Data Breaches: Why shouldn’t public bodies be fined?

by Aiden Dunning

22 September 2023


Matthew Holman explores why the ICO will almost certainly not fine PSNI for its data breach and why that decision would be wrong.

Imagine you are a PSNI officer. Every day you work hard at keeping the peace in Northern Ireland, an area where peace can be hard to come by. One morning you start work and learn that your employer has unlawfully released your name, rank and work location to the public and those details are in the hands of dissident republican groups.

Now clearly you would be angry and feel let down. You would almost certainly have a civil claim for damages. But you might also expect that PSNI would be penalised by the regulator whose job it is to investigate breaches of data protection law. You would want the state to act, to punish the perpetrator of the injustice you suffered – after all, that is what policing is all about. But what if the regulator did nothing more than issue a written warning to the perpetrator even though it could do so much more? Would you feel that justice was done?

For a very long time, the UK’s ICO treated public and private entities in the same way regarding data breaches. That all changed in June 2022 when John Edwards, then just 6 months into his new tenure as Information Commissioner, issued an open letter to public authorities in which he announced that they would no longer face fines. [1] This article is a critique of his policy decision. It looks at the unfortunate events surrounding the PSNI breach (and other public sector breaches) and asks the difficult questions about why no fines were issued and whether it is right to permit such a stark contrast between public and private sector enforcement. Is it lawful to have such a divide? And even if it is, what message does it send? But it doesn’t stop there. The authors of this article spent a lot of time researching, analysing and debating the underlying policy decision and conclude by tackling the great ethical question: how do you effectively enforce regulations against public sector entities (PSEs)?

What is the policy decision?

To be fair to Mr Edwards, he didn’t quite say that PSEs would never face fines again. He actually said:

“I am not convinced that large fines on their own are as effective a deterrent within the public sector… for the next 2 years the ICO will be trialling a new approach that will see a greater use of my discretion to reduce the impact of fines on the public… in practice this will mean fines will only be issued in the most egregious cases.”


What was his underlying rationale for this dramatic shift? He went on to identify two reasons to justify the change in policy:

“[Fines] do not impact shareholders or individual directors in the same way as they do in the private sector but come directly from the budget for the provision of services. The impact of a public sector fine is also often visited upon the victims of the breach, in the form of reduced budgets for vital services, not the perpetrators. In effect, people affected by a breach get punished twice.”


What on earth is going on at the police force?

The last 6 months have seen an unusual and highly publicised spike in data breaches from the police service, most of which have impacted officers and victims of crime in a terrible way.

Mr Edwards says that “in practice fines will only be issued in the most egregious cases.” What is a most egregious case? Could it be the Police Service Northern Ireland breach? We now know that on 8 August 2023 the personal data of over 10,000 officers and staff was leaked by the PSNI in response to a Freedom of Information Act request. The cause of this breach was human error. Four PSNI staff reviewed the FOIA response before it was sent. Each failed to spot that the entire force’s personal details were contained in it. Within one day of the FOIA response being released, it was available online for several hours before being taken down. The impact on staff was immediate and extreme. In the aftermath, PSNI sickness rates jumped to a record high. Officers were quoted as being “anxious, frustrated and really angry.”[2] Two weeks later it was confirmed that those details were in the hands of dissident republicans.

Clearly when data breaches happen in the police service, they can have significant impacts on those affected. The PSNI breach is just one example. Another comes from Thames Valley Police who in May 2023 were investigated by the ICO after they “inappropriately disclosed contextual information that led to suspected criminals learning the address of a witness. As a result of the incident, the witness has moved address and the impact and risk to the data subject remains high” [3]. Surely an incident of this gravity would result in a fine for Thames Valley? Not so, said the ICO. Instead it issued a reprimand. For those who are unfamiliar with the ICO’s penalty toolkit, a reprimand is a publicised written statement in which the breach is confirmed, brief facts are provided and remedial steps are listed. Crucially, no fine is rendered.

The police service’s catalogue of recent data breaches doesn’t end there. In August 2023 the Norfolk and Suffolk police forces reported unintentionally exposing the personal data of more than 1,000 individuals, including officers’ and victims’ data. [4] In July 2023 there was a second PSNI breach, in which a laptop containing a spreadsheet with 200 officers’ details was stolen from a PSNI staff member’s private vehicle. And to round it off, on 14 September 2023 Greater Manchester Police reported a personal data breach which resulted in the exposure of officers’ names due to a cyber attack on a third party supplier of ID cards. [5] To date, none of these incidents has resulted in a fine.

