The ICO’s current practice of largely replacing fines with “reprimands” raises concerns about the lack of guidance or apparent procedure for how reprimands are issued. Additionally, the absence of any mechanism to appeal the serving of a reprimand could unfairly put recipients at reputational and legal risk.
At a conference of the National Association of Data Protection Officers last November, hosted at the Mishcon de Reya offices, Information Commissioner John Edwards gave a speech about his new approach to enforcement of data protection laws. Public bodies would not, he announced, now be subject to fines for serious infringements of their data protection obligations, except for the most egregious of incidents. Instead, the Information Commissioner's Office (ICO) would consider the other enforcement "tools" available under Article 58(2) UK GDPR, including enforcement notices, warnings and reprimands.
The use of reprimands by the ICO was largely unknown until the author made a Freedom of Information request in 2021. That request revealed that a number of reprimands had indeed been issued since May 2018 (when GDPR came into effect), including to some very large organisations, but that the ICO had not published them, let alone publicised them.
Edwards, in his speech, made clear that from then on the default position would be that reprimands would be published.
However, the nature and use of reprimands has caused some confusion. Article 58(2)(b) of UK GDPR makes clear that a reprimand can only be given where a "processing operation" has infringed UK GDPR, so it is a prerequisite of serving a reprimand that the ICO has found an infringement by the controller or processor. But there is no further explanation, in either the Articles or the recitals of UK GDPR, of what triggers a reprimand or of what the procedure for serving one, and for challenging one, should be.
Where there is an absence of statutory explication of an important regulatory enforcement measure, one would naturally expect the regulator to provide such guidance. However, the ICO has published no guidance on its use of reprimands (they get a single mention in the Regulatory Action Policy). For this reason, in February of this year the author made a Freedom of Information request for the internal policies and procedures which govern and guide the ICO's staff when issuing reprimands. The response was that the ICO has "no specific written policy or procedure covering the issuing of reprimands" but is "currently working on putting together a formalised process specifically for reprimands, which will be added to our Investigations Manual once finalised". Six months on, though, there is no obvious sign of it having been completed; or, if it has, it has not been published.
It is an unusual and unsatisfactory situation for regulatory enforcement action to be unclear and unsupported by guidance. This is especially so where the action lies somewhere in the gap between the informal and formal. The ICO has previously said that "recommendations we make in reprimands are advisory", yet some reprimands clearly signal that failure to take recommended steps will result in regulatory action. For instance, in a reprimand handed to NHS Scotland in February 2022, the ICO's then Deputy Commissioner said that failure to comply with the recommendations would lead him to consider exercising his power to serve an enforcement notice.
Another issue is that some reprimands are served in the form of a letter with a signature (the name of the issuing officer sometimes redacted and sometimes not), while others are an unsigned free-standing notice. This reinforces the impression that there is a lack of consistency or clarity in the process.
And these are not just arbitrary concerns. It is axiomatic that the publication of any regulatory enforcement action has an effect on reputation: any public adverse regulatory notice could potentially result in complaints and claims against the recipient. If an organisation receives an enforcement notice or a monetary penalty notice, there is a statutory right of a merits appeal to the Information Tribunal. This process ensures fairness for the recipient, but would also, one assumes, tend towards ensuring investigatory and drafting rigour on the part of the ICO. With reprimands, by contrast, there is no right of appeal: the reputational hit is there, but procedural fairness by way of a statutory challenge is not. Although it would be possible to apply for judicial review of the decision to serve a reprimand, this is a costly option limited essentially to cases where the applicant could argue that the decision was illegal or irrational.
Shortly after John Edwards' November 2022 announcement, the ICO's Director of Investigations published a blog post which said that the move to publishing all reprimands was part of a drive to "provide certainty to businesses and organisations in what the law requires from them". He linked this to the ICO's "pilot" of not (as a general rule) fining public authorities, announced as part of the ICO's three-year strategy, "ICO25". The problem there is that, although the announcement gained a lot of publicity, there appear to be no metrics associated with the "pilot", other than John Edwards' statement that "if I do not see the improvements that I hope to see, I will look again [at the policy of not fining public authorities]".
If the ICO's current "reprimand-only" approach continues against the recent background of serious data breaches, and if those reprimands continue to have no associated (and published) policy or guidance, whilst remaining outside any right of appeal, then there will surely be calls for a rethink.