21 November 2025
More than 70 civil society organisations, academics and data protection experts, including Statewatch, have called for an inquiry into the collapse in enforcement activity by the Information Commissioner’s Office (ICO). The call comes after the ICO failed to launch an investigation after the Ministry of Defence published a spreadsheet containing the details of over 19,000 people fleeing the Taliban in Afghanistan.
Dame Chi Onwurah DBE MP
Science, Innovation and Technology Committee
House of Commons
London SW1 0AA
21 November 2025
INFORMATION COMMISSIONER’S PERFORMANCE: A CALL FOR AN INQUIRY
Dear Dame Chi Onwurah DBE MP,
We are writing to you as a group of civil society, academic and legal practitioners. We are concerned about the collapse in enforcement activity by the Information Commissioner’s Office, which culminated in the decision to not formally investigate the Ministry of Defence (MoD) following the Afghan data breach.
Data protection cuts across sectors and society. It is an important line of defence against abuse and discrimination in healthcare, in the workplace, in public service delivery, in immigration control, in policing, in education. Data breaches expose individuals to serious danger and are liable to disrupt government and business continuity.
However, in a recent public hearing hosted by your committee, Commissioner John Edwards has shown unwillingness to reconsider his approach to data protection enforcement, even in the face of the most serious data breach that has ever occurred in the UK. This approach threatens UK residents’ data rights and well-being, leaves organisations on a weak footing to face growing data security threats, and imperils the government’s central growth mission.
Evidence shows a strong correlation between the ICO's lack of formal regulatory action and a surge in, sometimes egregious, data breaches in the UK.
As the ICO's own post-implementation review of its new Public Sector Approach (PSA) disclosed, “the average number of reported breaches increased by 11%”[1] following its adoption. The PSA is an ICO internal policy which prioritises engagement and public ‘name and shame’ instead of dissuasive and legally binding enforcement action. Likewise, the review notes that complaints from the British public against public sector organisations have since increased by 8%, with peaks of 21% and 12% in the justice and public health sectors respectively.[2]
Indeed, egregious and repeated data breaches have affected victims of the Windrush scandal,[3] 9,400 Northern Ireland police officers,[4] the electoral records of 40 million UK residents,[5] and 19,000 Afghanis being relocated by the MoD.[6] Despite the severity of these incidents, the ICO has applied its public sector approach and either issued reprimands — written notices that lack the force of law — or significantly lowered the monetary penalties it awarded. Further, the ICO's decision not to pursue any formal action against the MoD despite their repeated failures was extraordinary, as was its failure to record its decision making. The picture that emerges is one where the ICO's public sector approach lacks deterrence, and fails to drive the adoption of good data management across government and public bodies.
The handling of the Afghan data breach is not an isolated case; many are being let down by the ICO and its numerous failures to use corrective powers.
Alongside the shift away from enforcement in the public sector, statistics show that private sector enforcement is also becoming a rare occurrence from the ICO. Indeed, the latest ICO Annual Report reveals a sharp drop in formal investigations, criminal prosecution, and in the issuing of enforcement notices, monetary penalties, and reprimands.[7] Dovetailing the ICO’s move away from formal regulatory action, there has been a clear increase in the number of complaints from 2023 onwards.[8] This suggests that organisations are diverting resources away from compliance and responsible data practices, knowing that the ICO is not going to pursue the matter.
The ICO's response to changes to UK data protection law further exacerbates these risks. With a recent call for views on regulating online advertising, the ICO has proposed to interpret their duty to promote growth and innovation as grounds to tolerate non-compliance with legal requirements that protect Internet users from predatory advertising, micro-targeting and political profiling.[9] In another consultation, the ICO is proposing to radically curtail its handling of complaints so that many will not be investigated, but merely recorded for information purposes.[10] This posture contradicts what the law stipulates, nor does it reflect repeated reassurances from Parliament and the government that the Data (Use and Access) Act would not lower data protection standards in the UK.
Change appears to be unlikely unless the Science, Innovation and Technology Committee uses their oversight powers and steps in.
Parliament has given the ICO considerable powers not to politely hope for the best, but to enforce compliance with legally binding orders. As we heard from the public hearing you hosted, the ICO chose not to use these powers to address the Afghan data breach, a decision strenuously defended by the Information Commissioner.
Unfortunately, the Afghan data breach is not an isolated incident, but the symptom of deeper structural failures which are emerging in the way the ICO operates. The recent call for views on enforcement procedural guidance “aims to increase transparency”[11] about how the ICO investigates infringements, but does not change or even leave room to question the ICO's overall approach to enforcement.
Thus, we believe it would be of immense benefit to UK citizens, and to the shape of the UK’s digital economy, for your Committee to open an inquiry to investigate the Information Commissioner’s Office, and understand why data protection enforcement appears to be a low priority.
