The Information Commissioner's Office ('ICO') announced, on 30 June 2022, that it had set out a revised approach to working more effectively with public authorities, through an open letter sent from the Information Commissioner, John Edwards, to public authorities. In particular, the ICO noted that it will increase the use of its powers to issue warnings, reprimands, and enforcements actions, leaving fines for the most serious cases only. Furthermore, the ICO stated that it will work more closely with the public sector to encourage compliance with data protection law and prevent harms before they happen. In light of this change, the ICO announced that it had issued a reduced fine of £78,400 from £784,800 to Tavistock & Portman NHS Foundation Trust for disclosing 1,781 email addresses belonging to adult gender identity patients, as well as a reprimand (instead of the original £749,856 fine) to the NHS Blood and Transplant Service after they inadvertently released untested development code into a live system for matching transplant list patients with donated organs in August 2019. 

The revised approach is part of ICO25 - the ICO's three-year strategic vision to empower organisations to innovate while using people's data responsibly.

You can read the press release here, the letter here, Tavistock & Portman NHS Foundation Trust's monetary penalty notice here, and the reprimand to the NHS Blood and Transplant Service here.