Information Commissioner's Office Opiniões 510

I complained to the ICO over not being able to access my data held by UPS. After waiting over 3 months their response was "go to court". On their website this is precisely what they deal with apparently.

May I actually ask what this organisation does? From what I can see its another pointless waste of money government department that sit around and do sod all every day. When you begin a company this lot are straight on to you for money, I could not in good conscience give these clowns a penny.

The experience with this company has been a terrific waste of time and it is now no wonder why companies disregard GDPR regulations knowing there is no-one around to enforce it. Don’t waste your time with these fools.

Waited over 6 months for them to give a template reply and say they will put my complaint on file. Didn't come back asking for evidence or the other business braking the law. They did say I could seek legal advice and take them to court, but if that is the case, why doesn't the ICO pursue the corrupt business.

Reported Toyota financial services for persistent unethical use of my data.
Waited 4 months for them to advise me they weren’t going to pursue anyone, and weren’t going to look into my complaint any deeper! ‘We will note your concerns but don’t deal with individual complaints’ Surely I’m not the only one being affected by this?
Another Quango type organisation just like ABTA, OFGEM, OFCOM etc.
Set up to present the illusion that you have some sort protection, and a of place to report wrongdoings when things are not handled by useless businesses that don’t care about their customers. In fact they are a toothless waste of time.
Very unhappy but unfortunately another example of the downward spiral of our country!

The ico is a USELESS simple as that. They are not fit for purpose and a COMPLETE WASTE OF TIME. If you have a data issue bypass them and go straight to court. The ICO is pointless

I called up in regards to E.on trying to mine my data (moving in a few days and octopus couldn't change supplier because E.on wouldn't let them)

I then call E.on to be sent to an outsourced call centre with quite arrogant staff demanding my personal data (i'm not the previous tennant, nor required to give them such data) to let Octopus change supplier to them, they escalate, it gets heated and they cut the call off having not assisted

I call the ICO to make a complaint, and they want me to send all emails..........

how can I do this? the point is that i don't want anything to do with such a disgusting company to begin with and i don't want to give them my data (which you would expect to be in the ICO's remit)

I then after having to demand a supervisor or manager (because child in the ICO wouldn't get one (as he wasn't listening to anything i had said (then threatened to cut the call off for telling him (in these exact words to "get off your seat and get one then"))

I tried to explain again to the supervisor who again wasn't listen and went full NPC, i then after having enough, point out that (again exact words) "you are a disgrace as an organisation to the country", then because fee fees hurty wurty (even though this is a fact) they decided they didn't like it and cut the phone off, therefore doing literally nothing to assist YET AGAIN

also, they've said it will take at least 29 weeks before the complaint is even assigned,

HOW IS THE ICO NOT BEING INVESTIGATED AT THIS POINT FOR THEIR TERRIBLE SERVICE!!!!!!

Hewlett Packard broke GDPR rules keeping my details on file longer than necessary. I left 12 years prior to them being hacked and ALL of my personal data stolen. They took months to inform me and offered no compensation.

I asked ICO to investigate over 6 months later they confirmed HP had made mistakes but have no power to comply them to compensate nor were they going to get fined.

What is therefore the point of the ICO?
How many collective hours are wasted by employees following mandatory training when if you lose someone's data there are no repercussions?

Honestly a waste of time, tax payers money and needs to be scrapped and replaced with something fit for purpose. Has teeth, that companies who break the rules fear and can compel companies to compensate. If I could you'd get zero stars.

The fact you have 1.2 is a miracle

i had a company ignore a SAR request. They took half a year to "investigate" and then said they tried to contact them and where ignored and would take no further action. They also got details of what i told them wrong. Completely missing out details i had sent them.
Obviously this being an unacceptable outcome, i raised a complaint about how the case was handled by the ICO. I recieved an almost identical email to the first, addressing not a single one of my complaints and simply restated they will take no action.

So seems simple enough, if you run a company do whatever you want with peoples personal informtation, the ICO will not take any enforcement action , even when given clear evidence of a breach

This country is full of failing organisations but the ICO must surely be one of the worst that I have come across.

As other reviewers have said, the ICO is beyond useless. It took them 7 months to respond to a complaint that I submitted to them about a breach of UK GDPR. The organisation in question was abusing one of the exemptions from the disclosure requirements, but the caseworker simply accepted, without question, what the organisation's data protection officer had told me. When I asked for a review of the decision, I got the same outcome!

