Councils, NHS organisations, schools and public bodies face a more demanding compliance baseline than the private sector. Here is what that means in practice.
Public sector organisations operate under a compliance framework that is meaningfully different from — and in most respects stricter than — the framework applying to private sector employers. Freedom of information obligations, the public sector equality duty, NHS data security standards, local authority transparency requirements, and procurement rules all create obligations that do not exist in commercial settings.
Yet many public bodies are using the same generic policy templates as private sector organisations — or, in some cases, policies that have not been reviewed since the organisation last had an external audit. This is a risk that is growing, not shrinking, as regulatory scrutiny of public sector data handling and AI use intensifies.
Public authorities subject to the Freedom of Information Act 2000 (FOIA) must have documented procedures for handling information requests, including an internal review process and an explanation of the complainant's right to appeal to the regulator. The Information Commissioner's Office monitors public authority compliance closely, and failures to respond within the statutory 20-working-day deadline, or to keep records adequate to locate the requested information, are regular subjects of ICO decision notices.
Section 149 of the Equality Act 2010 (the public sector equality duty) requires public bodies, in the exercise of all their functions, to have due regard to the need to eliminate discrimination, advance equality of opportunity and foster good relations between people who share a protected characteristic and those who do not. This goes further than the prohibition on discrimination that applies to private sector employers: it is a positive, ongoing duty, not just a rule against treating people worse. Policies covering recruitment, performance management, reasonable adjustments and pay equity all need to reflect this higher standard.
NHS organisations, and any other organisation that handles NHS patient data, must complete the Data Security and Protection Toolkit (DSPT) self-assessment each year and reach the required standard. The Toolkit is updated regularly, and many organisations that rely on generic information security policies find those policies do not map cleanly onto the DSPT assertions, creating gaps that auditors identify and that must be remediated before the submission deadline.
Local authorities are subject to transparency publication requirements under the Local Government Transparency Code 2015, including obligations to publish senior salary data, contracts above certain thresholds, and spending data. Policies governing procurement, contract management and financial transparency need to reflect these obligations explicitly — they are not addressed by standard private-sector compliance templates.
Public sector bodies using AI tools face a stricter standard than private sector equivalents. The combination of public accountability duties, the restrictions on solely automated decision-making under Article 22 UK GDPR, and the political sensitivity of automated decisions about access to government services means that an AI governance framework adequate for a private company is unlikely to be adequate for a council or NHS trust.
The ICO and CMA joint guidance on foundation model market dynamics (March 2026) specifically addresses public sector procurement of AI tools and sets expectations about market concentration risk, vendor lock-in, and data sovereignty. Public sector bodies buying or renewing AI contracts should have this reflected in their AI procurement policy.
Our Full Suite Government subscription includes all 45 standard policies plus 19 public-sector-specific addenda, covering:
All 64 policies are personalised with your organisation's specific details using our 15-minute questionnaire.
64 policies — the full Standard suite plus 19 government addenda. From £197/month.
Mark Osei is a Chartered Governance Professional (CGP) specialising in UK public sector governance and procurement compliance. He advises councils, NHS organisations, and educational bodies on regulatory frameworks and policy requirements.