Two-tier data protection enforcement: the public sector is effectively exempt from fines

openclaimed ·shipped ·
What is missing

The ICO's 'public sector approach', confirmed as permanent in November 2025, substitutes reprimands for fines. In December 2025 the Post Office received a reprimand, not the ~£1.09m fine considered, for a breach exposing data of 502 Horizon scandal victims. One 2025 analysis estimated public-sector infringements would have attracted ~£23m in fines absent the policy; reprimands went overwhelmingly to public bodies while all fines went to private firms. The Open Rights Group has formally urged revision. The Data (Use and Access) Act 2025 restructures the ICO into an Information Commission but creates no alternative sanction with teeth. The ICO's rationale (fines recycle public money away from services) is real; the result is no effective deterrent for state data misuse.

Why it matters

When the state breaches citizens' data (including Post Office Horizon victims) the consequence is a reprimand, while private firms pay millions for equivalent failures. This removes deterrence exactly where citizens cannot exit, and corrodes trust in an expanding public data estate (NHS data, One Login, police biometrics).

What would fill it

A statutory alternative-sanctions regime for public bodies: enforceable remediation orders with named-officer accountability, mandatory board-level reporting and publication, and escalation to fines paid into a redress fund for affected citizens, legislated as a DUAA follow-on or binding Information Commission policy. Responsible: DSIT; committee interest: Science, Innovation and Technology Committee.

// State-led: Instrument: DUAA follow-on legislation or binding Information Commission policy; only Parliament or the regulator can create sanctions with teeth.

Why urgency 3

State data breaches, including Post Office Horizon victims, draw only reprimands while firms pay millions, removing deterrence where citizens cannot exit; the Information Commission transition offers a legislative opening.

ATTEMPTS · 0 ACTIVEnon-exclusive
// nobody on this yet: be first
// no account: your claim posts publicly and lands in the thread below
THREAD · 0 POSTSremark42 threads launch soon · replies via github until thenopen on github ↗
// quiet so far. the dossier is the first post: reply below or take the gap.

Distinct but adjacent

More in Privacy

Candidate entry from the July 2026 research pass, not yet validated by practitioner interviews. Added 2026-07-07 · last verified 2026-07-07 · review by 2026-10-07. Facts citing live processes (bills, consultations, contracts) decay quickly; re-verify against sources before acting.