04 Aug 2023 | Blog

Blog: 04 August 2023 - Charlotte Smith, Sharpe Pritchard Partner


Unlawful Processing of Data - A Data Protection Update

Over the past year, the Information Commissioner’s Office (ICO) has undertaken a number of enforcement actions in relation to breaches of the GDPR. The ICO has also changed its approach to breaches by public authorities in particular, with the aim of reducing the impact that fines have on service users.


TikTok Fine
In spring 2023, the ICO fined TikTok £12.7 million for unlawfully processing personal data. In particular, the ICO held that TikTok had failed to do enough to check who was using its platform and to remove users who were children under the age of 13 and for whom parental consent had not been provided.
The GDPR provides that information society services (e.g. social media platforms) may only rely on consent to process the personal data of a child under 13 where that consent is given or authorised by the holder of parental responsibility. Because verifying this is difficult, many other social media platforms choose not to allow under-13s to use their platforms at all. The ICO estimated that more than one million UK children under 13 were using TikTok in 2020.


The ICO Approach to Public Authority Fines
In June 2022, the new Information Commissioner set out a revised approach to regulating public bodies. The ICO recognised that large fines on public authorities could end up harming service users, because a fine reduces the budget the authority has available for its services. As a result, where data protection legislation has been breached, the ICO will now consider other measures, such as reprimands, alongside or instead of fines.
Since this revised approach was announced, where fines have been issued to public sector bodies the ICO has taken the public role of the authority into account, issuing a lower fine than it would have issued to a private body and saying so in the monetary penalty notice. Nevertheless, the ICO has warned that this should not be taken as an indication that it will always adopt such an approach.


Recent ICO Action against Public Bodies
As examples of the approach the ICO has recently taken to data protection breaches by public sector bodies:
• The Tavistock & Portman NHS Foundation Trust was fined £78,400 after it sent a mass email with recipients in the CC field rather than BCC. This disclosed the email addresses of patients at the Trust’s Gender Identity Clinic to one another.
• The Met Police was reprimanded, but not fined, for failing to ensure that criminal records were uploaded correctly to the Police National Database.
• NHS Blood and Transplant was reprimanded for deploying untested code to its system, which led to transplant patients being excluded from the Liver Matching Run for a week in September 2019.
• Norfolk County Council was reprimanded for responding to only 260 of 511 subject access requests within the statutory timescales between April 2021 and April 2022.
As these examples show, there are many ways in which a public body can fail to comply with data protection legislation, each capable of causing detriment to the public and attracting enforcement action from the ICO in the form of a fine or a reprimand.

Charlotte Smith

Sharpe Pritchard, Partner
