Last week the Information Commissioner, John Edwards, gave evidence to the House of Commons Science, Innovation and Technology Committee.
Mr Edwards faced some tough questions about his response to the Afghan data breach, in which a Ministry of Defence (MoD) official mistakenly emailed a spreadsheet containing personal details of over 18,000 Afghan nationals who had applied to move to the UK under the Afghan Relocations and Assistance Policy (ARAP). The breach was only discovered in August 2023, when excerpts of the data appeared on Facebook. By then, the damage was done. A new resettlement scheme for those on the leaked list was set up and has seen 4,500 Afghans arrive in the UK so far. The Afghan Relocation Route has cost £400m so far, and the Government has said it is expected to cost a further £450m.
It’s fair to say that overall the committee was not impressed with the ICO’s approach and John Edwards’ answers to some of their questions. Kit Malthouse’s claimed that the Afghan data breach was dealt with through “a few unrecorded meetings and a handshake”.
Mr Edwards also answered questions about his wider remit. He slipped in that he has served a Notice of Intent on a social media company (Reddit), but did not give any details. If you missed the live session, you can still watch the recording.
The Information Commissioner’s session start at 9:46 on the recording here.
If you prefer to read an account of his performance, the Independent covers it here.
This and other data protection developments will be discussed in detail on our forthcoming GDPR Update workshop. The new (2nd) edition of the UK GDPR Handbook has been published. It contains all the changes made by the Data (Use and Access) Act 2025.
