I‑C‑Oh‑no: Saying goodbye to the Information Commissioner's Office

You don’t often get to attend a regulator’s “wake”, but the UK privacy world will soon begin to mourn the loss of the Information Commissioner's Office, in place of the Information Commission. The change comes from the Data (Use and Access) Act 2025 (DUAA) with draft secondary legislation bringing the change into effect recently being published.

What's changing?

In short, the ICO's functions, staff, property and ongoing matters will transfer to a new body corporate, the Information Commission. The main driver is governance - the new IC will have an overhauled corporate structure with clearer statutory objectives and accountability (moving beyond the single‑officeholder model that has defined the ICO for many a decade!). The feeling will be more institutional, akin to that of other regulators (the CMA for example). 

When will the O actually drop?

In stages, of course. The move to the Information Commission is expected in spring/summer 2026.

Do I need to go nuclear with CTRL+F?

• That staple language “complain to the ICO at ico.org.uk” appears in privacy policies far and wide. Unsurprisingly the DUAA doesn't make provision for this, but historically UK public bodies implement long‑running redirects when they rebrand. So expect continuity (and permanent redirects if a new domain appears) but consider making tweaks to any hyperlinks the next time you're refreshing your transparency docs.
• Further afield, whether it's privacy notices, DPIA templates, DPAs, internal policies, cookies policies, vendor questionnaires, training slides, playbooks or customer comms, again it's probably not worth rebranding your compliance framework, so just implement those tweaks as and when your docs are updated. This will become more pressing in a year or so as historical references to the ICO will be a giveaway that it's been a while since your docs were updated.

The bottom line

The ICO is losing its ‘O’, but there's still an ‘O’ in obligations. Actually, there are two. The Information Commission will look and sound more like a modern board‑led regulator, but your compliance to-do list isn't going to change… sorry. Well done if you made it this far!