Information watchdog to continue with its public sector approach to data protection enforcement

The approach, first trialled in 2022, emphasises the use of warnings, reprimands and enforcement notices, with fines only issued in the most serious cases.

In December 2024, the information watchdog announced that it had handed out £1.2m worth of fines during the trial period. It said that if the public sector approach had not been applied, the fines could have reached £23.2m. 

Commenting on the move away from large fines in a blog post issued this month, Information Commissioner John Edwards, said: "We can do this because there are different ways we can drive change and require accountability in the public sector.

"We can engage directly with senior officials, involve select committees, or escalate concerns to Parliament. These levers often deliver more than fines, which, while sometimes necessary, are not always the most effective tool in this sector."

He also announced the findings of a consultation it held earlier this year on its approach to public sector enforcement - and said the ICO has now published a clearer definition of organisations in scope and the circumstances under which a fine may be issued.

Edwards said the ICO will continue with its public sector approach because it focuses on improvements rather than punitive actions, minimises unintended consequences to public services and people, and provides regulatory certainty by clarifying expectations early on.

He wrote: "We've been encouraging public authorities to embed data protection by design into everyday operations from the outset rather than treating it as a reactive obligation. And we do so by having early engagement, providing guidance, doing audits, offering services such as our Sandbox, and much more."

According to Edward,s the "active conversations" with public sector organisations had led to improvements and data protection officers (DPOs) have told the ICO they have made changes because of the engagement.

"For example, in Scotland, our work with local authorities to improve SAR compliance has achieved impactful results for people’s information rights, with almost half of the authorities achieving at least 90% compliance," he wrote.

On financial penalties, Edwards said that, while fines still have their place in some cases, they "risk punishing the same people harmed by a breach by reducing budgets for vital services".

He said: "The review of our public sector approach trial reaffirmed that reprimands drive change and publishing them creates strong reputational incentives for compliance, while also offering other organisations valuable lessons from the mistakes of others. We’ll continue to share lessons from reprimands, and you can watch our latest DPPC conference session on reprimands here."

Edwards said that early engagement meanwhile helps clarify data protection expectations and requirements before major decisions or investments are made, "which in turn can prevent costly changes or breaches of the law in the process".

He pointed to one recent example where early engagement on the £330m NHS Federated Data Platform "ensured privacy, compliance and public trust from the outset, enabling a successful rollout and continued support for innovative NHS digitalisation".

Adam Carey