It is not just the police service which has suffered highly sensitive and highly publicised breaches. In November 2022 it was reported that the ICO had investigated a breach at the Department for Education after it had unlawfully permitted a third party access to a database which holds personal data of 28 million children. The ICO confirmed that the DfE would have received a fine of £10,030,000 if the ICO had not changed its policy. However, instead of issuing a fine, the DfE received a reprimand.

What do other countries do?

The EU GDPR permits member states to decide for themselves the thorny issue of how to resolve public sector fines.[6] The authors researched the activities of EEA territories regarding enforcement of data protection fines against PSEs to understand what approach they are taking.

Several countries have taken a similar position to the UK. Belgian law states that “administrative fines under GDPR do not apply to public authorities.”[7] German law has a similar stance: “No fines shall be imposed on public authorities and other public bodies.”[8] The Czech Republic’s Data Protection Authority cannot impose a fine on public authorities and other public bodies, as they are exempt. [9] The same stance is taken in Spain, Austria, Slovenia and Estonia.

However, the majority continue to issue fines to PSEs following data protection breaches, but they don’t all do it in the same way. Poland, Sweden, Lithuania, Denmark, Hungary, Greece, Bulgaria and Romania all allow GDPR fines against PSEs, but they are often comparatively lower in value than those against private entities. Interestingly, the Norwegian regulator faced a similar breach to the DfE breach discussed above, but subjected the municipality to an administrative fine of €170,000 for allowing access to the personal data of 35,000 children. The Italian regulator remains happy to issue quite large fines and recently imposed a fine of €800,000 on the Administration of Rome.[10] The Portuguese regulator issued a fine of €1.25m to the Municipality of Lisbon. In the Republic of Ireland, fines are capped at €1m. [11]

Is this policy unlawful?

The GDPR always envisaged that member states (not supervisory authorities) could determine how to deal with PSE fines. The relevant language of the GDPR was removed as a result of Brexit and not formally reintroduced to the statute book. It seems that the ICO believes it has adequate discretion about its fining policy without needing a statutory power to carry out this activity.

It may be the case that the way in which the ICO has implemented this particular decision is unreasonable. Is it disproportionate to let off an entire swathe of one part of the economy and continue to levy fines against another? This issue gets incredibly tricky when one considers that there is no settled legal definition of what a PSE is; the answer varies depending on which branch of the law you analyse. There are many examples of organisations that are not commonly considered to be public but in fact are. For example, Coutts (a famously private bank) is on the list of public sector entities. [12] If Coutts has a breach and another, non-publicly owned, bank has the exact same breach, will one be fined and the other not? And what about public/private partnerships? Or alternative joint ventures between the public and private sectors, such as the myriad sub-contractors to the NHS? They are private entities providing a very public service and, if fined, would be less able to deliver that service, to the detriment of service users. It is certainly conceivable that the new ICO policy is open to challenge by way of judicial review. This article is not the place for a detailed examination of the merits of such an action, but it appears to the authors that it is at least possible and, if the ICO continues to fine private sector bodies while (apparently) letting off public sector bodies for large scale breaches, that possibility increases. It would be a very interesting exercise if an interest group for private sector entities were to take it upon itself to challenge the reasonableness of this policy’s application.

Is this policy unethical?

Let’s get to the meaty issue. Is it fair or right to treat one group (PSEs) very differently to another group (private sector entities) when they commit equally bad acts or omissions? Why is a reprimand equivalent to a fine? Does failing to fine PSEs send a message to them that they can essentially get away with wrongdoing while saying to private sector entities they will continue to be fined? Or does it show that the ICO is sensitive to the effect of enforcement and is seeking to moderate the impact of harm on public resources? These are complicated, quasi-political issues.

Let’s go back to the start. Article 83 (1) UK GDPR says that:

“The Commissioner shall ensure that the imposition of administrative fines…shall in each individual case be effective, proportionate and dissuasive.”


From this we understand the threefold ambition of the legislature. We suggest that this should frame the discussion about how to treat PSEs. The ICO’s regulatory action policy (RAP) expands on the requirements here, adding that its overall approach should be “fair and consistent” as well as effective, proportionate and dissuasive.[13] It is curious that the revisions to the RAP were put out to public consultation, whereas the new policy for PSEs received no equivalent public scrutiny.

