Skip to main content

A year in review

Contents

Our organisation was established as the data protection regulator in 1984. Our original name was the Data Protection Registrar. From 2000, we were the Data Protection Commissioner, and in 2001, we became the Information Commissioner’s Office. During 2026/27, it will change again to the Information Commission, a new statutory body that reflects our new governance structure, with all our current functions transferred to the new organisation. While the world we regulate is starkly different today than it was in 1984, we still have similar aims of: 

  • protecting the public;
  • supporting business; and
  • enabling transparency and innovation.

These aims informed the development of our ICO25 strategic plan, which we launched in October 2022. Our previous annual reports have outlined our achievements and successes in delivering the plan’s strategic enduring objectives so far. Here, we present a review of our achievements and successes during the fourth full year of ICO25.

We’ve listed below some of the key highlights in delivering our enduring strategic objectives during 2025/26. 

Objective 1. Safeguard and empower people, particularly those at most risk of harm in society, by upholding their information rights and enabling everybody to confidently contribute to a thriving society and sustainable economy.

This year we made significant progress in protecting people's information rights and acting where those rights were put at risk. We:

  • worked with major online platforms to improve their practices around children’s data; 
  • championed the records of care-experienced people; and 
  • tackled the nuisance calls and spam messages that cause real distress to people across the UK. 

We continue to focus on regulatory interventions that raise data protection standards in a way that benefits people, including signing an important memorandum of understanding confirming the government’s commitment to raising data protection standards.

 

Objective 2. Empower responsible innovation and sustainable economic growth, by:

  • providing regulatory certainty about what the law requires; 
  • reducing the cost of compliance; and 
  • clarifying what we will do if things go wrong.

This enables those we regulate to plan, invest and innovate. 

Supporting the UK's ambitions for a thriving, data-driven economy remained a central priority throughout 2025/26. We: 

  • published our AI and biometrics strategy; 
  • launched consultations on new guidance under the DUAA; and 
  • brought 979 of the top 1,000 UK websites into cookie compliance.

This gave around 40 million people greater control over how organisations track them online. We worked through the Digital Regulation Cooperation Forum (DRCF) alongside the:

  • Competition and Markets Authority (CMA);
  • Office of Communications (Ofcom); and 
  • Financial Conduct Authority (FCA). 

By doing so, we helped create a clearer, more coherent regulatory environment for businesses innovating with data. Our activities generated an estimated £233 million of economic value for UK businesses over five years.

 

Objective 3. Promote openness and transparency, by:

  • supporting the development of a modern FOIA and EIR practice framework in the UK; and 
  • inspiring confidence in public services and democracy. 

Openness and transparency are fundamental to public trust in how organisations handle information, and this year, we made important strides in both promoting and upholding those values. As FOI complaints continued to rise, we provided more practical tools and resources to help practitioners stay ahead of challenges. This includes important work around proactive publication.

 

Objective 4. Continuously develop our culture, capacity and capability, to deliver impactful regulatory outcomes and be recognised as an effective provider of public services, a knowledgeable and influential regulator, and a great place to work and develop.

To deliver for the public and the organisations we regulate, we need to have in place the right people, systems and culture. This year we: 

  • continued to invest in our transformation programmes; 
  • improved our digital tools; and 
  • introduced a new approach to how we handle data protection complaints.

We also began preparations for our transition to the new statutory body of the Information Commission. Paul Arnold was appointed as Interim Chief Executive Officer Designate in June 2025. As ICO25 draws to a close, we’re developing our next corporate strategy, ensuring we’re well placed to meet the challenges and opportunities ahead.