The UK Information Commissioner’s Office (ICO) has some history of failing to learn the lessons from its past information governance mistakes, even seeking to present these as a testament to success. For example, its publicity video for its 40th anniversary released earlier this year stated that the 2012 Leveson Inquiry, which followed the phone hacking scandal, showed it “stand[ing] up during scandals” and thereby demonstrated a track record of “being there when you need us most”.
In fact, backed up by copious evidence, Lord Justice Leveson held that the ICO’s conduct had constituted “regulatory failure” and that this had arisen from it “not be[ing] keen to exercise the powers and functions reposed to it by Parliament” despite “the abundant evidence, both patent and latent, of problems”. He also explicitly stated that this “was not simply a historic matter; it is perceptible in its approach today”.
Unfortunately, despite some initial hopes to the contrary in the lead-up to and first years of the General Data Protection Regulation (GDPR), the ICO has become even more reluctant to use the much more formidable powers and functions which are reposed to it in the UK GDPR. Such reluctance was very publicly in evidence this past week during what may be just the beginning of a potentially far more serious scandal involving the February 2022 Ministry of Defence breach of 33,000 lines of gravely sensitive personal details related to almost 19,000 Afghan applicants for relocation to the UK following the Taliban takeover in 2021.
This breach put up to 100,000 people (the applicants and their family members, an undisclosed number of whom were themselves mentioned in the data) at grave risk of harm and may even have resulted in some of their deaths. Although many aspects of both the incident itself and the way in which the ICO did (and didn’t) respond remain unknown or are very murky, some key facts are starting to become clear:
- In September 2021 – five months before this data breach – the ICO was notified of 2 (and, by October, 3) similar Ministry of Defence data breaches that put 265 Afghan applicants at grave risk by revealing their highly sensitive status through the carbon copy field in email.
- By August 2023 the ICO should have been (and it seems likely was) notified of the Ministry of Defence’s far more grave February 2022 spreadsheet data breach, yet in December 2023 it still chose to maintain its post-June 2022 “public sector approach” and to deploy this to reduce the Ministry’s fine for the 2021 breaches by a full 50% to just £350K (the maximum possible fine under law was £8.7M). Indeed, this flawed public sector approach, which has no statutory basis, remains in place today.
- Even more concerningly, in relation to the much more serious February 2022 spreadsheet data breach, the ICO did not conduct a full investigation and it issued no fine whatsoever, nor did it take any other regulatory action such as placing the Ministry under an enforcement notice. It did not even issue a reprimand. This was despite the Information Commissioner John Edwards stating in December 2023, at the time of issuing the £350K fine for the Ministry’s 2021 data breaches, that when “we see breaches of data protection that are so egregious that they put people’s lives at risk” it is “necessary for us at the ICO to apply the full sanctions of the law”.
- It is also clear that the ICO took no part (and wasn’t even mentioned) in the legal proceedings which prevented the fact of the spreadsheet data breach from being communicated. This was despite these proceedings being centrally concerned with what was necessary and proportionate to protect data subjects in a situation of grave risk, and despite the upholding of the prohibition preventing the Ministry of Defence from discharging its default legal obligation, and each data subject’s default right, to be notified of any high-risk data breach (UK GDPR, art. 34).
As the Court of Appeal stated in Delo v Information Commissioner [2023] EWCA Civ 1141, “there may sometimes be cases in which the Commissioner cannot decline to act” (at [79]). This is very clearly such a case. Article 83 of the UK GDPR requires that the ICO “ensure that the imposition of administrative fines” is “effective, proportionate and dissuasive”, and Recital 148 authoritatively interprets this to mean (amongst other things) that organisations (whether governmental or otherwise) must be fined for any infringement which is not “minor”. As the Commissioner himself seems broadly to acknowledge, the violation here was not only non-minor but positively egregious.
As many others such as Jon Baines have pointed out, the ICO has many other tools in its formal arsenal including enforcement notices, reprimands and making a report to Parliament. It should use them. If it did, then – given the many hundreds of millions of pounds which even partial remediation of this breach has already cost – it would be reasonable to take these other actions significantly into account when calculating a fine.
What is absolutely clear is that it is only by taking robust formal action that the “strong enforcement” (Recital 7) which was solemnly promised in the UK GDPR can be delivered. This requires an end to the hyper-discretion and hyper-selectivity (frankly, often to near vanishing point) that has characterised ICO regulatory action in recent years.
David Erdos is Professor of Law and the Open Society and Co-Director of the Centre for Intellectual Property and Information Law in the Faculty of Law and WYNG Fellow at Trinity Hall, University of Cambridge. He is also an associate member of Matrix Chambers.