Information Commissioner's Office Arvostelua 504

i had a company ignore a SAR request. They took half a year to "investigate" and then said they tried to contact them and where ignored and would take no further action. They also got details of what i told them wrong. Completely missing out details i had sent them.
Obviously this being an unacceptable outcome, i raised a complaint about how the case was handled by the ICO. I recieved an almost identical email to the first, addressing not a single one of my complaints and simply restated they will take no action.

So seems simple enough, if you run a company do whatever you want with peoples personal informtation, the ICO will not take any enforcement action , even when given clear evidence of a breach

This country is full of failing organisations but the ICO must surely be one of the worst that I have come across.

As other reviewers have said, the ICO is beyond useless. It took them 7 months to respond to a complaint that I submitted to them about a breach of UK GDPR. The organisation in question was abusing one of the exemptions from the disclosure requirements, but the caseworker simply accepted, without question, what the organisation's data protection officer had told me. When I asked for a review of the decision, I got the same outcome!

Organisations up and down the land must be dancing around with glee - in the knowledge that the ICO won't enforce data protection law!

Some years ago, I referred what I considered a serious complaint to the ICO concerning unlawful processing of personal medical data by an online prescription service. They had repeatedly changed my NHS prescription nomination without my permission and, on more than one occasion, set up accounts in my name using fabricated login details. I provided evidence that other patients had experienced similar intrusions. I was especially concerned because medical data is, for obvious reasons, supposed to benefit from enhanced protection under data protection law.

After a very protracted process in which both the pharmacy and the NHS were formally found to be non-compliant with data protection law, I was informed that no further action would be taken. When I asked for this decision to be reviewed, I received a somewhat curt response which suggested a measure of irritation and misstated the legal standard of proof that should be applied in ICO investigations. I was told to contact the Local Government Ombudsman if I remained dissatisfied.

Following the most recent data breach by the same pharmacy, again involving a fabricated account and fictitious login details, I approached the ICO again. I was informed that details of the previous investigations were not retained and I should approach the culprit myself. This was despite me never having had any dealings with the company nor having given them permission to process my data at any time.

In short, the ICO is, in my experience, not fit for purpose and does not provide the protections it should as a regulator. The formal reports were not even published on their website which suggests a grave lack of transparency and there is a marked reluctance to exercise the wide powers given to them by parliament.

A regulator that does not enforce the law is no regulator at all.

These people are beyond useless. It takes them months and months to pick up a complaint and then they don't do a single thing. There's no point in their existence. No wonder companies do whatever they like, they know nothing will happen because the ICO are beyond incompetent

Contacted the ICO for help due to an organisation's refusal to respond to my subject access request following a serious cyber theft incident. The ICO replied saying they were aware of this wide ranging cyber incident but they would not be responding to my specific concerns. In other words, letting this organisation off the hook and so I'll never know who stole my personal data and those of thousand of other consumers or what third parties this organisation shared my personal data with. I wonder which side the ICO is on?

Instead of helping other people and pervent data breaches. They choose to PUNISH the most used image site over data instead. As a result made Imgur block the UK

Most gaming sites and forums and are now filled and censored with the ANNOYING ''Content not viewable in your region''. As a result, I don't want to use game forums anymore and it's affecting my hobby and mental health because of this censorship!

Shame on this company for punishing such site.

Rights groups accuse ICO of ‘collapse in enforcement activity’
Softly-softly approach ‘fails to drive the adoption of good data management across government and public bodies’

24 November 2025

A group of 73 civil rights organisations, campaigners, lawyers and academics has written to Chi Onwurah - chair of Parliament’s Science, Innovation and Technology Committee - demanding an enquiry into the Information Commissioner’s Office (ICO), the UK’s data protection watchdog, for what they say is a failure to properly investigate and punish data breaches.

In an open letter, the signatories, which include the Open Rights Group, Big Brother Watch, Foxglove, Fair Vote UK and the Good Law Project, claim the ICO has significantly reduced its enforcement activities, particularly in the public sector, leading to a surge in data breaches.

The catalyst for the action was the ICO’s decision not to investigate the Ministry of Defence (MoD) after a serious breach exposed personal details of 19,000 Afghans fleeing the Taliban, but Open Rights Group’s legal and policy officer Mariano delli Santi, described this as “the final straw”.

“After years of failing to hold public sector organisations to account, the failure of the ICO to investigate the most serious data breach in UK history is the final straw,” he wrote in a blog.

“The ICO’s public sector approach must end before more people are harmed by data breaches at the hands of the government and public authorities.

“A data regulator that fails to deter bad practices is not worth having. We need a strong data regulator which is not afraid to take action against both the government and private sector.”

The ICO prioritises engagement over punitive action, but the open letter argues this softly-softly approach has failed to deter data breaches, with the ICO’s own figures showing an 11% increase in reported breaches and an 8% rise in complaints against public sector organisations.

“The picture that emerges is one where the ICO public sector approach lacks deterrence and fails to drive the adoption of good data management across government and public bodies,” the letter states.

