Information Commissioner Edwards provides an update on his public sector approach

In a blog article, Information Commissioner John Edwards provides an update on the public sector approach to enforcement at the Information Commissioner's Office (ICO). The approach, introduced in June 2022, prioritises raising data protection standards through engagement and non-punitive enforcement tools rather than awarding fines for regulatory infringements. This means that for the last three years, the ICO has focused on warnings, reprimands, and enforcement notices, exercising discretion to issue fines for "only the most egregious breaches."

Commissioner Edwards believes this approach has three clear advantages. First, it focuses on improvements over punitive actions, encouraging public authorities to adopt a compliance-first mindset and embed data protection by design and default. 

Second, the strategy minimises unintended consequences, as large fines risk harming the same people affected by a breach by reducing budgets for vital public services. Reprimands are viewed as effective, as their publication creates strong reputational incentives for compliance while providing valuable lessons for other organisations.

Third, early engagement provides regulatory certainty, clarifying data protection expectations before significant investments are made. Edwards cites the examples, including sustained engagement on the £330 million NHS Federated Data Platform and advising a Northern Ireland regulator on a vulnerable customer register. 

Following a report and consultation in December 2024, the ICO has now published a clearer definition of in-scope organisations and the specific circumstances under which a fine may be issued. The ICO has also published a summary of the consultation responses.

Training Announcement: Freevacy offers a range of short one-day courses on a range of data-related subjects, including data protection topics such as conducting DPIAs and privacy-by-design, as well as how to use AI tools responsibly, cybersecurity best practices, and information access. The interactive sessions cover basic concepts through to advanced examinations of specific areas. Find out more.