ICO Slashes Government Data Breach Fine - Infosecurity Magazine

ICO Slashes Government Data Breach Fine – Infosecurity Magazine

The UK’s data protection regulator has reduced a fine imposed on the Cabinet Office last year after a major breach, from £500,000 to just £50,000.

The Information Commissioner’s Office (ICO) issued the Monetary Penalty Notice (MPN) last November after its investigation into a 2019 incident.

Back then, the Cabinet Office accidentally published the names and unredacted addresses of more than 1000 people announced in the New Year Honours list. The information was accessed thousands of times during the two hours it was left online, the ICO said.

New Year Honours list recipients are often individuals in the public eye, like celebrities from the worlds of sport, TV and music. So it was this time, with the likes of Elton John and England cricket captain Ben Stokes among those impacted by the leak.

However, after a Cabinet Office appeal which argued that the fine was “wholly disproportionate,” the ICO appears to have had a change of heart.

New information commissioner John Edwards said that although he believes the original fine was proportionate to the number of victims, “I recognize the current economic pressures public bodies are facing, and the fact that in certain cases fines may be less critical in achieving deterrence.”

He indicated that this was part of a new approach from the regulator which could result in more education and fewer fines.

“Since the fine was issued last year, I have adopted a new approach to working more effectively with public authorities to raise data protection standards. As I have explained, in certain circumstances large fines on their own may not be as effective a deterrent within the public sector,” Edwards said.

“I am willing to use my discretion to reduce the amount of fines on the public sector in appropriate cases, coupled with better engagement including publicizing lessons learned and sharing good practice.”

That approach has already been visible in the ICO’s move to reduce a massive £784,400 fine levied against the Tavistock and Portman NHS Foundation Trust to just £78,400, a drop of over 900%.

It also declined to fine two government departments in September for “persistent” failures to respond to Freedom of Information (FOI) Act requests.

Although the information commissioner is appointed by the government, the ICO is nominally an independent authority – a non-departmental public body reporting directly to parliament.

This content was originally published here.