Before GDPR came into force the UK’s Information Commissioner’s Office (ICO) was limited to fining organisations £500,000, which was a pretty poor disincentive to large enterprises. GDPR changed all of this by enabling fines of EUR20 million or 4% of annual global turnover (whichever is larger). Fast forward 18 months since the introduction of GDPR and such fines are now being levied.
While authorities waited for organisations to bed into GDPR before issuing significant fines, the recent rise in ‘megafines’ signifies that they feel they have now waited long enough. In July 2019, for example, the UK’s ICO handed out the two biggest penalties to date – fining BA EUR205 million and Marriott EUR110 million (both of which are appealing).
But GDPR is not supposed to be simply a revenue-raising operation – it’s supposed to ensure personal data is better protected by punishing companies that do not comply and thereby incentivising others to pay better attention to their systems and processes. Whether GDPR is effective is an interesting question that remains to be answered. But whether it is effective across all sectors is even more interesting.
One sector that bears particular scrutiny is the public sector. Some substantial GDPR fines have already been levied on public sector organisations across the EU – such as Austria Post (fined EUR18 million) and Bulgarian National Revenue Agency (fined EUR2.6 million).
In 2019 the UK ICO took action against the following organisations and people in the public sector:
- Northern Ireland’s DoJ for auctioning off a filing cabinet that contained personal information about victims of a 2014 terrorist attack (£185,000 fine)
- a Blackpool hospital for posting the private details of thousands of staff members on its website (£185,000 fine)
- Humberside Police for losing disks containing a video interview of an alleged rape victim (£130,000 fine) – with the ICO commenting that highly personal video evidence is being lost too frequently by police authorities in general
- Dannyelle Shaw, a Reablement Officer at Walsall Metropolitan Borough Council was prosecuted for accessing social care records without authorisation (fined a total of £859 including costs)
- Michelle Shipsey, a Social Services Support Officer at Dorset County Council, was fined for accessing social care records without authorisation. She was given a 6 month conditional discharge with fines and costs of £720
- Metropolitan Police for failing to answer SARs in a timely fashion
- Jeannette Baines, a Restorative Justice Caseworker, who was prosecuted for sending sensitive personal data to her own personal email account without authorisation. She was sentenced to a 3 year conditional discharge and ordered to pay costs of £620
- Shamin Sadiq, a GP practice manager, who was fined for sending personal data to her own email account without authorisation. She was fined £414 including costs.
- The London Borough of Newham was fined £145,000 for disclosing the personal information of more than 200 people who featured on a police intelligence database
- Faye Caughey, an administrator at Heart of England NHS Foundation Trust (HEFT), was prosecuted for accessing medical records without authorisation. She was fined £1000, ordered to pay costs of £590 and a victim surcharge of £50.
- Kevin Bunsell, a senior local government officer, was prosecuted for passing the personal information of rival job applicants to his partner who had applied for a job at the Council. He was fined £660, ordered to pay costs of £714 and a victim surcharge of £66.
As can be seen, most are prosecutions of individuals, not organisations, and the fines are currently modest.
However, the public sector is responsible for the highest number of data breach fines from the ICO, with 60 handed out to this sector from a total of 110 fines. And UK government departments admit they are still losing large numbers of devices.
Responding to a Freedom of Information (FOI) Request from security vendor Apricorn, the MoJ revealed that its laptop losses had gone up 400% since 2016 (with 201 being lost in 2018-19), The Department for Education (DfE) reported 91 lost or stolen devices in 2019 and NHS Digital lost 35 in 2019. A separate FOI request from MobileIron found that 508 devices were lost or stolen from eight government departments between January 2018 and April 2019. (In their defence, the departments say that data on the devices was encrypted.)
The question remains: will fines and prosecutions be sufficient in the public sector to incentivise improvements to data protection and GDPR compliance?
Apparently not, as the number of personal data breaches reported by nine government departments and organisations has risen from 3,522 in 2017-18 to 7,409 in 2018-19. Undoubtedly some of this is just improved reporting, but it bears acknowledging that The Home Office reported 29 times as many breaches and the Ministry of Defence four times as many.
Part of the problem is that this is not just a question of poacher turned gamekeeper; in this case the poacher and the gamekeeper are simultaneously one and the same. Fines simply do not have the same effect in the public sector as in the private sector. The money from GDPR fines goes to the UK Treasury and thus isn’t ‘lost’ to the public sector but merely recycled. If there’s a shortfall in a department’s or organisation’s budget then services are cut or the department can appeal for more funds, but there are no shareholders to hold managers to account. Making the fine bigger doesn’t have a more significant effect like it does in the private sector. For the public sector the real punishment therefore comes in the form of prosecutions of guilty parties and holding senior staff accountable.
The picture presented is currently not a good one for the UK public sector, with quasi governmental organisations, local authorities and sectors such as Education also holding large amounts of sensitive data – often on very vulnerable subjects. The main problem with GDPR is that it is designed to police and improve data security in the private sector and has effectively been retro-fitted to the public sector. As government departments, quangos and public sector organisations ‘go digital’, this issue is set to rise up the agenda. Without trust, public support for public sector digitalisation will evaporate.
The UK public sector has everything to lose, as public confidence is currently high. The ICO found that respondents rated the NHS, police and national government 4.5 out of 5 in terms of their trust and confidence in data security. Sixty-six per sent said they trust the NHS or their local GP with storing and using their personal information. If this trust is not to be misplaced, public sector organisations need to pay close heed to their GDPR compliance and their information security processes as a matter of urgency.