Skip to main content

Objective 1: Safeguard and empower people

Contents

Our first strategic objective focuses on ensuring that:

  • people can exercise their information rights; and 
  • their personal information is protected from harm. 

This year, we made significant progress in raising public awareness and taking action to protect those most at risk.

Supporting care-experienced people with Better Records Together

A flagship achievement this year was our “Better Records Together” campaign, which we developed in partnership with care-experienced people and the organisations supporting them. This initiative addresses a profound issue: many people who spent time in care struggle to access records that form part of their identity and personal history. Nine in ten still have questions or concerns after receiving their care records.

The campaign recognises that for care-experienced people, these records are not simply administrative documents - they represent connections to their past and their identity. Sometimes, these records are their only link to their family history.

We worked closely with care-experienced people throughout the development of this campaign, ensuring their voices shaped our approach. The result was practical guidance to help organisations holding care records respond appropriately to subject access requests. This new guidance allows organisations to balance data protection requirements with compassion and understanding of what these records mean to the people requesting them. 

Alongside this guidance, John Edwards wrote to senior leaders, making clear that organisations may face regulatory action if they don’t make improvements. A robust, full-service communications campaign launches this report, featuring: 

  • bespoke social media assets; 
  • influencer marketing; and 
  • a strong events presence.

This secured coverage in the national media and support from key stakeholders, including: 

A UK-wide supervision pilot also ran across 2025/26, monitoring the performance of 19 organisations to drive improvements. We’ll be reporting on the outcome of this pilot when it ends later in 2026.

Protecting children online  

Protecting children online remains one of our strategic priorities (and aligns with one of our secondary duties). This year saw important developments as we continued to ensure companies design their online services with young people in mind.

Our interventions are working, with major online platforms improving their data protection practices, benefitting more than one million children in the UK. Monitoring the impact of our work remains an important focus. We’re monitoring platforms that have committed to (but haven’t yet introduced) improvements to ensure they implement their planned changes. We are also ready to open further investigations and progress to formal enforcement action if needed.

In February 2026, we fined MediaLab.AI Inc (mediaLab) £247,590 for using children’s data unlawfully on its Imgur social media platform. The company had: 

  • failed to implement any measures to check the age of its users; and 
  • processed the personal information of children under 13 when offering online service, without parental consent or any other lawful basis.

Later the same month, we fined Reddit £14.47 million after finding the company had failed to use children’s personal information lawfully. Our investigation findings included that Reddit failed to apply any robust age assurance mechanism and therefore didn’t have a lawful basis for processing the personal information of children under the age of 13. These failures meant Reddit was using children’s data unlawfully, potentially exposing them to inappropriate and harmful content.

In July 2025, the First-tier Tribunal delivered a significant judgment in our favour regarding TikTok's appeal against our £12.7 million monetary penalty notice. We issued this notice in April 2023 because TikTok allowed up to 1.4 million UK children under the minimum age of 13 to use its platform. The Tribunal confirmed the Information Commissioner had followed the correct procedure when issuing the penalty notice. This was a welcome clarification of our ability to hold TikTok and other similar platforms to account for how they use people’s information, particularly children’s, when providing their online services. The Upper Tribunal subsequently granted TikTok permission to appeal, and the hearing took place in May 2026. 

Our work on children’s privacy extended to mobile gaming, where we placed the spotlight on how organisations handle children's personal information. We also gave attention to financial services providers, and our audit work identified the need for improvements in how the sector handles children's data. We opened a programme of work to drive improvements on social media platforms and video sharing platforms that currently only use self-declaration to identify under-13s. 

And we continued to work closely with Ofcom, recognising their role in enforcing the Online Safety Act. In March 2026, we called on tech firms to strengthen age assurance measures so children can’t access services that aren’t designed for them. This came alongside Ofcom’s call for platforms to: 

  • enforce minimum ages; and 
  • ensure they configure algorithms to prevent children from encountering harmful content. 

Encourage public sector standards and efficiency

In November 2025, we published clearer definitions of organisations in scope of our public sector approach and the circumstances under which we may issue fines. This approach focuses on improvements rather than punitive actions as the only solution, building more accountability across the public sector in handling people’s data responsibly and with care.

Focusing on proactive engagement can: 

  • influence sustainable change; 
  • protect public trust; and 
  • ensure we spend taxpayer money on prevention rather than punishment. 

In Scotland, our work with local authorities to improve subject access request compliance achieved impactful results, with almost half of authorities achieving at least 90% compliance.

We’ve focused on raising data protection standards across the UK public sector, prioritising early involvement and lasting improvements through tools such as:

  • warnings; 
  • reprimands; and 
  • enforcement notices.

In July 2025, we highlighted our work overseeing the Ministry of Defence’s (MOD’s) investigation into a data breach related to applicants for its Afghan Relocations and Assistance Policy in 2022. This policy placed thousands of people who needed extra support at risk. We were clear that the incident was unacceptable and should never happen again. The MOD reassured us that their investigation resulted in them taking the necessary steps to minimise the risk of this happening again. As the Information Commissioner highlighted to the House of Commons Science, Innovation and Technology Committee, this was a challenging case involving a court injunction and highly classified information. This case also led us to review where staff may need higher security clearance.

Commitment to raise data protection standards in government

In January 2026, we signed an important MOU with His Majesty’s Government, setting out the government's commitment to raise data protection standards.

This commitment followed several serious, high-profile data breaches that undermined public trust in government, some of which placed lives at risk. The MOU formalises action to address these concerns by: 

  • setting clear expectations for how departments handle people’s personal information; and 
  • providing a pathway for the government to:
    • rebuild trust with the public; and 
    • improve transparency and accountability.

