The UK Information Commissioner’s Office has issued a reprimand to the Department for Education (“DfE”) and reduced a monetary penalty notice (“MPN”) imposed upon the Cabinet Office in 2021. Both matters reflect the ICO’s revised approach to enforcement actions involving public authorities, adopted in June 2022, in which the ICO undertook to issue fines only in the most serious cases, while working with the public sector to encourage compliance with data protection laws and prevent harms before they occur.
The ICO imposed a £500,000 MPN upon the Cabinet Office in November of 2021 for a 2019 data breach in which errors in the setup of the Cabinet Office IT systems caused the publication of the names of more than 1,000 people on the New Year Honours list for more than two hours. The Cabinet Office appealed the amount of the fine, alleging that it was “wholly disproportionate,” and on November 3, 2022, the ICO announced that the parties had reached a settlement, reducing the MPN to £50,000. According to the ICO, the Cabinet Office only disputed the amount of the fine, not the facts associated with the imposition of the penalty. Because of the settlement, the Cabinet Office’s appeal was dismissed.
The ICO also announced a reprimand of the DfE for violating data protection laws when it authorized an employment screening firm, Trust Systems Software UK Ltd (trading as Trustopia), to access its learning records services database (“LRS”), a database intended to enable education providers to confirm student qualifications. An ICO investigation revealed that the DfE authorized Trustopia to access the LRS in order to determine whether online gambling customers were over the age of 18, a use which the ICO determined was beyond the database’s original purpose. The reprimand issued by the ICO provided the DfE with a set of clear measures to implement in order to improve data protection practices and, in particular, the protection of children’s data.