Public Reprimands, an Effective Deterrent Against Data Breaches


### #DataProtectionCompliance #PublicSectorAccountability #ReputationManagement

Summary: The UK’s Information Commissioner’s Office (ICO) has found that publishing reprimands for data breaches effectively encourages public authorities to comply with data protection laws. The trial highlighted the importance of reputational damage and public trust in motivating organizations to improve their data handling practices.

Threat Actor: UK’s Information Commissioner’s Office
Victim: Public Sector Organizations

Key Points:

  • ICO published around 60 reprimands to public bodies during a two-year trial to promote data protection compliance.
  • Reprimands have proven effective due to their potential for reputational damage and their ability to engage senior leaders.
  • John Edwards emphasized the need for a balanced approach, using fines only when necessary to avoid punishing victims of data breaches twice.
  • Some organizations made significant changes following reprimands, improving their data handling procedures.
  • ICO noted limited awareness among wider public sector organizations, indicating a need for better communication of best practices.
  • The fines actually issued were far below the amounts that could have been levied, reflecting the ICO’s concern that fines disproportionately hit the budgets of smaller organizations.
  • The ICO aims to clarify which organizations fall under the public sector approach and the types of infringements that could lead to fines.
  • The trial was not deemed a complete success or failure, but it has had a meaningful impact on compliance efforts.

The publication of reprimands following data leaks has been cited as an “effective” deterrent for public authorities.

This follows a two-year trial led by the UK’s Information Commissioner’s Office (ICO) which sought to work proactively with the public sector to encourage data protection compliance.

Over the two years of the Public Sector Approach (PSA) trial, the ICO has published around 60 reprimands issued to public bodies.

The reason such reprimands have been effective is their potential for reputational damage and their impact on public trust. Reprimands can also be used to capture the attention of senior leaders, according to feedback from public authorities on the ICO trial.

In a statement, John Edwards, the UK’s Information Commissioner, said the trial saw greater use of his discretion when it came to fines.

“In practice, that meant we would increase the use of my wider powers, including warnings, reprimands and enforcement notices, with fines only issued when necessary. That’s so victims of data breaches are not being punished twice in the form of reduced budgets for vital public services,” he said.

Central government departments cited increased engagement and positive changes on the back of reprimands.

However, Edwards said that wider public sector organizations displayed limited awareness.

“Which means we must do more to share best practice and lessons learned,” he said.

Edwards noted that following the publication of some of the reprimands, significant changes had been made by organizations including a local council updating its procedures to prevent inappropriate disclosure of children’s information and an NHS Trust stopping sending bulk emails with sensitive information.

Other regulatory tools are still used by the ICO, including an enforcement notice issued to the Home Office. However, their use under this approach remains limited.

Fines were also issued to the Ministry of Defence and the Police Service of Northern Ireland for breaking data protection law.

However, Edwards noted that if fines alone had been used, they could have reached £23.2m ($29.5m), instead of the £1.2m ($1.5m) actually issued. Ultimately, the view is that fines on public sector services disproportionately affect the budgets of smaller organizations and devolved administrations.

One area of improvement the ICO noted was that it must make clearer which organizations fall within the scope of the public sector approach and what types of infringement could lead to a fine.

The ICO did not outline the PSA trial as an outright success or failure. Instead, it noted that it involves multiple layers with more to do but has overall been impactful.

Source: https://www.infosecurity-magazine.com/news/public-reprimands-deterrent-data