Commissioner Edwards responds to Select Committee's request for further information
07/01/2026 | ICO
After appearing before the Science, Innovation and Technology Committee last October to give evidence on his regulatory oversight of information and data security across government, Information Commissioner John Edwards has sent a letter to Committee Chair Chi Onwurah. In the letter, Commissioner Edwards provides updates on several areas where the Committee requested additional information.
Of particular note, the Commissioner addressed the complexities surrounding the 2022 personal data breach, stating that it was part of a very limited set of cases requiring exceptional handling procedures. Due to the very high classification of the information involved, the MoD imposed significant restrictions on how the Information Commissioner's Office (ICO) could manage the case. These constraints, Edwards explained, even affected investigators' ability to take contemporaneous notes or maintain detailed records of the decision-making process at the time.
Edwards goes on to clarify the ICO's broader capacity for handling sensitive material. While most cases are managed within standard restricted-access systems by security-cleared staff, rare instances like the MoD breach require separate physical and digital provisions. Edwards confirmed that, as a result of the MoD breach, the ICO is currently increasing the number of staff with the appropriate clearance to ensure the regulator is suitably equipped to handle classified information through secure channels.
Commenting on the letter in a LinkedIn post, data protection specialist Jon Baines found Edwards's response "extraordinary" and asked whether he "considered the availability of the diverse coercive powers conferred on him to challenge such constraints?"
Beyond the MoD breach, Commissioner Edwards discussed the ICO's role in raising standards across the public sector, noting that since April 2023, his audit teams have made 1981 recommendations to 80 public sector organisations, with over 95% being accepted in full or in part, and over 98% of these actioned or in progress at the follow-up stage.
On enforcement, Edwards noted that his public sector approach has resulted in 77 reprimands over two years, an increase of 54%, to address compliance violations such as security failings and subject access request backlogs. Edwards also noted the £3.07 million monetary penalty against Advanced Computer Software Group following a 2022 ransomware attack that disrupted a number of critical services, including NHS 111, and prevented healthcare staff from accessing patient records.
The Commissioner also provided detailed responses concerning his office's investigations into the use of children's personal information and how the ICO works closely with Ofcom on online safety issues such as deepfakes and doxxing.