding of the data protection practitioner community, and members of that community can learn from the outcomes of regulatory investigations; a failure by the ICO to publicise is a missed opportunity to help raise general standards of awareness and compliance.”