Mr Edwards’ initial justification for the change in policy is that: “[Fines] do not impact shareholders or individual directors in the same way as they do in the private sector but come directly from the budget for the provision of services.” This seems to be a highly challengeable assumption. It is axiomatic that fines have a detrimental impact on any entity upon whom they are imposed: that is what makes them effective and dissuasive. There are very few private sector businesses that would not be materially affected by a fine, excluding the obvious international tech corporates such as Meta. Almost no private sector entities operate with a reserve budget for fines, which means they are often paid by reallocating funds from other budgets, increasing borrowing or cutting resource. Of course, reduced profit for shareholders will occur, but we suggest that it would be wrong to imply that the difference is not felt in an equivalent way in the private sector.

Mr Edwards’ second justification is that “the impact of a public sector fine is also often visited upon the victims of the breach, in the form of reduced budgets for vital services, not the perpetrators. In effect, people affected by a breach get punished twice.” Again, this is open to challenge and also appears to lack any independently verifiable evidence. Whether the public body in question has depleted funds due to paying a fine is a public policy issue, not a law enforcement issue. If the DfE were fined £10m by the ICO instead of being given a reprimand, the DfE would be able to choose which of its budgets are impacted and, if there were an impact on service users, to seek additional resource from central government. If what Mr Edwards says is right, surely central government should apply this rule to all public sector enforcement rather than just data protection? Yet many other regulators continue to investigate PSE wrongdoing and issue fines where deemed appropriate. In September 2023, Network Rail was fined £6.7m due to its failings in the 2020 Aberdeen train derailment.[14] Presumably that fine will be deducted from budgets that were otherwise allocated to operation of the national train network? Why is it OK for one regulator to fine and take money from front line services, but not for another?

These are clearly difficult issues. They are political and philosophical in nature. It is our view that the decision about how to enforce against PSEs should be resolved by Parliament rather than the view of one regulator. It requires a democratic debate about what is right for the UK. Indeed, this was envisaged by the original draft of the GDPR which devolves to member states (not their regulators) the ability to decide whether to fine PSEs.

What are the alternatives?

We believe that issuing reprimands to PSEs alone is not effective or dissuasive. We have seen no evidence to support the view that this policy change will result in positive benefit to the rights and freedoms of data subjects. Reprimands are of extremely limited value and are certainly not equivalent in effect to monetary penalty notices. Their use in this policy is also disproportionate. But still the question lingers: if not that, then what?

Before launching into our suggested alternatives, it is worth pausing to reflect that there is no panacea and that any alternative solution, other than returning to the way things were, will result in different treatment for PSEs. Each reader of this article, and indeed the authors themselves, will have different views on the options, and to a large extent those views are formed by our personal biases regarding basic philosophical approaches to issues as expansive as justice and the punishment of wrongdoing. However, in an attempt to get off the fence and start a good debate, here are some alternative options that the ICO could explore with PSEs.

