The British Information Commissioner's Office Is Setting an Example for Regulators Everywhere

Check out this Exterro enforcement alert for insight into why the British ICO's recent FOIA enforcement actions are setting a strong example for regulators across the globe.

The UK Information Commissioner’s Office (ICO) has made it clear: the era of "guidance-only" is over. Following its first Freedom of Information Act (FOIA) enforcement notice in seven years in late 2022, the regulator has significantly ramped up its interventionist approach through 2024 and into 2026.

Public authorities failing to meet the statutory 20-working-day response limit are now facing a sophisticated "name and shame" regime and the real threat of contempt of court.

The Enforcement Escalation: 2024–2026

The ICO has moved from occasional warnings to a systematic crackdown on backlogs. Recent regulatory data shows a surge in activity:

  • Persistent Offenders: In 2025 alone, the ICO issued over a dozen FOIA Enforcement Notices against major public bodies, including the Foreign, Commonwealth & Development Office (FCDO) and multiple NHS Trusts (Nottingham and Cambridge University Hospitals), some of which had compliance rates as low as 14%.
  • The "Practice Recommendation" Warning: Authorities like the Ministry of Defence (MOD) and various local councils have been issued formal practice recommendations. These serve as a "final warning"—if performance doesn't improve, an Enforcement Notice follows immediately.
  • Contempt of Court: Failure to comply with an Enforcement Notice is no longer a theoretical risk. The ICO has clarified that persistent non-compliance will be referred to the High Court as a matter of contempt.

The Data (Use and Access) Act 2025 (DUAA)

The legislative landscape shifted fundamentally with the DUAA 2025, which received Royal Assent in June 2025 and fully commenced in early 2026.

  • New Investigatory Powers: The ICO can now compel interviews and request technical reports at the expense of the investigated body.
  • Modernized Standards: The Act emphasizes that transparency must be supported by modern digital infrastructure, making "manual spreadsheets" an increasingly indefensible excuse for delays.

Expert Insight: Shifting from Manual to Managed

As Xavier Alabart noted, the "learn lessons" drum is beating louder. Public authorities can no longer rely on fragmented, manual processes. The shift toward Commercial Off-the-Shelf (COTS) solutions—the same tools used by the private sector for DSARs—is now a necessity for FOIA compliance.

Key Requirements for a Defensible FOIA Process:

  1. Automated Logging: Ensuring every request is tracked from the second it hits the inbox.
  2. Workflow Orchestration: Moving requests through departments automatically to prevent "bottlenecks" in subject matter expert review.
  3. Redaction Technology: Using AI-assisted redaction to speed up the delivery of sensitive documents while protecting personal data.

Modernizing Your Public Records Response

The ICO is prioritizing "systemic transparency issues." Agencies that demonstrate they are investing in dedicated FOIA technology are often given more leniency (Practice Recommendations) than those that remain stagnant (Enforcement Notices).

Resource: Product Brief: Managing FOIA and Public Record Requests with Exterro