NGOs: ICO inactivity deserves parliamentary inquiry

Updated as of: 25 November 2025

Civil society groups have raised the alarm about a “collapse in enforcement activity” by the UK data regulator following its decision not to investigate the MOD Afghan breach.


More than 70 civil society groups, academics and data experts on 21 November sent a letter to Science, Innovation and Technology Committee chair Dame Chi Onwurah urgently demanding an inquiry into the performance of the UK Information Commissioner’s Office (ICO). The groups referred to the ICO's controversial decision not to investigate the Ministry of Defence (MOD) following the high-profile Afghan data leak as the “final straw”. 

The committee notably hosted a public hearing last month during which MPs criticised the ICO for failing to investigate the 2022 breach – which had exposed sensitive personal data relating to more than 18,000 Afghans involved in a resettlement scheme – and for keeping no record of its decision-making process. 

MP Kit Malthouse, for example, had claimed it was “shocking” that the ICO took no further steps to keep track of the case and of any dialogue between it and the MOD. “It seems it was dealt with by a few unrecorded meetings and a handshake,” Malthouse said at the time.

The letter noted that during the committee hearing, Information Commissioner John Edwards showed an “unwillingness to reconsider” his approach to enforcement, even in the face of “the most serious data breach that has ever occurred in the UK”. It added that the ICO’s decision not to record its process or pursue formal action against the MOD’s “repeated” data failures “was extraordinary”.

A spokesperson for the committee told Lexology PRO that it is already doing a lot of work on the ICO and its effectiveness, including the recent evidence session “which answered most points that the letter makes”. 

“The committee is also looking to do more work on the ICO in 2026,” the spokesperson added.

Meanwhile a spokesperson for the ICO said that the regulator respects the “important role civil society plays” in scrutinising its choices and will value the opportunity to discuss its approach during their next engagement. 

“We also welcome our opportunities to account for our work when speaking to and appearing before the DSIT Select Committee,” they added.

Public sector approach “must end”

The organisations, which include the Open Rights Group, Big Brother Watch and the Irish Council for Civil Liberties, further warned that the regulator’s response to the breach is part of a broader trend of the ICO opting out of using its corrective powers. There is a “strong correlation” between the lack of formal regulatory action by the ICO and a recent surge in UK data breaches, the letter added. 

They particularly noted that the regulator’s public sector approach – under which it favours reprimands or reduced monetary penalties against government entities – lacks a deterrent effect and fails to push improved data protection standards. 

For example, the letter cited the ICO’s decision to cut a data security fine it issued to the Police Service of Northern Ireland from £5.6 million to £750,000 and to only reprimand the Electoral Commission following a cyberattack compromising the data of 40 million people. 

Open Rights Group legal officer Mariano delli Santi said the approach “must end before more people are harmed by data breaches at the hands of the government and public authorities”. 

“A data regulator that fails to deter bad practices is not worth having. We need a strong data regulator which is not afraid to take action against both the government and private sector,” delli Santi noted, adding that the committee should take action to “restore trust in the ICO”. 

The ICO had on 11 November issued an update to its public sector approach in an attempt to clarify its application.

Among other things, it set out that organisations in the wider not-for-profit sector such as charities and social enterprises are not in scope of the approach. The ICO had in May 2024 cut a planned fine against the YMCA by 97.5% under the public sector approach, despite the fact that it is a private charity. 

It further clarified the circumstances under which cases can qualify as “egregious” and therefore may lead to a fine. The ICO said it will take into account potential harm to people, the intentional or negligent character of the infringement and relevant previous infringements by the controller. 

But delli Santi told Lexology PRO that the ICO update “is a clear demonstration” that its policies exist only on paper and are disregarded in practice. He noted that the regulator decided not to open a formal investigation into the Afghan breach even though it checks all the criteria to qualify as an “egregious” case. 

“It is hardly surprising that public organisations are not taking data protection seriously, as they know the ICO will not hold them to account,” he said.

According to the letter, while the regulator’s October consultation on enforcement procedural guidance looks to increase transparency, it does not leave room to change or question the ICO’s overall approach to enforcement. “Thus, we believe it would be of immense benefit to UK citizens, and to the shape of the UK’s digital economy, for your Committee to open an inquiry to investigate the [ICO], and understand why data protection enforcement appears to be a low priority,” they said.

Documents

Letter.pdf