Calls for an inquiry into ICO over its poor enforcement action record
24/11/2025 | The Guardian
In an open letter to Chi Onwurah, Chair of the Science, Innovation and Technology Committee, the Open Rights Group, along with more than 70 civil society organisations, including Big Brother Watch, European Digital Rights, Good Law Project, Statewatch, and Freevacy, are calling for an inquiry into the decline in enforcement activity by the Information Commissioner’s Office (ICO).
The letter explains that the call for an inquiry is urgently needed after a decision by the ICO not to formally investigate the Ministry of Defence (MoD) following the catastrophic 2022 personal data breach, which put thousands of Afghan citizens' lives at risk. Despite being one of the most serious personal data breaches in British history, the decision was defended by Information Commissioner John Edwards at a public hearing last month. Initial research submitted to the Commons defence select committee suggests at least 49 people have been killed as a result of the leaked data.
The groups argue that the Afghan data breach is not an isolated case, but part of a broader trend in which the ICO is avoiding the use of its enforcement powers, which has correlated with a surge in serious data breaches across the UK.
Legal and Policy Officer at Open Rights Group, Mariano delli Santi, said:
"After years of failing to hold public sector organisations to account, the failure of the ICO to investigate the most serious data breach in UK history is the final straw. The ICO’s public sector approach must end before more people are harmed by data breaches at the hands of the government and public authorities.
"A data regulator that fails to deter bad practices is not worth having. We need a strong data regulator which is not afraid to take action against both the government and private sector.
"We urge the Select Committee to open an inquiry and take action to restore trust in the ICO."
Read ORG press release.