The Government is reforming Data Protection Law and has recently issued its response to its consultation ‘Data: A New Direction’. I think it is fair to say that the proposals are not as drastic as many data protection practitioners and lawyers had envisaged. However, the intention to make having a Privacy Management Programme a legal requirement hints at an increasing focus on accountability. This focus isn’t new but is part of a direction of travel which started under former Information Commissioner, Elizabeth Denham, under whose leadership the ICO produced a full Accountability Framework and Toolkit.

However, there is now another development. On 30 June, the Information Commissioner issued an open letter to the public sector. This announced a revised approach to enforcement in the sector with less of a focus on monetary penalties and more of a focus on (in the words of the Information Commissioner) ‘raising data protection standards across the board and preventing harms from occurring in the first place’. The ICO will launch its three-year strategic vision later this month and the new focus on raising data protection standards will be part of it.

The Information Commissioner is ‘not convinced large fines on their own are as effective a deterrent within the public sector’, partly because fines reduce the budget for vital services and ‘people affected by the breach get punished twice’.

The ICO will trial the new approach of reducing the impact of fines on the public for two years. It will still investigate breaches in the same way, follow up with organisations to make sure that improvements are made and do more to publicise the cases for others to learn from.

What is behind this is an increasing emphasis on accountability, both in its strict data protection sense of being able to demonstrate compliance with the data protection principles and in its widest sense. The Information Commissioner is very clear about that, saying, ‘I expect to see greater engagement from the public sector, including senior leaders, with our data protection agenda. I also expect to see investment of time, money and resources in ensuring data protection practices remain fit for the future’.