Organisations up and down the land must be dancing around with glee - in the knowledge that the ICO won't enforce data protection law!

Some years ago, I referred what I considered a serious complaint to the ICO concerning unlawful processing of personal medical data by an online prescription service. They had repeatedly changed my NHS prescription nomination without my permission and, on more than one occasion, set up accounts in my name using fabricated login details. I provided evidence that other patients had experienced similar intrusions. I was especially concerned because medical data is, for obvious reasons, supposed to benefit from enhanced protection under data protection law.

After a very protracted process in which both the pharmacy and the NHS were formally found to be non-compliant with data protection law, I was informed that no further action would be taken. When I asked for this decision to be reviewed, I received a somewhat curt response which suggested a measure of irritation and misstated the legal standard of proof that should be applied in ICO investigations. I was told to contact the Local Government Ombudsman if I remained dissatisfied.

Following the most recent data breach by the same pharmacy, again involving a fabricated account and fictitious login details, I approached the ICO again. I was informed that details of the previous investigations were not retained and I should approach the culprit myself. This was despite me never having had any dealings with the company nor having given them permission to process my data at any time.

In short, the ICO is, in my experience, not fit for purpose and does not provide the protections it should as a regulator. The formal reports were not even published on their website which suggests a grave lack of transparency and there is a marked reluctance to exercise the wide powers given to them by parliament.

A regulator that does not enforce the law is no regulator at all.

These people are beyond useless. It takes them months and months to pick up a complaint and then they don't do a single thing. There's no point in their existence. No wonder companies do whatever they like, they know nothing will happen because the ICO are beyond incompetent

Contacted the ICO for help due to an organisation's refusal to respond to my subject access request following a serious cyber theft incident. The ICO replied saying they were aware of this wide ranging cyber incident but they would not be responding to my specific concerns. In other words, letting this organisation off the hook and so I'll never know who stole my personal data and those of thousand of other consumers or what third parties this organisation shared my personal data with. I wonder which side the ICO is on?

Instead of helping other people and pervent data breaches. They choose to PUNISH the most used image site over data instead. As a result made Imgur block the UK

Most gaming sites and forums and are now filled and censored with the ANNOYING ''Content not viewable in your region''. As a result, I don't want to use game forums anymore and it's affecting my hobby and mental health because of this censorship!

Shame on this company for punishing such site.

Rights groups accuse ICO of ‘collapse in enforcement activity’
Softly-softly approach ‘fails to drive the adoption of good data management across government and public bodies’

24 November 2025

A group of 73 civil rights organisations, campaigners, lawyers and academics has written to Chi Onwurah - chair of Parliament’s Science, Innovation and Technology Committee - demanding an enquiry into the Information Commissioner’s Office (ICO), the UK’s data protection watchdog, for what they say is a failure to properly investigate and punish data breaches.

In an open letter, the signatories, which include the Open Rights Group, Big Brother Watch, Foxglove, Fair Vote UK and the Good Law Project, claim the ICO has significantly reduced its enforcement activities, particularly in the public sector, leading to a surge in data breaches.

The catalyst for the action was the ICO’s decision not to investigate the Ministry of Defence (MoD) after a serious breach exposed personal details of 19,000 Afghans fleeing the Taliban, but Open Rights Group’s legal and policy officer Mariano delli Santi, described this as “the final straw”.

“After years of failing to hold public sector organisations to account, the failure of the ICO to investigate the most serious data breach in UK history is the final straw,” he wrote in a blog.

“The ICO’s public sector approach must end before more people are harmed by data breaches at the hands of the government and public authorities.

“A data regulator that fails to deter bad practices is not worth having. We need a strong data regulator which is not afraid to take action against both the government and private sector.”

The ICO prioritises engagement over punitive action, but the open letter argues this softly-softly approach has failed to deter data breaches, with the ICO’s own figures showing an 11% increase in reported breaches and an 8% rise in complaints against public sector organisations.

“The picture that emerges is one where the ICO public sector approach lacks deterrence and fails to drive the adoption of good data management across government and public bodies,” the letter states.

The signatories also claim that action against private sector companies has also declined under the leadership of the current Information Commissioner John Edwards, with the watchdog’s latest report revealing “a sharp drop in formal investigations, criminal prosecution, and in the issuing of enforcement notices, monetary penalties, and reprimands,” despite an increase in the number of complaints by the public.

The letter calls for an investigation by the Science, Innovation and Technology Committee into the reduction of enforcement activity by the ICO and its apparent failure to prioritise data protection.

