Information Commissioner's Office
Regulating for impact with our public sector approach
As a regulator, sometimes we need to intervene directly with organisations to drive change. But our goal is always broader: to raise standards across entire sectors. That means choosing the right regulatory tools to hold decision-makers accountable, set clear expectations, and secure lasting improvements.
For the past three years, my office has focused on raising data protection standards across the UK public sector. We've prioritised early engagement and other enforcement tools such as warnings, reprimands, and enforcement notices, while I’ve exercised my discretion to issue fines for only the most egregious breaches in the public sector.
We can do this because there are different ways we can drive change and require accountability in the public sector. We can engage directly with senior officials, involve Select Committees, or escalate concerns to Parliament. These levers often deliver more than fines, which, while sometimes necessary, are not always the most effective tool in this sector.
We reviewed our public sector approach and organisations asked for more clarity on it. After holding a consultation earlier this year, we have now published a clearer definition of organisations in scope and the circumstances under which a fine may be issued. You can also read the summary of responses to the consultation on our website.
We’re continuing with the public sector approach because we believe there are three clear advantages:
1. Focusing on improvements rather than punitive actions
Our approach shifted the focus from punitive measures as the only solution to building a compliance-first mindset across the public sector. We've been encouraging public authorities to embed data protection by design into everyday operations from the outset rather than treating it as a reactive obligation. And we do so by having early engagement, providing guidance, doing audits, offering services such as our Sandbox, and much more.
We’re also pushing government to raise data protection standards across the public sector. I’m optimistic that the work we’re doing with government and its commitments will be an important part of it, helping DPOs to make their case for more investment in processes and training.
We’ve seen these active conversations lead to improvements and DPOs have told us they’ve made changes because of it. For example, in Scotland, our work with local authorities to improve SAR compliance has achieved impactful results for people’s information rights, with almost half of the authorities achieving at least 90% compliance.
2. Minimising unintended consequences to public services and people
Fines in the public sector, particularly in local government, risk punishing the same people harmed by a breach by reducing budgets for vital services. They still have their place in some cases, but so do other enforcement tools.
The review of our public sector approach trial reaffirmed that reprimands drive change and that publishing them creates strong reputational incentives for compliance, while also offering other organisations valuable lessons from the mistakes of others. We’ll continue to share lessons from reprimands, and you can watch our latest DPPC conference session on reprimands on our website.
Focusing on a proactive approach of working with organisations to identify risks and implement improvements can influence sustainable change, protect public trust, and ensure taxpayer money is invested in prevention rather than punishment. The net benefit of this approach is higher data protection standards and faster remediation, backed by sanctions when necessary.
3. Providing regulatory certainty by clarifying expectations early on
Working with an organisation early on helps clarify data protection expectations and requirements before major decisions or investments are made, which in turn can prevent costly changes or breaches of the law in the process.
For example, early and sustained engagement on the £330m NHS Federated Data Platform ensured privacy, compliance, and public trust from the outset, enabling a successful rollout and continued support for innovative NHS digitalisation. In Northern Ireland, we advised a regulator on the creation of a combined register of vulnerable customers, ensuring a data protection by design and default approach in which only the necessary personal information is collected.
I’m confident that by prioritising transparency, accountability, and early engagement, we are helping public bodies deliver services that respect people’s data rights while maintaining confidence and trust in the system. But as I’ve said before, I’ll keep our approach under review and reconsider it if necessary.
Original article link: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/11/regulating-for-impact-with-our-public-sector-approach/