In December 2025, the ICO concluded its investigation into a data breach that exposed personal information belonging to 502 victims of the Post Office Horizon scandal. After considering a fine of up to £1.094 million, the regulator instead issued a reprimand under its “public sector approach” policy.
The decision has drawn sharp criticism from privacy advocates. Understanding why the ICO made this choice reveals how the regulator approaches enforcement against public bodies—and why that approach remains controversial.
The Horizon scandal stands as one of the UK’s largest miscarriages of justice. The Post Office wrongly prosecuted hundreds of sub-postmasters for theft and fraud based on errors in its Horizon accounting software. Many were convicted and imprisoned. The victims whose data was exposed in this breach had already suffered significant harm at the hands of the same organisation.
What Happened at the Post Office
The Post Office’s communications team published an unredacted legal settlement document on its corporate website. The document contained names, home addresses, and postmaster status of 502 individuals who had reached settlements related to the Horizon scandal.
The exposed document remained publicly accessible for nearly two months, from 25 April to 19 June 2024. The ICO’s investigation found that the Post Office lacked documented policies for website publishing. There were no quality assurance processes in place and staff had not received training on handling sensitive information.
The ICO’s Public Sector Approach Explained
Why Public Bodies Are Treated Differently
The ICO treats public sector organisations differently from private companies. The rationale: fines on public bodies ultimately come from public funds. Taxpayers and service users bear the cost when councils, NHS trusts, or government bodies pay regulatory penalties.
A large fine against a local authority could reduce budgets for frontline services. The ICO therefore prioritises early engagement and non-financial enforcement tools. This is a deliberate policy choice, not a loophole.
The Enforcement Toolkit
The ICO has several options beyond fines:
- Reprimands: A formal finding that a breach occurred, but with no financial penalty. Notably, reprimands carry no legal force.
- Enforcement notices: Legally binding orders requiring the organisation to take specific actions.
- Warnings: Issued before a breach occurs if the ICO identifies risky practices.
Fines remain available for what the ICO terms “egregious” cases involving “especially serious” infringements. The Ministry of Defence and PSNI have both received fines because their cases were judged to meet this threshold.
The Post Office Decision
Why It Was Not Considered Egregious
The ICO assessed the Post Office breach against its public sector criteria and concluded it did not meet the threshold for a fine. Factors likely considered include that the disclosure was accidental rather than deliberate, that the exposed data did not include financial information, and that the organisation took remediation steps.
The Post Office offered compensation to affected individuals and provided 24 months of fraud monitoring and dark web surveillance. It contacted search engines to request removal of cached versions of the document and committed to implementing documented publishing policies and staff training.
However, there is an important distinction here. Unlike enforcement notices, reprimands do not have legal force. The Post Office has committed to these improvements, but the ICO cannot legally compel compliance through a reprimand alone. Whether these changes actually happen depends entirely on the organisation’s own commitment.
The Criticism and What It Means
Privacy Groups’ Response
The Open Rights Group described the ICO’s assessment as “ludicrous”. The group argued that issuing reprimands signals a lack of consequences for public bodies. There is added context that makes this case particularly sensitive: these 502 individuals had already been wronged by the Post Office through the Horizon scandal. Their data was exposed by the same organisation that had previously prosecuted them based on faulty evidence.
Critics worry that other public bodies may interpret lenient enforcement as permission to deprioritise data protection investment.
The Numbers Tell a Story
Analysis from URM Consulting examined ICO enforcement in the first half of 2025. If the public sector approach had not applied, the consultancy estimated that fines could have totalled £23.2 million instead of the actual figure of £1.2 million. The ICO took only 15 enforcement actions during this period. All six reprimands went to public sector bodies. All fines went to private sector organisations. For more on the ICO’s 2025 enforcement patterns, see our analysis of ICO Enforcement in 2025: Record Fines and What They Mean.
The Counterargument
The ICO maintains that non-financial enforcement can be effective for public bodies. Regulatory action brings reputational damage, and public shaming matters to organisations accountable to citizens and elected officials. Fines from public bodies simply move money between government pots without improving data protection practices. The regulator argues that resources are better spent on improving processes than paying penalties.
The ICO’s public sector approach is a deliberate policy decision, not regulatory weakness. Fines are reserved for the most serious cases to avoid penalising people who rely on public services. However, reprimands carry no legal force, and compliance depends entirely on the organisation’s willingness to improve.
Public sector organisations should not interpret lenient enforcement as permission for poor practices. Review your publishing controls, document your processes, and train your staff—because protecting people’s data is the right thing to do, not just a regulatory requirement.
