More ICO/Government cooperation: Less ICO focus on rights?

The year has started with a flurry of data protection law developments: the 2nd reading in the House of Commons of the Cyber Security and Resilience Bill on 6 January, and on 8 January the signing of the Memorandum of Understanding (MoU) between the ICO and the Government (represented by the DSIT Minister for Digital Government and Data and the Security Minister at the Cabinet Office) on improving data security.(1)

While the latter has not attracted mass media attention, the MoU sets the policy framework for the government’s data security policies.

What are the objectives of this MoU?

In the words of the text, “It sets out an enduring framework and approach to cooperation and collaboration” between the ICO and the government, represented by the Department for Science, Innovation and Technology (DSIT) and the Cabinet Office. It recognises the ICO’s independence and does not override the government’s statutory obligations as an independent regulator, nor the ICO’s role to ensure government departments’ compliance.

The vision behind the MoU is that both parties have a shared ambition to “use new technologies to transform public services, create a modern digital government and drive economic growth” which has public “trust and confidence that their data is being used safely.” They have a common interest in preventing harm and improving practice when things go wrong.

What are the action points?

The government will publish an “annual assurance statement” on how personal data is being kept safe and how “new and proposed technologies” are designed on the basis of trust and privacy. It will create a “culture of high standards and compliance.” This aim will be pursued across government. Information security should be improved by learning from personal data breaches and “near misses,” and by establishing a “clear process” for responding to them.

The government will seek the ICO’s expert advice when it makes an assessment that the “delivery of a policy or a system carries a significant risk.”

The government has identified an accountable and named responsible individual, currently the Government Chief Data Officer, for “managing cross-government data protection risk and compliance,” to advance privacy technology across government and to work with Data Protection Officers in each Department.

The MoU is realistic that although it plans to conduct awareness training, civil servants will also be informed of “real world consequences of inadvertent personal data breaches, by developing and delivering ongoing and engaging communication campaigns.” This programme will be backed by metrics tracking key indicators.

The ICO has a matching set of duties. Some of them are steps they have been taking for years, such as producing “guidance, codes of practice, advice notes, opinions and audits” and publishing its rationale for taking action following a data breach. The ICO will provide advice to government departments in the form of a “model action plan” following a breach. The ICO’s identification of security trends and risks will be communicated in the first place via “senior responsible officers” in DSIT and the Cabinet Office.

How does the MoU relate to new policies?

The MoU is keen to stress that it is aiming for “new uses of public sector data to transform people’s lives by improving the delivery of public services while boosting economic growth.” To manage potential critics’ concerns, the government is establishing new governance bodies, such as a Technology Risk Group, a Transformation Board and risk and audit boards. For maintaining contact between the parties, the government will invite the Information Commissioner to attend the Transformation Board and the Government Security Board which will meet every six months.

This set of action points is wide-ranging but will be tested when it comes to assessing the new digital ID card system, soon to be the subject of a public consultation. The 2.9 million people who signed the petition opposing the new ID system will be paying close attention to the promises of transparency.

New ICO Board and New Information Commission

2026 will be a year of change at the ICO as this is the last year of John Edwards’ five-year term and the start of the new system of the Information Commission with a set of as yet unknown names and numbers of Non-Executive Directors. From April, John Edwards will take the role of Chairperson until his term expires on 2 January 2027. He will be supported by Paul Arnold, the long-serving ICO manager who started his new role as the first CEO of the Information Commission on 30 June 2025.

The government’s website (accessed on 11 January 2026) states “Changes to the Information Commissioner’s Office (ICO) governance structures in Part 6 of the Act will take place once members of the Information Commission’s new Board have been appointed. This is expected in early 2026.”

Will the changes in the personnel at the top of the ICO have an influence on the way that this MoU is not only interpreted but also works in practice? We will see. There have been data disasters, such as the Post Office Horizon scandal and the Ministry of Defence’s data breach involving the disclosure of personal data of Afghans who helped the UK military forces.(2) While they stay in the public’s memory, I expect that the actions promised by the MoU will remain in force.

A more business-friendly IC Board?

As Dr Chris Pounder has explained in detail,(3) we know that he was not appointed as a member of the ICO’s board. I can speculate that the reason is that, for many years, he has been, and still is, a powerful privacy advocate and formidable forensic critic of the government and the ICO.

Professor David Erdos, a leading Cambridge academic, and also a critic of the ICO, has made the case that “the ICO’s data protection complaint handling performance is currently in very clear crisis.”(4) Will the new IC Board lead to a change of current priorities?

The EU’s approval of the UK’s adequacy status in December was confirmed despite the UK’s relaxation of the law in some areas. This may have been a factor, among several others, which encouraged Denmark’s EU Presidency (July to December 2025) to make the case for its simplification agenda.

The rationale to promote innovation and economic growth is consistent with the fears of privacy rights groups across Europe that this new direction might erode DPAs’ commitment to uphold individuals’ data rights.

As a consequence of the MoU in terms of closer cooperation on data security, properly reflecting public concerns about data breaches, there could be less focus on, and fewer resources devoted to, individual rights, leading to a more business-friendly UK Information Commission in future.

Best regards,

Stewart Dresner
Publisher, Privacy Laws & Business

January 2026

REFERENCES
  1. ICO - Statement about the signing of a Memorandum of Understanding with His Majesty's Government
  2. David Erdos LinkedIn post
  3. Amberhawk - “How to write a suicidal job application?” or “How not to become a member of the Information Commission”
  4. Inforrm - Cause for Complaint: Assessing the ICO’s Proposed New Approach to Data Protection Complaints – David Erdos