Technology & Innovation

‘The problems didn’t begin with John Edwards’: Pressure grows for wider data watchdog overhaul

John Edwards’ resignation was meant to draw a line under the workplace misconduct scandal that engulfed Britain’s data watchdog. Instead, it has shifted scrutiny onto the leadership that surrounded him – and of the regulator’s record long before he stepped down. Tech secretary Liz Kendall told MPs on Wednesday she

  • Saskia Koopman
  • July 9, 2026
  • 0 Comments

Thursday 09 July 2026 11:59 am

John Edwards’ resignation was meant to draw a line under the workplace misconduct scandal that engulfed Britain’s data watchdog. Instead, it has shifted scrutiny onto the leadership that surrounded him – and of the regulator’s record long before he stepped down.

Tech secretary Liz Kendall told MPs on Wednesday she was “appalled” to learn Edwards is understood to be preparing legal action against one of the women who raised concerns about his behaviour during the workplace investigation that led to his resignation. She also announced an independent review into the ICO’s culture and governance, alongside plans to appoint a majority-female board of non-executive directors.

“There have been wider problems at the Information Commissioner’s Office for quite some time,” professor David Erdos, professor of law and the open society at the University of Cambridge, told City AM. “It would be naïve to think these issues begin and end with John Edwards.”

“What we’ve been seeing is under-enforcement of the law. The regulator has become increasingly selective about when it acts, even in very serious cases. It would be naïve to think this has only resulted from John Edwards.”

During Edwards’ tenure, the ICO faced questions over whether it was willing to use the enforcement powers parliament had handed it.

#mc_embed_signup { background: #fff; clear: left; font: 14px Helvetica, Arial,sans-serif; width: 100%; max-width: 600px; margin: 20px 0; } #mc-embedded-subscribe-form { margin: 20px 0 !important; } .newsletter-form-flex { display: flex; gap: 0; align-items: center; margin-top: -10px; } .newsletter-form-flex input[type=”email”] { flex: 1; padding: 2px 10px; border: 1px solid rgb(18, 22, 23) !important; border-radius: 12px 0 0 12px !important; } .newsletter-form-flex input[type=”submit”] { padding: 4px 10px !important; margin: 0 !important; background-color: rgb(18, 22, 23) !important; color: rgb(255, 255, 255) !important; border: 1px solid rgb(18, 22, 23) !important; border-radius: 0 12px 12px 0 !important; } .newsletter-banner-content { margin-bottom: 15px; } .newsletter-banner-content h2 { margin: 0 0 10px 0; font-size: 18px; font-weight: 600; } .newsletter-banner-content p { margin: 0 0 10px 0; line-height: 1.5; } .newsletter-banner-content ul, .newsletter-banner-content ol { margin: 0 0 10px 20px; } .newsletter-banner-content a { color: #0073aa; text-decoration: none; } .newsletter-banner-content a:hover { text-decoration: underline; } .newsletter-banner-content img { max-width: 100%; height: auto; margin: 10px 0; } #mc_embed_signup #mce-success-response { color: #0356a5; display: none; margin: 0 0 10px; width: 100%; } #mc_embed_signup div#mce-responses { float: left; top: -1.4em; padding: 0; overflow: hidden; width: 100%; margin: 0; clear: both; }

Earlier this year Keir Starmer and Chancellor Rachel Reeves wrote to regulators urging them to go further in supporting growth, reinforcing concerns among some privacy experts that robust enforcement had slipped down the agenda.

In 2023-24, the regulator issued just two GDPR fines worth a combined £3.8m despite receiving tens of thousands of complaints. Even this year, complaint volumes have climbed towards 75,000 while formal enforcement has remained comparatively sparse.

“The ICO has become hyper-discretionary, to the point where it often appears able to decide to do nothing formal,” Erdos said. “Tens of thousands of complaints come into the ICO every year, yet many appear to go nowhere.”

Edwards defended those claims earlier this year, arguing the watchdog could not investigate every complaint without spending its time “reacting to noise instead of making meaningful interventions to protect the public.”

A regulator that stopped regulating

That philosophy has become one of the defining fault lines of his tenure, particularly following the ICO’s decision not to formally investigate the Ministry of Defence’s mass Afghan data breach.

The breach, which exposed the personal details of more than 18,000 Afghans who had supported British forces and later triggered a secret resettlement scheme, is widely regarded as one of the most serious data incidents in recent UK history.

