Public Reprimands, an Effective Deterrent Against Data Breaches – Source: www.infosecurity-magazine.com

The publication of reprimands following data leaks has been cited as an “effective” deterrent for public authorities.

This follows a two-year trial led by the UK’s Information Commissioner’s Office (ICO) which sought to work proactively with the public sector to encourage data protection compliance.

Over the two years of the Public Sector Approach (PSA) trial, the ICO has published around 60 reprimands issued to public bodies.

The reason such reprimands have been affective is because of their potential for reputational damage and impact on public trust. The reprimands can also be used to capture the attention of senior leaders, according to feedback of the ICO trial by public authorities.

In a statement, John Edwards, the UK’s Information Commissioner, said the trial saw greater use of his discretion when it came to fines.

“In practice, that meant we would increase the use of my wider powers, including warnings, reprimands and enforcement notices, with fines only issued when necessary. That’s so victims of a data breaches are not being punished twice in the form of reduced budgets for vital public services,” he said.

Central government departments cited increased engagement and positive changes on the back of reprimands.

However, Edwards said that wider public sector organizations displayed limited awareness.

“Which means we must do more to share best practice and lessons learned,” he said.

Edwards noted that following the publication of some of the reprimands, significant changes had been made by organizations including a local council updating its procedures to prevent inappropriate disclosure of children’s information and an NHS Trust stopping sending bulk emails with sensitive information.

Other regulatory tools are still used by the ICO, including an enforcement notice that was issued to the Home Office. However, this approach remains limited.

Fines were also issues to Ministry of Defence and Police Service of Northern Ireland for breaking data protection law.

However, Edwards noted that if fines alone had been used, they could have reached £23.2m ($29.5m), instead of £1.2m ($1.5m). Ultimately the feeling is that fines on public sector service disproportionately affects the budget of smaller organizations and devolved administrations.

One area of improvement the ICO noted was how it must make it more clear which organizations fall within the scope of the public sector approach and what type of infringements could lead to a fine. 

While the ICO does not outline the PSA trial as an outright success or failure. Instead, it noted that it involves multiple layers with more to do but has overall been impactful.