
Public sector approach

Latest updates - 11 November 2025

11 November 2025 - this policy was published

What is the public sector approach? 

Our public sector approach aims to improve data protection standards in the public sector through guidance and proactive engagement, preventing harms before they occur and learning lessons when things have gone wrong.

The approach also involves exercising our discretion when fining public authorities. In practice, this means we will rely on our wider powers, including warnings, reprimands and enforcement notices, and issue fines only in the most egregious cases, that is, where the infringements are especially serious.

Which organisations are in scope of the public sector approach?

We use the definition of ‘public authorities’ and ‘public bodies’ under section 7 of the Data Protection Act 2018 (DPA 2018) to determine whether an organisation is in scope of the public sector approach.

We recognise that there are organisations in the wider not-for-profit sector, such as charities and social enterprises, and other public bodies such as parish councils, which are not public authorities for the purposes of the DPA 2018 but whose services might be similarly affected by a fine. These organisations do not fall within the scope of the public sector approach. Our Data Protection Fining Guidance explains how we take these factors into account when setting an appropriate fine.

What circumstances may lead to a fine under the public sector approach?

We will only consider issuing a fine to a public authority in the most egregious cases, where it is appropriate and the infringements are especially serious.

We will determine ‘egregiousness’ as part of the assessment of the seriousness of the infringement. This assessment takes place at the end of a fair and impartial investigation where we have found evidence of an infringement.

The following factors, which are not intended to be an exhaustive list, may lead us to consider an infringement egregious:

  • Actual or potential harm to people: this could be physical or bodily harm, psychological harm, economic or financial harm, discrimination, reputational harm or loss of human dignity. For example, evidence of:
    • a high risk of actual or potential harm to affected people or their family members, including a threat to life following a data breach;
    • actual or potential distress or loss of dignity as a result of illegal monitoring of people; and
    • actual or potential discrimination or bias arising from automated decision-making.
  • Intentional or negligent character of the infringement, where there is evidence of intent on the part of the controller or a high degree of negligence; and
  • Relevant previous infringements, or recent infringements, by the controller or processor. Where previous infringements have concerned a similar subject matter, the current infringement is more likely to be considered egregious.

When considering whether, in all the circumstances of a case, the infringement by a public authority is egregious and warrants a fine, we will take into account the seriousness of the infringements, any relevant aggravating or mitigating factors, as well as the overarching requirement to ensure the fine is effective, proportionate and dissuasive.

We will calculate the fine amount by applying the five-step approach set out in the Data Protection Fining Guidance. The fact that the organisation which committed the infringement is a public authority is relevant to the assessment of the nature of the processing (at step 1), to the determination of the maximum amount of the fine (at step 2), and to the financial position used to assess the fine’s starting point (at step 3). 

In addition to this, we will take into account the public sector approach when completing a final review of the fine amount to ensure the fine is effective, proportionate and dissuasive. This is a matter of evaluation and judgement.

Considering all the relevant circumstances of the case, we may make no adjustment or may reduce the overall fine that is imposed on a public body, provided that in each case the fine is still effective, proportionate and dissuasive.

Guidance and resources

We have a broad range of guidance and tools on our website for public authorities, including when and how to respond to subject access requests, choosing a lawful basis for using personal information, data sharing, reporting a personal data breach and more.

If you are not able to find the answer to your question on our website, you can call the ICO helpline on 0303 123 1113 or use our live chat.

Enforcement action and lessons learned

Every enforcement action offers valuable lessons for organisations by highlighting the real consequences of non-compliance and helping them identify and address similar issues in their own processing.

You can read our audit reports, reprimands, enforcement notices and fines on our website, as well as watch our DPPC sessions on reprimands. They serve as cautionary tales, encouraging organisations to avoid similar pitfalls and, ultimately, handle people’s information appropriately.