Information Commissioner's Office Bewertungen 498

Rights groups accuse ICO of ‘collapse in enforcement activity’
Softly-softly approach ‘fails to drive the adoption of good data management across government and public bodies’

24 November 2025

A group of 73 civil rights organisations, campaigners, lawyers and academics has written to Chi Onwurah - chair of Parliament’s Science, Innovation and Technology Committee - demanding an enquiry into the Information Commissioner’s Office (ICO), the UK’s data protection watchdog, for what they say is a failure to properly investigate and punish data breaches.

In an open letter, the signatories, which include the Open Rights Group, Big Brother Watch, Foxglove, Fair Vote UK and the Good Law Project, claim the ICO has significantly reduced its enforcement activities, particularly in the public sector, leading to a surge in data breaches.

The catalyst for the action was the ICO’s decision not to investigate the Ministry of Defence (MoD) after a serious breach exposed personal details of 19,000 Afghans fleeing the Taliban, but Open Rights Group’s legal and policy officer Mariano delli Santi, described this as “the final straw”.

“After years of failing to hold public sector organisations to account, the failure of the ICO to investigate the most serious data breach in UK history is the final straw,” he wrote in a blog.

“The ICO’s public sector approach must end before more people are harmed by data breaches at the hands of the government and public authorities.

“A data regulator that fails to deter bad practices is not worth having. We need a strong data regulator which is not afraid to take action against both the government and private sector.”

The ICO prioritises engagement over punitive action, but the open letter argues this softly-softly approach has failed to deter data breaches, with the ICO’s own figures showing an 11% increase in reported breaches and an 8% rise in complaints against public sector organisations.

“The picture that emerges is one where the ICO public sector approach lacks deterrence and fails to drive the adoption of good data management across government and public bodies,” the letter states.

The signatories also claim that action against private sector companies has also declined under the leadership of the current Information Commissioner John Edwards, with the watchdog’s latest report revealing “a sharp drop in formal investigations, criminal prosecution, and in the issuing of enforcement notices, monetary penalties, and reprimands,” despite an increase in the number of complaints by the public.

The letter calls for an investigation by the Science, Innovation and Technology Committee into the reduction of enforcement activity by the ICO and its apparent failure to prioritise data protection.

An ICO spokesperson said: “We have a range of regulatory powers and tools to choose from when responding to systemic issues in a given sector or industry. We respect the important role civil society plays in scrutinising our choices and will value the opportunity to discuss our approach during our next regular engagement.”

My experience with the Information Commissioner’s Office (ICO) has been deeply disappointing and confirms that, in practice, this regulator operates more in favour of large institutions than the individuals it is supposed to protect.

I submitted a formal complaint against University College London Hospitals NHS Foundation Trust (UCLH) regarding serious failures in handling my medical records, including incomplete disclosure, obstruction, and the improper sharing of sensitive medical information. Despite the gravity of these issues, the ICO chose to dismiss my complaint without any meaningful investigation.

The case was handled by Charleigh Adams, Case Officer at the ICO (Case Reference: IC-447298-X3X8). In the final response, the ICO simply accepted UCLH’s explanations at face value, concluding that their actions were “reasonable” and “proportionate,” despite clear evidence to the contrary.

The ICO argued that because my original Subject Access Request did not explicitly mention historical or archived records, UCLH was not expected to search off-site archives. This is a technical loophole used to justify non-disclosure, not a genuine application of the spirit or intent of UK GDPR. A regulator genuinely acting in the public interest would challenge such behaviour, not endorse it.

Even more concerning, the ICO refused to intervene regarding the unauthorised sharing of my private medical records by a senior clinician, effectively washing its hands of the issue by stating that I should pursue the original disclosing organisation instead. This is a convenient abdication of responsibility, not regulation.

The ICO states it has “made a record” of my complaint, but simultaneously confirms it will take no further action whatsoever. In other words: the institution is shielded, the individual is dismissed, and accountability is absent.

This experience demonstrates that the ICO is procedurally compliant but substantively ineffective. It appears far more concerned with closing cases quickly than enforcing data protection law or defending patients’ rights—particularly when NHS Trusts are involved.

For anyone considering relying on the ICO for protection or redress: be aware that when challenged with complex, serious, or institutional wrongdoing, the ICO may simply side with the organisation and leave you without remedy.

A regulator that consistently favours the perpetrators over the data subject is not fulfilling its mandate.

What a joke of an organisation. Having had a data protection issue with a company and complaining writing 4 times in total including follow up letters and recieving no response I raised a complaint with the ICO. The ICO advised me to write to the company again requesting a response and closed my complaint. Apparently I will have to raise a new complaint with ICO if the company does not respond to me for a fifth time. I fail to see a justification for the ICO other than wasting my time and public money.

