Pressure is mounting on Parliament to bring the Information Commissioner’s Office to account amid claims that MPs should launch a major investigation into a “collapse in enforcement activity” at the regulator.
More than 70 civil liberty groups, academics and legal experts have joined forces to demand action in a letter to the chair of Parliament’s Science, Innovation & Technology Committee, Chi Onwurah, arguing that the ICO is plagued by deep “structural failures”.
It also alleges that a lack of enforcement actions by the ICO, particularly against public sector agencies, has led to an 11% increase in reported breaches and an 8% increase in data protection complaints.
The move follows a call by Cambridge don Professor David Erdos for UK and European lawmakers to take a long, hard look at the record of the ICO, following what he branded “a severe and serious weakening of information rights regulation” under the current regime, which is threatening its primary role to “robustly protect people’s personal data”.
And, like Professor Erdos, the group’s call for an inquiry focuses on the regulator’s failure to investigate the Ministry of Defence for the 2022 leak of data belonging to Afghans who had worked for the British government.
Information Commissioner John Edwards defended the decision not to probe the MoD last month despite research submitted to a Parliament committee probing the incident suggesting that at least 49 people have been killed as a result of the leak. That research was produced by a non-profit advocacy group for refugees, as well as academics at two British universities.
Open Rights Group legal and policy officer Mariano delli Santi said in a statement: “After years of failing to hold public sector organisations to account, the failure of the ICO to investigate the most serious data breach in UK history is the final straw.”
At the heart of the issue is the ICO’s policy of issuing reprimands to public sector organisations, rather than fines, a measure that was brought in on a trial basis by Edwards in 2022.
The idea centres around replacing the emphasis on stiff fines in an effort to work proactively with senior leaders to encourage data protection compliance, prevent harms before they occur and learn lessons when things have gone wrong.
However, this has proved highly controversial. Delli Santi commented: “The ICO’s public sector approach must end before more people are harmed by data breaches at the hands of the government and public authorities.”
In its defence, the ICO has maintained the Afghan data breach was a “one-off occurrence following a failure to [adhere to] usual checks, rather than reflecting a wider culture of non-compliance”. However, documents provided to the BBC under the Freedom of Information Act reveal 49 separate data breaches at the MoD in the last four years.
The open letter states: “The handling of the Afghan data breach is not an isolated case; many are being let down by the ICO and its numerous failures to use corrective powers.”
According to the ICO’s Annual Report for 2024-25, there were only 43 UK GDPR investigations in this period compared to 285 in 2023-24 (less than a fifth of the previous year’s total), and not a single UK GDPR enforcement notice.
Meanwhile, as Decision Marketing reported, just two UK GDPR fines were issued, totalling £3.8m (compared to three fines totalling £13m in 2023/24), while PECR fines (and related notices) were down to nine, totalling £890,000, compared to 26, totalling £2.59m, in 2023/24, which again represents an approximate 65% decrease.
The ICO has issued reprimands or drastically reduced fines in several cases, including when a contractor at the Home Office recorded victims of the Windrush scandal “without recorded consent on a private phone and uploaded the films to her personal YouTube account, outside of Home Office systems,” Open Rights Group said.
The Windrush scandal involved the wrongful detentions and deportations of Caribbean immigrants.
The ICO also slashed a fine against the Police Service of Northern Ireland (PSNI) after data belonging to 9,400 police officers and civilian staff was leaked in 2023, the group said, and it only issued a reprimand to the country’s Electoral Commission after malicious actors accessed 40 million UK residents’ election records.
“This was despite the fact that the Electoral Commission did not have appropriate security measures in place and had not kept its servers up to date with the latest security updates,” the group claims.
There has also been a marked decrease in investigations of ransomware incidents by the ICO in recent years.
Only 87 of the 1,253 incidents reported to the regulator in 2023 were investigated. Only 19 of 440 incidents reported in the first half of 2024 were probed. In 2019 and 2020, more than 99% of 605 ransomware incidents were investigated by the ICO.
The letter concludes by urging the committee to open an inquiry “to investigate the Information Commissioner’s Office, and understand why data protection enforcement appears to be a low priority”.