  1. Levy Lower Fines: This seems quite obvious to us. It is the approach more commonly taken on the continent. A fine of a lower value has the benefit of meaning that there are still some consequences for PSEs beyond a mere reprimand. The detriment of course is that a fine, however large or small, will result in an impact on the PSE’s budgets. This policy could be subject to discretion, i.e. a greater reduction for an NHS Trust and a lesser reduction (or none) for a publicly-owned private bank.
  2. Suspended Sentence: Another option, and one which is conceptually closer to the position the ICO has already taken, is to identify the fine value and then decline to levy it, instead suspending it for a period of time while the PSE’s behaviour is monitored and data protection improvements are made. Should a second fineable incident occur within the suspension period, the ICO takes both fines into account and levies a much larger fine, a bit like with a criminal sentence. The benefit of this approach is that it reduces (though does not eliminate) the sense of public/private sector injustice and, one could argue, it is more easily justifiable to demand payment of a fine if the PSE incurs 2 fineable breaches in a year, for example. The downside is that it may result in even larger sums being taken from PSEs, causing exacerbated hardship to already stretched services.
  3. Pay The Fine To The Victims: As discussed above, one of Mr Edwards’ justifications is that fines for PSEs result in victims being punished twice, that is to say punished because their personal data is subject to a breach and punished again when the public service suffers due to the fine. The first part of this problem could be ameliorated by levying the fine at full value and paying a proportionate amount of each fine to the affected data subjects. There are several benefits to this approach: it tackles head on the conceptual sense of injustice between public and private sectors; it provides a meaningful remedy to affected service users; it ensures that the financial pain continues to be felt by PSEs that have caused a breach. The downsides are also clear: for a start, people affected by the breach may receive payment even if they have not suffered any verifiable detriment; administering such a system of payment is far easier to articulate than to deliver (think of all the civil servants it will need!); those PSE service users who were not affected by the breach will not be eligible for a payment but will presumably still suffer a diminished service due to the shortfall in available budget; and it may create an unsavoury claims-based culture in an industry already awash with ambulance-chasers.
  4. Pay The Fine To Charities: If it seems unsatisfactory to pay fines directly to affected data subjects, an alternative would be to pay the fine to charities in the sector in question. For example, if an NHS Trust is to be fined £3m for a particularly nasty data breach arising from loss of cancer patient records, that money could be handed to vetted cancer charities. This option has the benefit of ensuring that no one service-user group is financially advantaged over other service-user groups. It still has the detriment of taking money from PSEs and leaving their services diminished.
  5. Affirmative Action: A different option is to levy the fine and require that all or part of it is invested back in the PSE for better training, IT security improvements and data protection organisational changes. So, if the police service is fined £20m for the PSNI breach, the ICO may come to an arrangement where only £5m of that fine is paid and the balance must be re-allocated by PSNI to corrective action which can be evidenced to the ICO within (say) 12 months, failing which the entire fine would become payable. The upside here is that the majority of the money remains where it is needed most (in the PSE) and it also means the PSE is being forced to make positive changes which will have a tangible effect on improving data security and processing standards for service users. There appear to be fewer downsides with this option, although one persistent objection is that it means there will be a depletion of funds for other (arguably more pressing) areas of the PSE’s work. One contributor to this article also amusingly (and presumably with tongue-in-cheek) suggested that it could result in very peculiar behaviour from IT personnel deliberately sabotaging their own PSE’s systems to ensure they get the uplifted budget that may have been declined by the PSE’s senior leadership team during budget season! We are sure this would never happen.

Where next?

The focus is now squarely on the ICO and the PSNI incident. What will Mr Edwards do? Will he honour his policy, or is this the egregious breach which results in a heavy fine, the first for any PSE in over 12 months? If not, will he come forward and give an example of what, in his view, would be a most egregious breach? The officers and staff at PSNI would (we suspect) be interested to hear it. The view of the authors is clear: the new policy is not effective, not proportionate and not dissuasive, and it is certainly not fair. In that sense, rather than helping the public, the ICO is failing to deliver its duty to protect them.


Authors –

Matthew Holman, Principal, EMW
Stefan Dingelstad, Solicitor, EMW
Sarah Simon, Solicitor, EMW
Jonathan Addaih, Paralegal, EMW


[1] Open letter from UK Information Commissioner John Edwards to public authorities | ICO

[2] PSNI chief admits officers anxious and angry at data breach – BBC News

[3] See ICO Enforcement Notice 30 May 2023

[4] Press notice regarding data breach at Norfolk and Suffolk police | Suffolk Constabulary

[5] Greater Manchester Police officers’ details hacked in cyber attack – BBC News

[6] Article 83 (7) EU GDPR. This section was removed from the UK GDPR and not replaced. The reason for this is set out in the EU Exit Regulations 2019 explanatory notes, which state: “A number of the articles in the GDPR make provision which is akin to that in a directive, permitting Member States to make certain data protection provision in domestic law. For example, articles 87, 88 and 90. Such articles will be wholly redundant after Exit Day and have therefore been omitted.”

[7] Article 221 §2 of the Act of 30 July 2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data.

[8] Section 43 (3) of the German Federal Data Protection Act.

[9] Section 62 (5) of Act No. 110/2019 Coll. on personal data processing.

[10] GDPR Enforcement Tracker – list of GDPR fines

[11] Data Protection Act (Act No. 7/2018) (Irish Act) Chapter 6.

[12] It is owned by NatWest Group plc, which has been in public ownership since 13 October 2008 due to the failure of RBS Group plc (its prior name).

[13] regulatory-action-policy-2021_for-consultation.pdf (ico.org.uk)

[14] Stonehaven crash: Network Rail fined £6.7m over fatal derailment – BBC News