The signatories also claim that action against private sector companies has also declined under the leadership of the current Information Commissioner John Edwards, with the watchdog’s latest report revealing “a sharp drop in formal investigations, criminal prosecution, and in the issuing of enforcement notices, monetary penalties, and reprimands,” despite an increase in the number of complaints by the public.

The letter calls for an investigation by the Science, Innovation and Technology Committee into the reduction of enforcement activity by the ICO and its apparent failure to prioritise data protection.

An ICO spokesperson said: “We have a range of regulatory powers and tools to choose from when responding to systemic issues in a given sector or industry. We respect the important role civil society plays in scrutinising our choices and will value the opportunity to discuss our approach during our next regular engagement.”

My experience with the Information Commissioner’s Office (ICO) has been deeply disappointing and confirms that, in practice, this regulator operates more in favour of large institutions than the individuals it is supposed to protect.

I submitted a formal complaint against University College London Hospitals NHS Foundation Trust (UCLH) regarding serious failures in handling my medical records, including incomplete disclosure, obstruction, and the improper sharing of sensitive medical information. Despite the gravity of these issues, the ICO chose to dismiss my complaint without any meaningful investigation.

The case was handled by Charleigh Adams, Case Officer at the ICO (Case Reference: IC-447298-X3X8). In the final response, the ICO simply accepted UCLH’s explanations at face value, concluding that their actions were “reasonable” and “proportionate,” despite clear evidence to the contrary.

The ICO argued that because my original Subject Access Request did not explicitly mention historical or archived records, UCLH was not expected to search off-site archives. This is a technical loophole used to justify non-disclosure, not a genuine application of the spirit or intent of UK GDPR. A regulator genuinely acting in the public interest would challenge such behaviour, not endorse it.

Even more concerning, the ICO refused to intervene regarding the unauthorised sharing of my private medical records by a senior clinician, effectively washing its hands of the issue by stating that I should pursue the original disclosing organisation instead. This is a convenient abdication of responsibility, not regulation.

The ICO states it has “made a record” of my complaint, but simultaneously confirms it will take no further action whatsoever. In other words: the institution is shielded, the individual is dismissed, and accountability is absent.

This experience demonstrates that the ICO is procedurally compliant but substantively ineffective. It appears far more concerned with closing cases quickly than enforcing data protection law or defending patients’ rights—particularly when NHS Trusts are involved.

For anyone considering relying on the ICO for protection or redress: be aware that when challenged with complex, serious, or institutional wrongdoing, the ICO may simply side with the organisation and leave you without remedy.

A regulator that consistently favours the perpetrators over the data subject is not fulfilling its mandate.

What a joke of an organisation. Having had a data protection issue with a company and complaining writing 4 times in total including follow up letters and recieving no response I raised a complaint with the ICO. The ICO advised me to write to the company again requesting a response and closed my complaint. Apparently I will have to raise a new complaint with ICO if the company does not respond to me for a fifth time. I fail to see a justification for the ICO other than wasting my time and public money.

Wow. They have now excelled themselves in uselessness. NHS hospital completely ignored all ICO letters on my DPA case. ICO say nothing further they can do! What a joke. Organisations and state bodies just ignore them completely as they know they're a total useless joke.

Dead rotten useless as they string you along for months and months and then give you the 2 fingers as they cover for corruption in the State Bodies. As i have experienced here in the Republic of Ireland. As we get abused by this Dictatorship State as corruption and lies are protected and ripe.

Really? After 6 months they are fine with companies tolerating CRM systems to exploit users, although it's a well known problem. Ok, the officer was not able to dial my number. What did I expect. Best passage:

Given the nature of your situation, we strongly recommend that you seek independent legal advice, as the context of your concerns - in our view - may relate to a criminal offence.

Advice: If you're considering a data protection complaint with ICO, manage your expectations. Systematic violations by large platforms appear to fall outside enforcement priorities.

Don’t read the information they have been given. No desire to enforce GDPR.

On first attempt I was greeted by a ‘happy paperclip response’ “Hi there - I see you are trying to submit a SAR - here’s how to do it - we are now closing your case’ - yeh, done SAR + full complaint already, as submitted to ICO.

Months of trying later still no full disclosure of the SAR in question. Staff there do not understand written English - endless confusion between the company I had submitted for and my employer who use them for OH services. No critical reading of company response - which admitted they didn’t look after data properly, and hadn’t asked a sub-contractor for the info required.

Endless delay tactics - emailing at 5pm is their favourite, also not delivering requested information on their procedures and then halting everything which they “investigate” complaints about them.

BTW - complaints go through to the same people that handle the initial request. I will be raising this with MP.

Their website even states that they don’t enforce GDPR for individuals- so what are they there for and who is paying their salaries?

Useless organisation. How is this organisation even allowed to exist? What exactly do they do? Baffled beyond belief.

Raised a complaint about two search engines. After over 3-4 months finally got a reply.
Very poorly written and didn’t deal with issues raised. The 2nd compliant was a copy of the first, the name of the search engine was not replaced from first complaint.