An ICO spokesperson said: “We have a range of regulatory powers and tools to choose from when responding to systemic issues in a given sector or industry. We respect the important role civil society plays in scrutinising our choices and will value the opportunity to discuss our approach during our next regular engagement.”

My experience with the Information Commissioner’s Office (ICO) has been deeply disappointing and confirms that, in practice, this regulator operates more in favour of large institutions than the individuals it is supposed to protect.

I submitted a formal complaint against University College London Hospitals NHS Foundation Trust (UCLH) regarding serious failures in handling my medical records, including incomplete disclosure, obstruction, and the improper sharing of sensitive medical information. Despite the gravity of these issues, the ICO chose to dismiss my complaint without any meaningful investigation.

The case was handled by Charleigh Adams, Case Officer at the ICO (Case Reference: IC-447298-X3X8). In the final response, the ICO simply accepted UCLH’s explanations at face value, concluding that their actions were “reasonable” and “proportionate,” despite clear evidence to the contrary.

The ICO argued that because my original Subject Access Request did not explicitly mention historical or archived records, UCLH was not expected to search off-site archives. This is a technical loophole used to justify non-disclosure, not a genuine application of the spirit or intent of UK GDPR. A regulator genuinely acting in the public interest would challenge such behaviour, not endorse it.

Even more concerning, the ICO refused to intervene regarding the unauthorised sharing of my private medical records by a senior clinician, effectively washing its hands of the issue by stating that I should pursue the original disclosing organisation instead. This is a convenient abdication of responsibility, not regulation.

The ICO states it has “made a record” of my complaint, but simultaneously confirms it will take no further action whatsoever. In other words: the institution is shielded, the individual is dismissed, and accountability is absent.

This experience demonstrates that the ICO is procedurally compliant but substantively ineffective. It appears far more concerned with closing cases quickly than enforcing data protection law or defending patients’ rights—particularly when NHS Trusts are involved.

For anyone considering relying on the ICO for protection or redress: be aware that when challenged with complex, serious, or institutional wrongdoing, the ICO may simply side with the organisation and leave you without remedy.

A regulator that consistently favours the perpetrators over the data subject is not fulfilling its mandate.

What a joke of an organisation. Having had a data protection issue with a company and complaining writing 4 times in total including follow up letters and recieving no response I raised a complaint with the ICO. The ICO advised me to write to the company again requesting a response and closed my complaint. Apparently I will have to raise a new complaint with ICO if the company does not respond to me for a fifth time. I fail to see a justification for the ICO other than wasting my time and public money.

Wow. They have now excelled themselves in uselessness. NHS hospital completely ignored all ICO letters on my DPA case. ICO say nothing further they can do! What a joke. Organisations and state bodies just ignore them completely as they know they're a total useless joke.

Dead rotten useless as they string you along for months and months and then give you the 2 fingers as they cover for corruption in the State Bodies. As i have experienced here in the Republic of Ireland. As we get abused by this Dictatorship State as corruption and lies are protected and ripe.

Really? After 6 months they are fine with companies tolerating CRM systems to exploit users, although it's a well known problem. Ok, the officer was not able to dial my number. What did I expect. Best passage:

Given the nature of your situation, we strongly recommend that you seek independent legal advice, as the context of your concerns - in our view - may relate to a criminal offence.

Advice: If you're considering a data protection complaint with ICO, manage your expectations. Systematic violations by large platforms appear to fall outside enforcement priorities.

Don’t read the information they have been given. No desire to enforce GDPR.

On first attempt I was greeted by a ‘happy paperclip response’ “Hi there - I see you are trying to submit a SAR - here’s how to do it - we are now closing your case’ - yeh, done SAR + full complaint already, as submitted to ICO.

Months of trying later still no full disclosure of the SAR in question. Staff there do not understand written English - endless confusion between the company I had submitted for and my employer who use them for OH services. No critical reading of company response - which admitted they didn’t look after data properly, and hadn’t asked a sub-contractor for the info required.

Endless delay tactics - emailing at 5pm is their favourite, also not delivering requested information on their procedures and then halting everything which they “investigate” complaints about them.

BTW - complaints go through to the same people that handle the initial request. I will be raising this with MP.

Their website even states that they don’t enforce GDPR for individuals- so what are they there for and who is paying their salaries?

Useless organisation. How is this organisation even allowed to exist? What exactly do they do? Baffled beyond belief.