Despite the scale of the breach, the ICO decided against opening a formal investigation. Instead, it worked alongside the MoD while a superinjunction remained in place, concluding that the department had identified the causes of the breach, taken corrective action and that further regulatory intervention would add little beyond existing scrutiny.

The decision caused a bruising appearance before parliament last October. During a Science, Innovation and Technology Committee hearing, former policing minister Kit Malthouse accused the watchdog of dealing with the case through “a few unrecorded meetings and a handshake”, describing the absence of any recorded decision-making process as “alarming”.

Edwards later defended the approach, arguing the watchdog had already scrutinised the MoD’s response under severe national security constraints and that a formal investigation would have diverted resources from other priorities.

“The Afghan data breach raised profound questions about the ICO’s regulatory culture,” Erdos said.

Several former officials and practitioners separately described confidence in the regulator as having steadily eroded over recent years, with two former ICO employees telling City AM what they saw as an increasingly cautious approach to enforcement; and another arguing leadership and staff morale had deteriorated long before Edwards resigned.

Read more Former Bank of England rate-setter to become next OBR chair  Rebuilding credibility

The review comes as the ICO prepares for its biggest governance overhaul in decades, as it begins its transition from a single Information Commissioner model to a board-led Information Commission. Paul Arnold, who was appointed interim chief executive by Edwards ahead of the transition to the new statutory commission, is expected to oversee the regulator while ministers recruit a permanent chair.

“The ICO’s powers are only as meaningful as its willingness to use them,” Joanna Ludlam, co-chair of Jenner & Block’s investigations department, told City AM. “Strong leadership isn’t optional for a regulator – it’s central to its effectiveness.”

Moving to a to a board-led Information Commission gives ministers an opportunity to rebuild that credibility, she added, but only if appointments bring genuine regulatory, and technological expertise rather than continuity: “This is an opportunity to address the credibility deficit rather than simply manage a crisis,” she said.

“The platforms the ICO regulates are sophisticated and extremely well-resourced”, Ludlam added. “What the regulator needs now is leadership with the credibility to close the gap between the law and enforcement.”

According to a former ICO employee, ministers are looking for someone with both political credibility and enough authority to unite an incoming board of experienced non-executive members while rebuilding confidence inside the regulator.

Nicola Cain, chief executive of Handley Gill, also said Edwards’ departure itself was unlikely to materially alter the regulator’s day-to-day work because deputies had already been exercising many of his statutory functions during his absence. “The biggest risk for the organisation appears to be retaining, or regaining, the trust and confidence of its own staff,” she said.

Cain said the transition also raises questions about what existing senior leaders knew about concerns raised during Edwards’ tenure and whether the new governance structure can convince staff and industry that it represents a genuine break from the past.

Scrutiny intensifies

The review itself is already attracting scrutiny. In a message to staff, interim chief executive Paul Arnold said the review announced by ministers was the same lessons-learned exercise the ICO had already promised employees, but would be jointly commissioned with DSIT.

Yet when Arnold wrote to parliament following Edwards’ resignation, he referred only to an independent lessons-learned review commissioned by the ICO, making no reference to DSIT’s involvement.

Only after Kendall’s announcement did staff receive confirmation the review would instead be jointly commissioned with the department, raising questions among former officials over whether government had since taken a more direct role.

Several former officials said restoring confidence will depend on whether the review is seen as genuinely independent of the executives now responsible for leading the organisation through the transition.

An ICO spokesperson said: “As the independent investigation found, John Edwards’ conduct was unacceptable and fell well short of the standards we expect and of the safe, respectful working environment every member of staff at every level in an organisation deserves.”

“The role of Information Commissioner is extraordinary in that it is a Crown appointee and accountable to Parliament. Despite the limitations of this governance structure, concerns were raised, action taken when necessary, and outcomes shared with DSIT when appropriate. Some of these concerns formed the basis for the recent workplace investigation.”

“An independent lessons learned review, which we will be commissioning jointly with DSIT, will respond to the findings of the investigation and ensure lessons are learned, no matter how challenging. Enhancing our workplace support is an ever-present commitment and we’re determined to work with our staff to ensure something like this never happens again at the ICO.”

The next Information Commissioner will inherit more than an empty office. They will inherit a regulator being asked both whether it failed to police Britain’s data laws aggressively enough, and whether it governed itself to the standards it expected of everyone else.

Read more Government departments will look at cutting budgets to fund defence, minister says

Similarly tagged content: Sections Categories People & Organisations

This post was originally published on this site.