Category Archives: reprimand

Still no clearer on reprimands

[reposted from LinkedIn]

What is a reprimand, and how does the ICO decide to issue one? This, bizarrely, remains a bit of a mystery – apparently even to the ICO themselves.

Under Article 58(2)(b) of the UK GDPR the Information Commissioner’s Office has the power to issue reprimands to a controller or a processor where processing operations have infringed provisions of the UK GDPR.

Since January 2022 the ICO has issued 84 reprimands that it has made public (it’s possible there are others it hasn’t published – that’s certainly happened in the past). Yet there is still no clearly documented process that the ICO will follow to decide what might trigger the decision to issue a reprimand.

In February 2023 I was informed by the ICO that “there is no specific written policy or procedure covering the issuing of reprimands [but that they were] currently working on putting together a formalised process specifically for reprimands, which will be added to our Investigations Manual once finalised”.

So I followed this up recently (18 months on from the previous request). And I’ve had a couple of documents disclosed to me, one a checklist that begins “Once reprimand agreed…” and another on how to apply redactions, but, otherwise, there appears still to be no way for an organisation – or even the ICO themselves(!) – to know what might lead to a reprimand being issued, and how the decision will be made.

So, six years on from the ICO getting the power, those organisations placed on the naughty step appear to be no closer to understanding what exactly they did to deserve it.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Filed under Data Protection, Information Commissioner, reprimand, UK GDPR

Soft regulation = poorer compliance?

The Information Commissioner’s Office (ICO) has published reprimands against seven separate organisations all of whom committed serious infringements of data protection law by inadvertently disclosing highly sensitive information in the context of cases involving victims of domestic abuse.

The ICO trumpets the announcement, but does not appear to consider the point that, until recently, most, if not all, of these infringements would have resulted in a hefty fine, not a regulatory soft tap on the wrist. Nor does it contemplate the argument that precisely this sort of light-touch regulation might lead to more of these sorts of incidents, if organisations believe they can act (or fail to act) with impunity.

I have written elsewhere about both the lack of any policy or procedure regarding the use of reprimands, and also about the lack of empirical evidence that a “no fines” approach works.

I think it is incumbent on the Information Commissioner, John Edwards, to answer this question: are you confident that your approach is not leading to poorer compliance?


The cases include:

  • Four cases of organisations revealing the safe addresses of the victims to their alleged abuser. In one case a family had to be immediately moved to emergency accommodation.
  • Revealing identities of women seeking information about their partners to those partners.
  • Disclosing the home address of two adopted children to their birth father, who was in prison on three counts of raping their mother.
  • Sending an unredacted assessment report about children at risk of harm to their mother’s ex-partners.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Filed under Data Protection, Information Commissioner, monetary penalty notice, reprimand, UK GDPR