70+ organisations and experts demand action over failing ICO

  • Failure to investigate the Afghan data leak is ‘final straw’ following collapse of enforcement by the data regulator.
  • Evidence shows correlation between ICO shift away from use of corrective powers and surge in data breaches that expose people’s lives to danger
  • Public sector approach has failed to protect the public from bad data management, leaving government and public bodies on a weak footing to face growing data security threats

Over 70 civil society organisations, academics and data protection experts have urged the Chair of the Select Committee for Science Information and Technology to open an inquiry into the collapse in enforcement activity by the Information Commissioner’s Office (ICO).

The organisations’ demand for an inquiry has been made more urgent by the data regulator’s decision not to formally investigate the Ministry of Defence (MoD) after the most serious data breach in British history – the leaking of a spreadsheet containing the details of over 19,000 people who were fleeing the Taliban.

Last month, the Information Commissioner John Edwards defended the decision not to investigate the MoD at a public hearing hosted by DSIT. Initial on-the-ground research submitted to the Commons defence select committee inquiry into the data breach found that at least 49 people have been killed as a result of the data being leaked.

As the open letter reports, the Afghan data breach is not an isolated case but part of a broader trend which has seen the ICO shying away from using its enforcement powers. Evidence shows a correlation between the ICO’s lack of formal regulatory action and a surge in sometimes egregious data breaches in the UK.

Legal and Policy Officer at Open Rights Group, Mariano delli Santi, said:

“After years of failing to hold public sector organisations to account, the failure of the ICO to investigate the most serious data breach in UK history is the final straw. The ICO’s public sector approach must end before more people are harmed by data breaches at the hands of the government and public authorities. 

“A data regulator that fails to deter bad practices is not worth having. We need a strong data regulator which is not afraid to take action against both the government and private sector. 

“We urge the Select Committee to open an inquiry and take action to restore trust in the ICO.”

The ICO claimed that the Afghan data breach was a “one-off occurrence following a failure to [follow] usual checks, rather than reflecting a wider culture of non-compliance”. However, responses to freedom of information requests by the BBC found that there had been 49 separate data breaches at the MoD over the last four years.

Failing public sector approach

The ICO has a range of enforcement powers ranging from reprimands through to substantial fines and criminal prosecutions. However, for the last 3-4 years, it has shifted away from using corrective powers against public sector organisations except as a last resort.

The ICO’s own review of its public sector approach found that “the average number of reported breaches increased by 11%” following its adoption. Likewise, the review shows an 8% increase in the number of data protection complaints lodged by British residents since the public sector approach was adopted. The public sector approach was supposed to improve data protection practices but, by removing the deterrent of regulatory sanctions, it has worsened the status quo instead.

Other instances where the ICO issued reprimands or significantly lowered the awarded fines include:

  • The ICO issued a reprimand when a contractor for the Home Office recorded victims of the Windrush scandal without recorded consent on a private phone and uploaded the films to her personal YouTube account, outside of Home Office systems.
  • The ICO used its powers of discretion to significantly reduce a fine issued to the Police Service of Northern Ireland (PSNI) after details of 9,400 police officers and civilian staff were leaked in 2023. It was reported that the data ended up in the hands of dissident Republicans.
  • The ICO issued a reprimand to the Electoral Commission after hackers accessed the electoral records of 40 million UK residents. This was despite the fact that the Electoral Commission did not have appropriate security measures in place and had not kept its servers up to date with the latest security updates.

Impact on the economy

Data protection law imposes information security requirements, and the ICO must play its role in ensuring organisations take their obligations to comply with them seriously, or it risks imperilling the government’s central growth mission. The ONS reports that the UK economy has slowed due to the Jaguar Land Rover cyber-attack, which led to a big fall in car production.

Hands Off Our Data