Two-tier data protection enforcement: the public sector is effectively exempt from fines
The ICO's 'public sector approach', confirmed as permanent in November 2025, substitutes reprimands for fines. In December 2025 the Post Office received a reprimand, not the ~£1.09m fine considered, for a breach exposing data of 502 Horizon scandal victims. One 2025 analysis estimated public-sector infringements would have attracted ~£23m in fines absent the policy; reprimands went overwhelmingly to public bodies while all fines went to private firms. The Open Rights Group has formally urged revision. The Data (Use and Access) Act 2025 restructures the ICO into an Information Commission but creates no alternative sanction with teeth. The ICO's rationale (fines recycle public money away from services) is real; the result is no effective deterrent for state data misuse.
When the state breaches citizens' data (including Post Office Horizon victims) the consequence is a reprimand, while private firms pay millions for equivalent failures. This removes deterrence exactly where citizens cannot exit, and corrodes trust in an expanding public data estate (NHS data, One Login, police biometrics).
A statutory alternative-sanctions regime for public bodies: enforceable remediation orders with named-officer accountability, mandatory board-level reporting and publication, and escalation to fines paid into a redress fund for affected citizens, legislated as a DUAA follow-on or binding Information Commission policy. Responsible: DSIT; committee interest: Science, Innovation and Technology Committee.
// State-led: Instrument: DUAA follow-on legislation or binding Information Commission policy; only Parliament or the regulator can create sanctions with teeth.
State data breaches, including Post Office Horizon victims, draw only reprimands while firms pay millions, removing deterrence where citizens cannot exit; the Information Commission transition offers a legislative opening.