Many are aware of the powers available to the Information Commissioner's Office (ICO) under the General Data Protection Regulation (GDPR) to issue huge administrative fines, and many also know the Commissioner can serve "enforcement notices" on companies and other bodies who infringe the GDPR provisions. These powers derive from Article 58 of GDPR. However, the other Article 58 powers have perhaps been less examined, and the recent announcement that the ICO has issued "reprimands" against two schools, for GDPR infringements involving class photographs of children, demands some attention.
One school received a reprimand for sending a class photograph to a local newspaper, thus failing to have regard to a refusal of consent to such sharing by the parents of two pupils, whilst another school received one for sending a class photograph to parents containing the image of a child whose adoptive parent had previously refused consent for photographs of her daughter to be used outside of the school. Notably, one of the recipient schools and its headteacher were named (and her email address even published, which presumably was in error), whilst the other was not, but only because of concerns about the child involved.
These are certainly not the first examples of reprimands being issued by the ICO – for instance, in its 2019 report, "GDPR one year on", it made reference to "warnings and reprimands" having been issued "across a range of sectors including health, central government, criminal justice, education, retail and finance", but, in contrast to the recent reprimands, no specific publicity appears to have been given to these examples.
Interestingly, the ICO's policy on communicating its regulatory and enforcement action says:
[By] 'formal regulatory outcomes' we mean those where we serve or issue some form of notice, reprimand, recommendation or report following our regulatory work. Our default position is that we will publish (and, where appropriate, publicise) all formal regulatory work, including significant decisions and investigations, once the outcome is reached
This seems at odds with the actual position, given that the two recent reprimands appear to be the first ones the ICO has actually published.
It is not clear whether there has been a hardening of approach by the ICO, but all organisations dealing with data protection compliance need to be aware of the risk that an infringement – even if it doesn't result in a fine or an enforcement notice – could still lead to a reputationally damaging public reprimand.