Wow. They have now excelled themselves in uselessness. NHS hospital completely ignored all ICO letters on my DPA case. ICO say nothing further they can do! What a joke. Organisations and state bodies just ignore them completely as they know they're a total useless joke.

Dead rotten useless as they string you along for months and months and then give you the 2 fingers as they cover for corruption in the State Bodies. As i have experienced here in the Republic of Ireland. As we get abused by this Dictatorship State as corruption and lies are protected and ripe.

Really? After 6 months they are fine with companies tolerating CRM systems to exploit users, although it's a well known problem. Ok, the officer was not able to dial my number. What did I expect. Best passage:

Given the nature of your situation, we strongly recommend that you seek independent legal advice, as the context of your concerns - in our view - may relate to a criminal offence.

Advice: If you're considering a data protection complaint with ICO, manage your expectations. Systematic violations by large platforms appear to fall outside enforcement priorities.

Don’t read the information they have been given. No desire to enforce GDPR.

On first attempt I was greeted by a ‘happy paperclip response’ “Hi there - I see you are trying to submit a SAR - here’s how to do it - we are now closing your case’ - yeh, done SAR + full complaint already, as submitted to ICO.

Months of trying later still no full disclosure of the SAR in question. Staff there do not understand written English - endless confusion between the company I had submitted for and my employer who use them for OH services. No critical reading of company response - which admitted they didn’t look after data properly, and hadn’t asked a sub-contractor for the info required.

Endless delay tactics - emailing at 5pm is their favourite, also not delivering requested information on their procedures and then halting everything which they “investigate” complaints about them.

BTW - complaints go through to the same people that handle the initial request. I will be raising this with MP.

Their website even states that they don’t enforce GDPR for individuals- so what are they there for and who is paying their salaries?

Useless organisation. How is this organisation even allowed to exist? What exactly do they do? Baffled beyond belief.

Raised a complaint about two search engines. After over 3-4 months finally got a reply.
Very poorly written and didn’t deal with issues raised. The 2nd compliant was a copy of the first, the name of the search engine was not replaced from first complaint.

Very poor and not fit for purpose

Goodness another official money making scam. Absolutely disgusting just like ISO 9001 which is way too expensive. Fleecing businesses every which way they can. Threatening letter that if you don't register you could get 4000 fine is appaling tactics. Typical of Government heavy handed in fleecing citizens while they cannot justify what they do with all the money they collect.

Let’s be clear the ICO data protection fee is not regulation it’s a legally enforced scam. A mandatory £52+ “fee” slapped on millions of UK businesses with
zero benefit
no service, and
no measurable impact on data protection.

You get absolutely nothing in return. No audit, no support, no certification, no help line that gives real answers. Just a threat: “Pay us or we’ll fine you.” That’s not regulation — that’s COMPLIANCE BLACKMAIL!

They say the fee is required if you “process personal data” — and legally, they’re right. The problem isn’t the lack of definition — it’s that the definition is so absurdly broad, it now includes nearly every normal business interaction. Under UK GDPR Article 4, “processing” includes collecting, viewing, forwarding, or even deleting someone’s name — so if a customer messages you once and you read it, boom, you’ve "processed data" and owe the ICO £52 a year for life. It’s a deliberately overreaching definition, twisted into a regulatory cash grab. As a business owner, if I ask someone their name and email to help them — by their logic, I’m now a data controller who must fund their bureaucracy.

Even worse, how exactly is this money protecting anyone’s data? Where’s the evidence that your £52/year protects the public from anything? Where are the audits? The mandatory training? The enforcement of real cyber threats? The ICO is not proactively protecting anything, it’s sitting back and collecting revenue.

And let’s not forget: during a cost-of-living crisis, they raised the fee. Despite formal objections from businesses. Despite zero changes to their services. Just a cold, bureaucratic shrug and a reminder that they decide what’s fair. THEY DO NOT EVEN HAVE A PHONE LINE!!!

This isn’t oversight — this is empty compliance theatre. No proportionality. No fairness. No transparency.

Don't bother, I've had my data breached by Camden Council which put our life at risk. The ICO don't even know the GDPR laws or guidelines and will send you an automated message, then will close your case. They wont even look at your case, evidence etc.
Shut it down and save some money. Its easier to make a small claim in court.

A Cry that Faithless Wardens be Rended from Power

O mighty Keeper of the Truth’s proud flame,
Thou wear’st the badge, yet act’st to shame thy name.
I warned thee well of danger grave and deep,
Yet deaf thou stood’st, and let the wounded weep.

My protests foiled by thine own hand,
Your ease preferred to justice’ stand.
O irony! This mockery of lofty law!
In stead of sword that strikes, the toothless saw.