Very poor and not fit for purpose

Goodness another official money making scam. Absolutely disgusting just like ISO 9001 which is way too expensive. Fleecing businesses every which way they can. Threatening letter that if you don't register you could get 4000 fine is appaling tactics. Typical of Government heavy handed in fleecing citizens while they cannot justify what they do with all the money they collect.

Let’s be clear the ICO data protection fee is not regulation it’s a legally enforced scam. A mandatory £52+ “fee” slapped on millions of UK businesses with
zero benefit
no service, and
no measurable impact on data protection.

You get absolutely nothing in return. No audit, no support, no certification, no help line that gives real answers. Just a threat: “Pay us or we’ll fine you.” That’s not regulation — that’s COMPLIANCE BLACKMAIL!

They say the fee is required if you “process personal data” — and legally, they’re right. The problem isn’t the lack of definition — it’s that the definition is so absurdly broad, it now includes nearly every normal business interaction. Under UK GDPR Article 4, “processing” includes collecting, viewing, forwarding, or even deleting someone’s name — so if a customer messages you once and you read it, boom, you’ve "processed data" and owe the ICO £52 a year for life. It’s a deliberately overreaching definition, twisted into a regulatory cash grab. As a business owner, if I ask someone their name and email to help them — by their logic, I’m now a data controller who must fund their bureaucracy.

Even worse, how exactly is this money protecting anyone’s data? Where’s the evidence that your £52/year protects the public from anything? Where are the audits? The mandatory training? The enforcement of real cyber threats? The ICO is not proactively protecting anything, it’s sitting back and collecting revenue.

And let’s not forget: during a cost-of-living crisis, they raised the fee. Despite formal objections from businesses. Despite zero changes to their services. Just a cold, bureaucratic shrug and a reminder that they decide what’s fair. THEY DO NOT EVEN HAVE A PHONE LINE!!!

This isn’t oversight — this is empty compliance theatre. No proportionality. No fairness. No transparency.

Don't bother, I've had my data breached by Camden Council which put our life at risk. The ICO don't even know the GDPR laws or guidelines and will send you an automated message, then will close your case. They wont even look at your case, evidence etc.
Shut it down and save some money. Its easier to make a small claim in court.

A Cry that Faithless Wardens be Rended from Power

O mighty Keeper of the Truth’s proud flame,
Thou wear’st the badge, yet act’st to shame thy name.
I warned thee well of danger grave and deep,
Yet deaf thou stood’st, and let the wounded weep.

My protests foiled by thine own hand,
Your ease preferred to justice’ stand.
O irony! This mockery of lofty law!
In stead of sword that strikes, the toothless saw.

O shameful farce, where justice should preside,
A hollow throne where rot and evil hide.
The weakest suffer for thy slothful hand,
Can conscience dwell where such foul acts stand?

If angels weep at mortal law’s decay,
They weep for ICO, grown grey.

From the outset I warned the ICO that such a large, complex, and technical case required a holistic, thorough, and dedicated team approach. I also explained the importance: the longer autistic people were denied information about certain restricted NHS assessments, the longer they might lack correct diagnoses and support, increasing the risk of serious harm.

Despite catastrophic errors from the start, the ICO continued to refuse my requests for an approach that was fit-for-purpose, so all my appeals failed. This reinforced the feeling of victimisation I was already suffering from the NHS.

The Case Officer only assessed those review-requests I submitted to the NHS, ignoring those I had submitted to the ICO after the NHS refused further contact. So, their first decision omitted half my appeal items; the second omitted them all. After acknowledging these oversights, the ICO denied their significance by making excuses on the NHS’s behalf that contradicted their own guidance.

In my other five appeals, the ICO clearly did not consult my evidence as they referred to one of my documents as if it were a database query and they treated the private NHS subcontractor as if it were a public authority capable of answering FOI requests directly. The result was inevitable bias in favour of the NHS.

Although I informed the ICO of my mental disabilities from the start, they persistently failed to meet my requests for reasonable adjustments. Their process was so distressing I could not continue with my outstanding appeals or escalate the rest to tribunal.

When I attempted to complain, the responsible Group Manager repeatedly intercepted my emails and dismissed them without meaningful explanation.

Documents later released by the PHSO confirmed that the ICO’s failure to secure crucial evidence for me had enabled the PHSO to overlook these, undermining my complaint about my autism assessment and my complaint about the way the NHS treated me personally when responding to my requests for information. The poem tries to convey the betrayal I feel.

I am utterly disgusted with the recent increase in ICO fees. As the owner of a small business, I receive nothing in return for this charge, yet the cost has been raised by a huge margin with no consideration for the impact on small companies.

This is a fee imposed at a time when businesses are already under severe economic pressure. To raise it so steeply now is outrageous, unethical, and unfair. It feels like yet another example of government taking advantage of those who are simply trying to survive and grow.

I have read the ICO’s justification, and it changes nothing. Acknowledging the impact on small businesses is meaningless if nothing is done to ease that burden. This increase is indefensible, and I will never accept it as reasonable.