ICO issues update on efforts to strengthen data protection standards in the public sector

On 20 October 2025, the Information Commissioner’s Office (ICO) issued a statement outlining recent progress in its ongoing work to improve data protection standards across the UK public sector.

Background

The update follows a period of increased engagement with government departments, particularly in the wake of the Ministry of Defence data breach that exposed sensitive information relating to Afghan citizens back in July 2025. Information Commissioner John Edwards noted that “further progress was a key action my office undertook” in response to the incident. This included writing to the Cabinet Office in the following week (25 July 2025), urging the government to do more to prevent public sector data breaches. 

Recognising that monetary penalties often take resource away from vital front-line services and risk re-victimising people who have been impacted by a breach, the ICO has sought to adopt a different approach to regulating the public sector. As part of the ICO’s ‘public sector approach,’ the ICO and government have committed together to raise standards and ensure that lessons are learnt from incidents to prevent future breaches.

New government measures to raise information security standards

According to the ICO, the government has now committed to a series of measures aimed at enhancing information security and accountability. These are set out in a letter dated 20 October 2025 from the Department for Science, Innovation and Technology (DSIT) to the Chair of the Science, Innovation and Technology Committee and include:

  1. Establishing a central, coordinated approach to managing data protection accountability and compliance across government;

     • The Government Digital Service (within DSIT) will be responsible for co-ordinating cross-government data protection risks and compliance.

     • The Government Chief Data Officer (GCDO) will be the accountable individual.

  2. Creating a dedicated team under the GCDO to set consistent standards and respond to emerging risks;

  3. Drawing up a joint commitment with the ICO to work together to raise standards; and

  4. Establishing a cross-government Technology Risk Group to drive accountability for technology risk.

In addition, the government has set out that it is working on eleven additional measures across the following four key domains: (1) government policy and processes; (2) technology; (3) culture; and (4) relationship with the ICO.

For example, as part of the ICO update, Commissioner Edwards highlighted the rolling out of new information management training for all civil servants. This sits under the domain of ‘culture.’ The ICO has also been invited to the meetings of the Government Security Board which will track overall progress against these measures.

Future collaboration between the ICO and government

Alongside the above measures, the ICO also confirmed that it is working with the government to formalise their collaboration through a memorandum of understanding (MOU). This MOU is intended to ensure that the government’s ambitions to modernise public services and adopt new technologies are pursued “with the appropriate safeguards in place.” The ICO expects to receive assurances from the government on the delivery and impact of this work. 

Comment

As the Information Commissioner puts it, this latest update represents “a single step forward, but it is a crucial one.” It signals a more structured and proactive approach to public sector data governance, and while the commitments outlined are promising, their effectiveness will ultimately depend on sustained implementation and oversight. The ICO recognises this, along with the importance of maintaining public trust, as it emphasises that:

“Government must now carry through on these commitments, to ensure the public can trust and be confident when sharing their personal information with government, knowing that it will be handled responsibly and safely.”

The ICO notes that it is still working with the government to determine the extent of its involvement and how it will receive assurance on the delivery and impact of the changes - these mechanisms will be key to ensuring that the reforms translate into meaningful improvements in data protection standards in the public sector.

For advice on data protection compliance in the public sector, please contact Hamish Corner, Madelin Sinclair McAusland, Amanda Leiu, Justin Barrow or a member of Burges Salmon's Commercial & Technology team.

This article was written by Fraser Campbell and Amanda Leiu.