O shameful farce, where justice should preside,
A hollow throne where rot and evil hide.
The weakest suffer for thy slothful hand,
Can conscience dwell where such foul acts stand?

If angels weep at mortal law’s decay,
They weep for ICO, grown grey.

From the outset I warned the ICO that such a large, complex, and technical case required a holistic, thorough, and dedicated team approach. I also explained the importance: the longer autistic people were denied information about certain restricted NHS assessments, the longer they might lack correct diagnoses and support, increasing the risk of serious harm.

Despite catastrophic errors from the start, the ICO continued to refuse my requests for an approach that was fit-for-purpose, so all my appeals failed. This reinforced the feeling of victimisation I was already suffering from the NHS.

The Case Officer only assessed those review-requests I submitted to the NHS, ignoring those I had submitted to the ICO after the NHS refused further contact. So, their first decision omitted half my appeal items; the second omitted them all. After acknowledging these oversights, the ICO denied their significance by making excuses on the NHS’s behalf that contradicted their own guidance.

In my other five appeals, the ICO clearly did not consult my evidence as they referred to one of my documents as if it were a database query and they treated the private NHS subcontractor as if it were a public authority capable of answering FOI requests directly. The result was inevitable bias in favour of the NHS.

Although I informed the ICO of my mental disabilities from the start, they persistently failed to meet my requests for reasonable adjustments. Their process was so distressing I could not continue with my outstanding appeals or escalate the rest to tribunal.

When I attempted to complain, the responsible Group Manager repeatedly intercepted my emails and dismissed them without meaningful explanation.

Documents later released by the PHSO confirmed that the ICO’s failure to secure crucial evidence for me had enabled the PHSO to overlook these, undermining my complaint about my autism assessment and my complaint about the way the NHS treated me personally when responding to my requests for information. The poem tries to convey the betrayal I feel.

I am utterly disgusted with the recent increase in ICO fees. As the owner of a small business, I receive nothing in return for this charge, yet the cost has been raised by a huge margin with no consideration for the impact on small companies.

This is a fee imposed at a time when businesses are already under severe economic pressure. To raise it so steeply now is outrageous, unethical, and unfair. It feels like yet another example of government taking advantage of those who are simply trying to survive and grow.

I have read the ICO’s justification, and it changes nothing. Acknowledging the impact on small businesses is meaningless if nothing is done to ease that burden. This increase is indefensible, and I will never accept it as reasonable.

The ICO's own existence is pretty much close to pointless. Spied on for months on end, Police does not consider the use of a CCTV camera as harassment (despite the fact that I feel scared, distressed and threatened and covered under the Protection from Harassment Act 1997). the ICO can ONLY write to the offenders with guidelines. If the problem isn't resolved, the ICO recommendation is to take my neighbour to court, at my expenses of course. Another example of honest decent citizens abiding by the law caught between a rock and a hard place with no help!

TV Licensing 2.0.

Dreadful experience - almost threatening in its tone.

I received an automated email on February 19 2025 confirming my complaint had been lodged with an estimated lead time of 16 weeks before it would be looked at. I emailed again on 7 August having heard nothing. I received an automated email acknowledging receipt but still nothing. What has happened to this organisation? Is anyone working there? How and why are they allowed to be like this? Who is responsible? Because this organisation does not seem to operate in any way, it means that any individual or organisation can misuse your data unlawfully without any consequence whatsoever.

I've reported 2 separate issues to the ICO, one of which left me seriously ill as a result. I have yet to receive any correspondence from them. It has been over 6 months since my first report, and over 2 since my second and more serious report.
As far as I'm concerned the ICO exist in name only.

Dear Charity Commission,
I am writing to raise serious concerns regarding the conduct of Stanley Community Centre, which I understand is a registered charity. I believe their actions may constitute a breach of both data protection laws and human rights principles.
It has come to my attention that individuals affiliated with this centre—including service users and potentially staff—have been encouraged to take photographs of me without my consent. These images have reportedly been shared with others, including individuals outside the centre’s immediate community, with the intent to incite harm or harassment against me.
This behaviour is not only morally reprehensible but may also violate:
UK GDPR and Data Protection Act 2018 regarding the unlawful collection, processing, and dissemination of personal data (i.e., photographs).
Human Rights Act 1998 – particularly Article 8 (Right to respect for private and family life) and Article 3 (Prohibition of inhuman or degrading treatment).
Charity Governance Standards – which require charities to operate with integrity, accountability, and in the public interest.
I strongly urge the Commission to investigate this matter and consider whether Stanley Community Centre is acting in accordance with its charitable objectives and legal obligations. I am prepared to provide further evidence and documentation if required.
Please confirm receipt of this complaint and advise on the next steps.

Yours sincerely