ICO publishes reprimands not just fines

January 2023

If you received a regulatory reprimand in 2022 it may now be in the public domain

Until now organisations only faced the limelight for data protection indiscretions if they received an enforcement notice or fine. Not so anymore, lesser mistakes could now be made public and risk reputational damage.

The ICO has announced it is publishing the details of all reprimands, including ongoing cases and those which don’t result in enforcement action. Details will only remain private if there’s a genuine reason not to publish, such as matters of national security or where publication could jeopardise an ongoing investigation.

The change is backdated to January 2022, which means we’re set to hear the details of twenty-eight reprimands issued last year on the ICO’s reprimands website page.

With any ICO enforcement action, organisations are expected to improve their data protection practices and the ICO routinely conduct follow ups to make sure their recommendations are properly implemented.

What impact will publishing reprimands have?

The impact is likely to be two-fold. There’s now more chance of negative publicity, but there’s also more opportunity to learn from the mistakes of others.

Any organisation which suffers a reportable data breach, or is investigated by ICO for other reasons, wants to avoid unnecessary publicity which could harm their brand image. But now organisations can no longer expect confidentiality, even if the ICO decides not to enforce a data breach or privacy violation.

With more information of this nature out in the public domain (even when there’s no fine or other enforcement action) those organisations are more open to potential reputational damage. Something we should all consider when evaluating privacy risks.

This increased transparency and detail of reprimands however will be incredibly useful for privacy and information security teams. We’ll be able to see where organisations were found wanting and what measures are needed to meet the ICO’s standards.

For example, how did Company A fail to fulfil Data Subject Access Requests? How did Company B manage to disclose personal data without authorisation? And most importantly what actions does the ICO recommend?

In theory at least, we should gain a better understanding of the ICO’s expectations in specific situations and what acceptable solutions look like, giving us more certainty.

For the general public, the change helps to provide information on about the ICO’s approach to regulating their information rights, so they become better informed to speak out about poor practices and raise complaints when appropriate.

ICO Commissioner, John Edwards summed up why they made this change:

‘Whatever regulatory action we take, whether it is a reprimand or a fine, its value goes far beyond the individual organisation. Every regulatory action must be a lesson learned by the rest of the economy and play a role in behaviour change.’

So the message is clear. The information is out there to help you learn the lessons. And if you suffer a reportable data breach or ICO investigation, you should not expect the details to remain confidential.

This move to publish reprimands comes alongside the ICO’s new approach to the public sector. Fines will only be issued to public sector organisations in the most serious of cases. The ICO wants to work more closely with public authorities, encouraging compliance with data protection law to prevent harms before they happen. The problem with fines, it the high the public purse and our essentially paid by the tax payer.