The Information Commissioner's Office (ICO), the UK's data regulator, is under pressure after the Open Rights Group (ORG) and 70 other civil society organizations, academics, and data protection experts urged the Select Committee for Science Information and Technology to open an inquiry into the body, specifically to investigate the collapse in enforcement activity by the ICO against public entities.
They argue that a data regulator that fails to deter bad practices is not worth having and must take action against both the government and the private sector. The catalyst for this action was the ICO's inaction over a Ministry of Defence (MoD) leak of a spreadsheet containing the details of more than 19,000 people fleeing the Taliban. The ORG said that initial research suggests at least 49 people have been killed as a result of the data leak.
The ORG said that the ICO's failure to investigate the "most serious data breach in UK history" is the "final straw." To defend itself, the ICO claimed that the incident was a one-off occurrence. However, freedom of information requests revealed that there were 49 separate data breaches at the MoD over the last four years.
Over the same period, the ICO has shifted away from using its stronger corrective powers, including substantial fines and criminal prosecutions against public sector organizations. It was highlighted that there is a correlation between the lack of formal regulatory action and a surge in data breaches. The ICO has even done a review of its public sector approach. It found the average number of reported breaches increased by 11% after its adoption and the number of data protection complaints lodged by British residents increased by 8%.
The letter highlights several areas where the ICO has decided not to pursue strict enforcement against the public sector. In one case it issued a reprimand against the Home Office when a contractor recorded Windrush victims without consent and uploaded the films to a personal YouTube account.
Another incident saw the ICO significantly reduce a fine against the Police Service of Northern Ireland (PSNI) after details of 9,400 officers and civilian staff were leaked in 2023, data which ended up with dissident Republicans. Finally, the ORG said that the ICO only issued a reprimand against the Electoral Commission after hackers accessed the electoral records of 40 million UK residents due to a lack of appropriate security measures and servers that had not been updated.