ICO: Instead of massive fines, regulation works best when we work alongside organisations

Written by John Edwards on 9 March 2023 in Opinion

Information commissioner John Edwards discusses the impact of the watchdog’s new approach to working with the public sector – which focuses on improvements, rather than penalties

Information can drive everything in our lives: from the provision of public services to job opportunities, or the decisions made for and about us – people’s data is vital.

As a regulator for information rights, I want to provide certainty to the public, so they can trust that organisations will look after their personal data. And I also want to provide certainty for those same organisations, so they have the knowledge and confidence to deliver privacy-minded services.

That’s why, soon after I became information commissioner last year, I set out a new approach to working closely with the public sector to improve data-protection practices. While we will continue to issue fines when necessary, we want to collaborate with and provide support to organisations to help them get it right. 

But we can’t do this alone.

We need support from senior leaders in the public sector to drive higher data-protection standards. That’s why I called on the UK government to create a cross-Whitehall senior leadership group to encourage improvements in the way public bodies handle people’s information. This work is underway and I’m pleased to see good practice being shared, but also examples of how things have gone wrong – this enables government departments to recognise and learn from mistakes, and to identify potential harms so they can prevent them before they happen.

The way we worked with the Department for Education is a clear example of our public sector approach in practice.

In 2020, following an audit of the DfE, we found that the department was not prioritising its data protection responsibilities and this had severely impacted its ability to handle people’s data responsibly. We issued 138 recommendations for improvement, with over 60% classified as urgent or high priority.

In the same year, the DfE reported to my office that its database of 28 million pupils’ learning records was used by an employment screening firm to check if people opening online gambling accounts were 18, which was not its original purpose. In this case, we chose to issue a reprimand instead of the potential multi-million pound fine, as we believe that regulation works best when we work alongside organisations, encouraging change and improvement.

Our approach with the DfE resulted in positive change. I am very pleased with the progress the DfE has made in the past two years towards improving their overall compliance with people’s information rights in general, and the security of shared data sets in particular.

Lessons to be learned

While I recognise that the public sector as a whole is facing a challenging time in terms of resourcing and funding, many of the data breaches and issues I see are easily avoidable.

Government departments must consider their data-protection and privacy obligations upfront – from the provision of public services to the design of new projects, organisations must put people’s information rights at the heart of everything they do.

If the public sector can show people their commitment to high data protection standards, and that they will look after their personal information, people are more likely to trust public institutions and participate in their services.

 

About the author

John Edwards is the UK information commissioner.

This piece originally appeared on PublicTechnology sister publication Civil Service World.
