ICO and UK Cabinet Office agree on lower fine after data breach

The data protection regulator and Cabinet Office join forces to share good practice and settle big fine.

The UK Information Commissioner (ICO) has come to an agreement with the Cabinet Office to reduce a fine imposed on the Cabinet Office in 2021 in relation to the New Year Honours data breach. The original £500,000 ($574,000) Monetary Penalty Notice (MPN) is to be reduced to £50,000 ($57,000).

The ICO issued its fine to the Cabinet Office on November 15, 2021, after a data breach in 2019 where the Cabinet Office published a file on gov.uk with the names and addresses of more than 1,000 people who were announced in the New Year Honours list. The file was available online for two hours and 21 minutes, and was read 3,872 times.

“Wholly disproportionate”

The Cabinet Office appealed against the £500,000 fine to the First-tier Tribunal (General Regulatory Chamber) in December 2021, arguing that the level of the penalty, and its imposition, was “wholly disproportionate”.

“The ICO is a pragmatic, proportionate and effective regulator, focusing on making a difference to people’s lives. While I consider the original fine was proportionate in all the circumstances of this case due to the potential impact on the people affected by the breach, I recognise the current economic pressures public bodies are facing, and the fact that in certain cases fines may be less critical in achieving deterrence,” said John Edwards, UK Information Commissioner.

Both parties have agreed on the new £50,000 penalty, which has also been approved by the Tribunal. The Cabinet Office’s appeal before the Tribunal is otherwise dismissed, and the hearing listed before the Tribunal on 4 November has been vacated.

“We welcome the agreement reached with the Cabinet Office and we will continue to work with them to ensure people’s information is being looked after,” said John Edwards.

Public approach

The reduced fine is in line with the ICO’s updated approach to working more effectively with public authorities. The approach was outlined earlier in June in an open letter from Edwards to public authorities. With this strategy, which will be trialled for two years, the ICO hopes to build better engagement with the public sector, to share good practice, and to publicise data breach cases alongside reduced fines.

“Since the fine was issued last year, I have adopted a new approach to working more effectively with public authorities to raise data protection standards. As I have explained, in certain circumstances large fines on their own may not be as effective a deterrent within the public sector. I am willing to use my discretion to reduce the amount of fines on the public sector in appropriate cases, coupled with better engagement including publicising lessons learned and sharing good practice,” said Edwards.

This penalty was issued under the Data Protection Act 2018 (DPA 2018) for infringements of the GDPR.