In September 2019, Tavistock and Portman NHS Foundation Trust (“TPFT”) ran a competition, inviting patients of its adult Gender Identity Clinic to submit artwork to decorate a refurbished clinic building. Two identical emails promoting the competition were sent, each to around 900 patients, before the Trust realised that the ‘Bcc’ field had not been used: every recipient could therefore see the addresses of every other recipient. In total, 1,781 patient email addresses were exposed.
It was clear from the content of the emails that every recipient was a patient of the clinic, so what leaked was not merely a list of email addresses but information about each recipient’s health. According to the ICO’s report, screenshots of the emails were circulating on social media within hours of the breach, further exposing the recipients’ personal information.
On 30 June 2022, the ICO issued a monetary penalty notice to TPFT in respect of this incident. The notice set out that, in light of the “seriousness, nature and extent” of the breach, the penalty could have been as much as £784,400. In this case, however, the ICO reduced that figure by roughly ninety percent, to £78,400. The reduction reflected, among other things, the prompt action TPFT had taken after the breach: contacting recipients to apologise and ask that the emails be deleted, and notifying the ICO.
This decision by the ICO is one of the first taken under a new approach announced, also on 30 June, in an open letter to public authorities from the Information Commissioner. The letter sets out that for the next two years the ICO will trial a new methodology for enforcement proceedings against public bodies. Commissioner John Edwards writes that he is not convinced that large fines on their own act as an effective deterrent within the public sector, rightly pointing out that there are no shareholders and no share price to impact, and that individual directors are not affected by fines in the way their private sector counterparts are. Instead, money paid by a public authority as a fine comes directly out of budgets for the provision of services. The impact of a fine levied on a public body is therefore often felt by the victims of the breach rather than by any party at fault, in the form of reduced budgets for vital services. “In effect, people affected by a breach get punished twice.”
There is a strong case for what the Commissioner says here. When there are no profits or share price to impact, what is really achieved by landing a public service provider with a hefty fine? Especially when public services of every kind, perhaps most visibly the National Health Service, seem to be in a near-constant state of financial hardship.
In a second decision under the new regime, the ICO dealt with an incident at the NHS Blood and Transplant Service, which accidentally released untested development code into the live system used to match donated organs to patients. As a result, five patients awaiting liver transplants were not matched with potentially available organs. The error was spotted and a fix deployed a week later, and no serious harm was caused to the patients affected: of the five, two were too ill at the time of the error to have undergone a transplant, and the other three later received liver donations. Here the ICO commuted the penalty to a public reprimand (i.e. £0) in place of the £750,000 fine that could have been imposed.
It is notable that in both cases the ICO stated what the monetary penalty could have been: this is an intentional element of the Commissioner’s strategy, intended to “promote wider learning”. Presumably it also serves as a warning to the private sector about the scale of financial penalty that can be expected for similar incidents.
Whilst eliminating fines, or reducing them by this kind of margin, may be the most profound change in the ICO’s new approach, it is not the only measure. The approach is fleshed out with pragmatic steps intended to supplement the reduction in fines: more public reprimands and greater use of the Commissioner’s wider powers, including enforcement notices, with fines reserved for the most egregious cases, and a more proactive relationship with the public sector to prevent incidents from occurring in the first place. This will involve a new cross-Whitehall senior leadership group to encourage compliance with high data protection standards, and Mr Edwards states that he “expects to see greater engagement from the public sector, including senior leaders”, with the ICO’s agenda of raising data protection standards across the board.
The argument against this approach is that, without the possibility of large financial penalties, those running public sector organisations may calculate that investment in data protection can be scaled back to the minimum required. Why, for example, employ a whole data protection team when a single data protection officer is the only post mandated by law? Conceivably, this could produce the opposite of the Commissioner’s aim: lower data protection standards, for lack of sufficiently meaningful consequences.
It is not claimed here that such a scenario is impossible, and the two-year trial period suggests the ICO does not think so either. However, the Commissioner’s letter makes a convincing case for the change of tack: the current approach does not seem to be sufficiently effective, and an alternative should at least be explored. Unofficial research indicates that between 2010 and 2019, public sector organisations accounted for around 54% of the fines issued for data breaches in that period. If that rate, or anything close to it, has continued since, it would further support the position that financial penalties neither deter effectively nor improve data protection practice across the sector, while also harming the people who rely on public services.
It is to be hoped that the Commissioner sees the results he is looking for over the next two years and, if so, that this approach continues as ICO policy beyond the trial period. If implemented effectively, a strategy that raises data protection standards while also letting public sector organisations hold on to more of their stretched budgets can only be a good thing for patients and the public.