The MOU commits government to:

  • creating a central, coordinated approach for managing cross-government data protection accountability and compliance;
  • establishing a dedicated team to set consistent standards and respond swiftly to risks;
  • rolling out new information management training for all civil servants; and
  • publishing an annual assurance statement on GOV.UK. 

The leadership of the Government Chief Data Officer, along with the expert network of departmental data protection officers, strengthens this framework. Together, they play a vital role in embedding good data practice across government.

As the data protection regulator, we provide advice, scrutiny and challenge at all levels. The MOU reinforces the mechanisms available to us to hold government to account when it doesn’t meet or maintain the required standards.

The MOU also supports the government’s ambitions to use new technologies to transform public services and drive economic growth, ensuring these developments include appropriate safeguards.

Deliver timely regulatory interventions

We focus on interventions that raise data protection standards across the board. This means using all the regulatory tools available to us to drive change, including: 

  • using the MOU outlined above; 
  • producing guidance and advice; 
  • engaging upstream with companies; and 
  • leading criminal prosecutions.

Regular review of the impact of our regulatory approach is an important part of this picture. Our latest evidence and learning suggest that our interventions are most effective and deliver impact most quickly when they:

  • create regulatory certainty; and 
  • build organisational capability.

We’ll publish further details of this analysis in 2026/27 2.

In June 2025, we issued a £2,310,000 fine to 23andMe following a data breach that affected customers globally. A hacker exploited reused login credentials stolen from previous unrelated data breaches. Our investigation found that the company did not have additional verification steps for users to access and download their raw genetic data. This action underlines our commitment to protecting UK residents’ data regardless of where organisations are based. 

In June 2025, we fined Scottish charity Birthlink £18,000 after it destroyed approximately 4,800 records, including irreplaceable handwritten letters and photographs from birth parents. The action showed how not looking after people’s information can have far-reaching effects that continue to affect lives long after the initial error. 

In October 2025, we fined Capita £14,000,000 following a cyber-attack that resulted in the removal of nearly one terabyte of data. The attack began when someone downloaded a malicious file onto an employee device. Despite a security alert being raised within 10 minutes, Capita did not quarantine the device for 58 hours. Our investigation found failures to: 

  • implement appropriate technical and organisational measures to safeguard data; and,
  • prevent privilege escalation. 

Capita acknowledged our decision and admitted liability, agreeing to pay without appeal. This case demonstrates that no organisation is too big to ignore its responsibilities.

In November 2025, we fined LastPass £1,228,283 for security failings that exposed customer data. The company promised to help people improve their security but left them feeling vulnerable after a hacker gained access to a backup database. 

In December 2025, we issued a £66,000 fine and a reprimand to Police Scotland. The force had extracted the entire contents of a person’s mobile phone after they reported an alleged crime, without ensuring sufficient safeguards were in place. The incident was a stark example of the devastating consequences poor data protection practices can have on people.

Across the year, we also issued seven reprimands (2024/25: nine) and two enforcement notices (2024/25: zero). This included a reprimand to Post Office Limited following a breach that disclosed personal information of 502 postmasters involved in the Horizon IT scandal. The breach occurred when Post Office Limited mistakenly published an unredacted legal settlement document on the corporate website. Our investigation found a lack of documented policies, quality assurance processes and staff training. This case highlighted that organisations should embed data protection by design into their everyday operations.

We also welcomed the Court of Appeal’s ruling in February 2026 about us fining DSG Retail. This reinstated a clear interpretation of organisations’ legal responsibility to keep personal information secure.

Tackling nuisance communications

Unwanted marketing messages cause real harm. They’re an intrusion that can cause distress, and some deliberately target people at greater risk of harm, such as those facing financial hardship.

We continue to take robust enforcement action against organisations responsible for millions of unlawful marketing messages and calls.

In total, we issued fines totalling £1.445 million, including fines for: 

We also fined a pair of energy companies (Green Spark Energy Ltd and Home Improvement Marketing Ltd) for using unlawful ‘robo calls’ – software that gives call recipients the impression they are talking to a human by playing scripted lines recorded by actors.

We took action against one person who knowingly transmitted nearly one million text messages without valid consent, targeting people at greater risk of harm. This resulted in over 19,000 complaints through the 7726 spam reporting service. And following our largest ever nuisance call investigation, 10 men pleaded guilty to the unlawful accessing and obtaining of people’s personal information from vehicle repair garages to generate potential leads for personal injury claims.

Public reporting plays a crucial role in our work. We continue to encourage anyone receiving spam texts to report them to us or forward them to 7726 so we can investigate and take robust action against offenders. Last year we received 48,395 reports of unwanted marketing calls and texts via our online reporting tool (2024/25: 49,494).

Unlocking privacy-preserving online advertising  

Our online tracking strategy continued to deliver meaningful results for people and businesses. As of May 2026, following talks with the UK’s most-visited websites, our cookie compliance work resulted in 99% of the top 1,000 UK websites meeting our compliance checks. This gave an estimated 40 million people - around 80% of UK internet users over the age of 14 - greater control over how websites tracked them for personalised advertising online. We’ve issued 20 preliminary enforcement notices to the websites that haven’t passed our checks and we continue to monitor them for non-compliance.

We also:

We also continued to explore privacy-preserving advertising approaches, recognising that a thriving online advertising sector and strong data protection standards are not mutually exclusive.


2 We published this in June 2026, and it is available on our website.