Calls grow for inquiry into UK data watchdog after MoD leak
(2025/11/25)
- Reference: 1764063850
- News link: https://www.theregister.co.uk/2025/11/25/ico_inquiry_afghan_mod/
Civil society groups are urging MPs to launch a parliamentary inquiry into the Information Commissioner's Office (ICO), accusing the UK data watchdog of abandoning its enforcement duties after it declined to investigate a Ministry of Defence data leak linked to dozens of deaths.
In [1]a letter [PDF] sent this week to the chair of the Science, Innovation and Technology Committee, organizations including the Open Rights Group and European Digital Rights, along with academics and data protection experts, argue that the ICO's enforcement activity has "collapsed," leaving the country without an effective watchdog at a time of escalating government and public sector failures.
Their demand lands amid fierce criticism of the regulator's decision not to formally investigate the Ministry of Defence over what has been described as the most serious data breach in British history: the leaking of a spreadsheet revealing the identities and locations of more than 19,000 Afghans fleeing the Taliban.
Information Commissioner John Edwards defended his stance at a DSIT-hosted hearing last month, insisting the incident was a "one-off" error rather than evidence of systemic non-compliance inside the MoD.
That assurance has not landed well. Initial [5]research submitted to the Commons defence committee [PDF] found that at least 49 Afghans have since been killed, a figure that advocates say underscores the stakes of robust oversight. Adding further pressure, [6]BBC-obtained FOI responses show the MoD has suffered 49 separate data breaches in the last four years – an awkward backdrop for the regulator's claim that the spreadsheet leak was an isolated blunder.
The open letter argues the Afghan case is part of a wider pattern: a sustained retreat from formal enforcement that has coincided with an uptick in serious breaches.
Since adopting its so-called "public sector approach," the ICO has repeatedly opted for reprimands or reduced sanctions, even in high-impact cases, from the Windrush breach, in which the UK Home Office shared the email addresses of hundreds of compensation scheme applicants, to the [8]PSNI leak that exposed 9,400 officers and staff.
What's more, when hackers accessed the Electoral Commission's systems and grabbed details on 40 million voters, [9]the regulator again issued only a reprimand, despite servers not being properly updated or secured.
The ICO's [10]own review of its approach isn't flattering either. Reported breaches have risen by 11 percent since it pulled back on its corrective powers, while public data protection complaints have jumped by 8 percent.
[11]UK data regulator defends decision not to investigate MoD Afghan data breach
[12]Capita fined £14M after 58-hour delay exposed 6.6M records
[13]Clearview AI sees red as UK tribunal sides with regulator over $10M GDPR fine
[14]Flu jab email mishap exposes hundreds of students' personal data
Mariano delli Santi, legal and policy officer at the Open Rights Group, said the MoD incident "is the final straw," adding that "a data regulator that fails to deter bad practices is not worth having." He urged the committee to step in, warning that public trust cannot be restored unless the regulator is prepared to hold both the government and the private sector to account.
Beyond civil liberties concerns, the letter points to economic risks. Data security obligations are baked into UK law, and the groups argue that a regulator unwilling to enforce them directly threatens the government's own growth agenda. They cite ONS findings that the [15]UK economy recently slowed after a cyberattack on Jaguar Land Rover – a reminder that breaches have real-world economic costs far beyond fines and FOI numbers.
Whether MPs will bite is another matter. The ICO has long bristled at suggestions that it is going soft, insisting that cooperation, guidance, and "proportionate" responses achieve better long-term compliance than headline-grabbing penalties.
In a statement to The Register, a spokesperson for the watchdog said: "We have a range of regulatory powers and tools to choose from when responding to systemic issues in a given sector or industry. We respect the important role civil society plays in scrutinising our choices and will value the opportunity to discuss our approach during our next regular engagement. We also welcome our opportunities to account for our work when speaking to and appearing before the DSIT Select Committee."
With the Afghan leak now linked with reported deaths, and with pressure from civil society groups mounting, the regulator may find it harder to argue that its lighter touch is improving anything. An inquiry, if launched, would test those claims in public – and could force the ICO to explain why, at a moment of historic breaches, it's issuing fewer sanctions than ever. ®
[1] https://www.openrightsgroup.org/app/uploads/2025/11/Afghan-data-breach-ICO.pdf
[5] https://committees.parliament.uk/writtenevidence/149931/pdf/
[6] https://www.bbc.co.uk/news/articles/cp8950pyy1vo
[8] https://www.theregister.com/2023/12/12/psni_data_breach_forces_officers/
[9] https://www.theregister.com/2024/07/31/uk_electoral_commission_ico/
[10] https://cy.ico.org.uk/media2/migrated/4032078/psa-post-implementation-review-annexes.pdf
[11] https://www.theregister.com/2025/10/22/ico_afghan_leak_probe/
[12] https://www.theregister.com/2025/10/15/ico_fines_capita_14m/
[13] https://www.theregister.com/2025/10/09/ico_clearview_ai_tribunal/
[14] https://www.theregister.com/2025/09/10/birmingham_school_data_blunder/
[15] https://www.theregister.com/2025/11/07/bank_of_england_says_jlrs/
Doctor Syntax
insisting the incident was a "one-off" error
All incidents are one-off when they happen. That doesn't make them OK.
Beyond Shameful
Most data breaches only represent financial risks for the people who are exposed. In this case, the breach resulted in people who the UK government promised to protect being murdered.
To not investigate and punish the MoD for this is unacceptable.