UK groups demand inquiry into ICO’s enforcement failures
The open letter argues that the ICO’s softer stance toward public bodies has coincided with a rise in serious breaches, citing issues at the PSNI, the Electoral Commission, and other agencies. The signatories warn that weak oversight leaves the public exposed to growing security risks and undermines trust in the UK’s data governance system.
More than 70 civil society organisations, academics, and data protection experts have asked the UK Parliament’s Science, Innovation and Technology Committee to open an inquiry into what they describe as a collapse in enforcement by the Information Commissioner’s Office (ICO). Their call follows the ICO’s decision not to formally investigate one of the most serious data breaches in UK history: the leaking of a Ministry of Defence (MoD) spreadsheet exposing the details of over 19,000 Afghans fleeing the Taliban.
The organisations argue that the ICO’s refusal to investigate the MoD marks a turning point. They cite evidence submitted to the Commons Defence Select Committee showing that at least 49 people have been killed after their information was disclosed. In recent years, they say, the ICO has taken a lenient approach toward public sector organisations, relying mainly on reprimands and sharply reducing the use of corrective powers such as fines. This shift, they claim, correlates with an increase in serious breaches. According to the ICO’s own review, reported public sector data breaches grew by 11 percent after the regulator adopted this softer approach, and data protection complaints rose by 8 percent.
Examples cited in the open letter include reduced penalties or reprimands in high-profile cases involving the Police Service of Northern Ireland, the Electoral Commission, and the handling of sensitive information relating to the Windrush scandal. Critics argue that this pattern has undermined deterrence, allowing poor data management practices to persist inside government and public bodies. They warn that this weakens the UK’s ability to face growing cybersecurity threats, with economic repercussions. The Office for National Statistics recently linked a slowdown in UK manufacturing output to disruptions caused by a major cyberattack on Jaguar Land Rover.
The signatories are urging Parliament to review the ICO’s approach and restore confidence in the regulator’s ability to act independently and decisively. They argue that without a credible enforcement body, both the public sector and private companies will lack the incentives needed to protect people’s data and prevent further harm.