Signed:
5Rights Foundation
Alison Benson, Information Governance Professional
Amory Creese, Senior Lecturer
Andrew Kent, LL.M candidate
Ann Kristin Glenster, Professor at Minderoo Centre for Technology and Democracy, University of Cambridge
Aysem Diker Vanberg, Senior Lecturer in Law
Big Brother Watch
Birgit Schippers, Senior Lecturer in Law at University of Strathclyde
Dr C N M Pounder, Director at Amberhawk Training Limited
Connected by Data
Cristina, Director at CVG Solutions Ltd
Damian Clifford, Assistant Professor at LSE
Dr Daniella Lock, Lecturer in Law
Data, Tech & Black Communities CIC
Professor David Erdos, Professor of Law and the Open Society, University of Cambridge
Douwe Korff, Emeritus professor of International law
Duncan Campbell, Senior Visiting Research Fellow at School of Law, University of Sussex
Edina Harbinja, Associate Professor in Law at University of Birmingham
Ekō
Eleonor Duhs, Barrister
Emma Campbell, Program Manager at Data Privacy & Compliance at Media Company
Emma Crisp, Data Protection Manager
European Digital Rights (EDRi)
Fair Vote UK
Dr Fiona Brimblecombe, Legal Academic
Forward Democracy
Foxglove
Dr Gina Helfrich
Global Link
Good Law Project
Professor Guido Noto La Diega, Professor of Law, Technology and Innovation at University of Strathclyde
Henry Pearce, Senior Lecturer in Internet Law at Queen Mary University of London
Hermes Center
Hugh Tomlinson KC, Barrister
Irish Council for Civil Liberties
Jane Kaye, Professor
Jennifer Cobbe, Assistant Professor in Law and Technology at Faculty of Law, University of Cambridge
Kathryn Corrick, Founding Partner
Kay Young, Information and Records Management Lead
Kiran Kiani, Assistant manager legal
Li Min Ong, PhD Candidate in Law
Lilian Edwards, Emerita Professor of Law, Information and Society at Newcastle Law School
Matthew Jewell, Director at Assure Start Ltd
Mengyi Mei, PhD Candidate in Law
Michael Hrebeniak, Founder at New School of the Anthropocene
Mitchell Omer, Director at Trust Keith
Naomi Colvin, Independent Researcher
Nathan Fowler, Director at Freevacy ltd
Nicholas Gervassis, Assistant Professor in Law (Technology & Data) at University of Nottingham
Dr Oliver Butler, Assistant Professor in Law at University of Nottingham
Open Rights Group
Orla Lynskey, Professor
Paul Bernal, Professor of Information Technology Law at UEA Law School
Professor Paul Wragg, Professor of Media Law at University of Leeds
Dr Peter Coe, Associate Professor in Law at University of Birmingham
People vs Big Tech
Ralph O'Brien, Principal at REINBO Consulting and Institute of Privacy by design
Ray Corrigan, Senior Lecturer in STEM at The Open University
Rebecca Mosavian, Associate Professor at School of Law, University of Leeds
Rowenna Fielding, Director at Miss IG Geek Ltd
Simon Nixon, Senior Compliance Manager
Statewatch
Suze Phillips, Director of Data Protection Services at Garden City Assurance Ltd
Tara Taubman
Tetyana Krupiy, lecturer at Newcastle University
The Electronic Privacy Information Center (EPIC)
Tim Bell, Managing Director at DataRep UK
Tom Stoneham, Professor of AI & Data Ethics at University of York
Dr. Tony Roberts, Fellow at Institute of Development Studies
Tony Sheppard, Founder at My Data Protection World
Tristan Henderson, Senior Lecturer in Computer Science at University of St Andrews
Wendy M. Grossman, Author at net.wars
Worker Info Exchange
[1] See ICO, Post-implementation review annexes: Public sector approach trial, p.15, at: https://cy.ico.org.uk/media2/migrated/4032078/psa-post-implementation-review-annexes.pdf
[2] Ibid, p.17
[3] See ICO, Action we have taken, at: https://ico.org.uk/action-weve-taken/enforcement/2022/08/secretary-of-state-for-the-home-department-home-office/
[4] Ibid, at: https://ico.org.uk/action-weve-taken/enforcement/police-service-of-northern-ireland-mpn/
[5] Ibid, at: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/07/ico-reprimands-the-electoral-commission-after-cyber-attack-compromises-servers/
[6] Ibid, at: https://ico.org.uk/action-weve-taken/enforcement/2024/02/ministry-of-defence-1/
[7] See Information Commissioner’s Annual Report and Financial Statements 2024/25, at: https://ico.org.uk/media2/1wyfliqp/annual-report-2025-ico-v4-1-complete.pdf
For a quick overview: The UK Information Commissioner’s Annual Report 2024/25: Surveying a Systematic Trend Away from Adequate Enforcement, at: https://inforrm.org/2025/07/22/the-uk-information-commissioners-annual-report-2024-25-surveying-a-systematic-trend-away-from-adequate-enforcement-david-erdos/
[8] See Cause for Complaint: Assessing the ICO’s Proposed New Approach to Data Protection Complaints, at: https://inforrm.org/2025/10/28/cause-for-complaint-assessing-the-icos-proposed-new-approach-to-data-protection-complaints-david-erdos/
[9] See ICO call for views on our approach to regulating online advertising, at: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/2025/07/ico-call-for-views-on-our-approach-to-regulating-online-advertising/ See also: Cookie Consent Review Exposes Weaknesses in UK Data Protection Reform, at: https://www.openrightsgroup.org/blog/cookie-consent-review-exposes-weaknesses-in-uk-data-protection-reform/
[10] See ICO consultation on draft changes to how we handle data protection complaints, at: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/2025/08/ico-consultation-on-draft-changes-to-how-we-handle-data-protection-complaints/
[11] See ICO consultation on data protection enforcement procedural guidance, at: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/2025/10/ico-consultation-on-data-protection-enforcement-procedural-guidance/