Aug 06, 2025:
The Information Commissioners Office (ICO) is the UKs data privacy watchdog, and has it’s origins in the Data Protection Act 1984.
This is the body that ensures Subject Access Requests (SARs), Freedom Of Information requests (FOIs) and Environmental Information Requests (EIRs) are complied by organisations such as councils, and water companies. The ICO has the power to reprimand, enforce and fine organisations who fail in their duty to ensure data is maintained, in keeping with legislation.
However, in recent years, the ICO has been struggling in its role as regulator, and this in turn has had an adverse impact on the publics’ civil liberties.
Why the ICO Is Failing
According to the ICO:
”Complaints are being assigned to case officers within 24 weeks of submission.”
This is a massive leap from the 90 days the ICO previously advised complainants.
In a further statement from the ICO - 1 April 2025:
”Anyone who has felt the need to make a complaint to us deserves a timely response. Our current response times are not where we want them to be, and we know how frustrating this is for people who are asking for our help.”
🗣️ TrustPilot Reviewers Spell It Out 😡
The frustration can be clearly seen in these TrustPilot reviews, where the ICO currently has a rating of just 1.2. The Review Summary states: ”Most reviewers were let down by their experience overall.”
Sample quotes from reviewers:
”…not fit for purpose quango”
“Serves no purpose”
“An utter waste of taxpayers' money.”
“If the government is serious about getting better value for taxpayer money. This pointless and utterly useless office must be the first to go."“
“Unfair treatment biased against customers - companies can do whatever they want.”
“…easy for any private or public organisation to circumnavigate the freedom of information act and the ICO are unable or unwilling to do anything.”
“in my experience the ICO is not fit for purpose…”
“1 star as minus don’t exist.”
“This is not just an oversight but a failure to uphold the basic human rights to which I am entitled.”
“How my case was handled suggests a lack of competence and raises serious questions about the integrity of the organization.”
Several reviewers claim the ICO is nothing more than a “quango”
What Is a Quango?
“Quango” stands for:
Quasi-Autonomous Non-Governmental Organisation
It's not a legal term, but a common nickname for certain public bodies that:
Are funded by the government,
Operate at arm’s length from direct ministerial control,
Have statutory powers to regulate, enforce, or advise.
✅ So: Is the ICO a Quango?
✔️ In practical terms: Yes
— It is a quasi-autonomous body with government funding and regulatory powers.
However: ⚠️ Technically, it’s more accurate to call it a statutory regulator and NDPB.
But in everyday language, Trustpilot reviewers calling it a “quango” aren’t wrong — they’re expressing frustration at its “independent but unaccountable” structure.
📌 The ICO’s Official Classification
The UK government classifies the ICO as a:
“Non-departmental public body (NDPB) sponsored by the Department for Science, Innovation and Technology (DSIT).”
(Previously DCMS — Department for Digital, Culture, Media & Sport)
So while the ICO is independent in function, it is:
Funded in part through fees from data controllers,
Overseen in structure and accountability by a government department,
Subject to Parliamentary reporting via the Information Commissioner.
🚨 Civil liberties at risk — and companies are cashing in!
What’s happening isn’t just poor administration—it’s a full erosion of the right to access information, a fundamental democratic safeguard.
The ICO delays mean environmental and planning information, personal data, or safety-related documents that should be delivered within weeks are instead stuck in the queue for six to twelve months, or longer.
Publicly traded companies, utilities, and local authorities are learning to use this failure as a tool: by withholding information or ignoring statutory duties, they effectively neutralise public oversight—as long as complaints remain unresolved.
Crucially, this isn’t hypothetical: Open Rights Group’s 2024 report shows that the ICO’s failure to enforce decisively—especially against public sector bodies—is already placing the public interest at risk openrightsgroup.org, privacylaws.com, and groups like Statewatch warn that proposed changes to UK law could further weaken data rights, putting EU adequacy status at risk and reducing redress options for individuals statewatch.org.
In effect, regulated entities get a delay buffer to complete work, alter evidence, or avoid transparency—all while the ICO (often called a quango) issues generic replies and lets justice drift. This vacuum isn’t just frustration—it’s a civil liberties crisis.
🛠️ What You Can Do If the ICO Lets You Down
While the ICO is legally the UK’s data and information regulator, it’s clear it’s no longer functioning properly for individuals. But you do still have options:
✅ 1. Persist — and Document Everything
Even if you're stuck in a months-long queue, keep a detailed paper trail:
Save all your emails, complaints, follow-ups, and responses (even if templated).
Use this later to prove systemic delay or mishandling if needed.
Consider publishing your experience (as I have) — the pressure matters.
✅ 2. Contact Your MP
MPs can write to the ICO on your behalf, and ICO teams are often more responsive to Parliamentary queries.
Ask your MP to raise concerns about the ICO’s delay crisis and how it’s affecting your rights.
If they’re on a relevant committee (like the Public Administration & Constitutional Affairs Committee), even better.
✅ 3. Go Public: Use Media, FOI, and Open Letters
If you're being ignored, consider:
Writing to local or national journalists (especially tech or civil rights reporters),
Submitting your story to sites like OpenDemocracy, Byline Times, or Liberty,
Starting a petition or open letter to pressure government and regulators.
✅ 4. Involve Watchdog Groups
Several independent organisations can help advise or amplify your case:
Open Rights Group – digital rights & data justice
Big Brother Watch – surveillance & privacy campaigning
Liberty – civil liberties and accountability
Good Law Project – legal reform and strategic litigation
Even if they don’t take on individual cases, they may reference yours as part of broader campaigns.
✅ 5. Escalate to the Courts (as a Last Resort)
If the issue is urgent and you’ve exhausted internal routes, it is possible to:
Launch a judicial review for unreasonable delay (especially for FOIA/EIR refusals),
File a complaint with the Parliamentary & Health Service Ombudsman (in rare cases),
Seek legal advice — particularly if your data rights breach has caused harm.
📌 Legal Basis for a Distress Claim
Under Section 168 of the Data Protection Act 2018, you can claim:
“Compensation for material or non-material damage... including for distress.”
This is backed by UK case law — particularly the 2015 Gulati v MGN case, which established that non-material damages (like anxiety, frustration, reputational harm) can be awarded even where there's no financial loss. The Vidal-Hall v Google Inc [2015] EWCA Civ 311 case, was one of the first major UK cases to establish that you can claim compensation for distress caused by a data breach, even without financial loss.
Key Legal Cases:
Vidal‑Hall v Google (2015) → first UK case to allow distress claims without financial loss
Gulati v MGN (2015) → confirmed compensation for extreme privacy violations
Lloyd v Google LLC (2021) → upheld individual rights to claim distress but rejected mass class actions
⚖️ When You Might Have a Valid Claim
You could bring a small claims case if:
A company ignored or refused your SAR without lawful basis.
They delayed well beyond the statutory one-month deadline without valid extension.
They gave you incomplete or misleading data.
The breach caused you significant distress, frustration, or reputational impact.
📌 Note: You don’t need to show that you suffered financial loss
— emotional distress alone is valid.
💷 Typical Compensation Amounts
Awards typically range from £250–£2,500 depending on severity, though higher amounts can occur in exceptional cases.
The amount depends on:
- Duration of breach or delay,
- Sensitivity of data,
- Emotional or psychological effect,
- Whether it was deliberate or negligent.
📌 For more information and advice , consult a solicitor,
or Citizens Advice Bureau.
💬 Most Importantly: Don’t Be Silenced
The more people document and speak out about these systemic failures, the harder it becomes for government and regulators to hide behind “resource constraints.” Public rights only survive when we fight for them.