Watchdogs or Window Dressing

The ICO: A Regulator in Name Only

Data protection · SAR enforcement · ICO accountability

The Information Commissioner’s Office presents itself as the UK’s independent guardian of information rights. This article examines one SAR complaint, case reference IC-304160-D5V8, and asks whether the regulator’s response shows a wider enforcement problem: advice where enforcement is needed, delay where urgency matters, and legal action pushed back onto individuals who have already been denied their data.

Category
Public accountability
Jurisdiction
United Kingdom
Reading time
c. 8 minutes
Last reviewed
1 June 2026
By-line
Legal Lens

Publication snapshot

  • The article concerns the ICO’s handling of case reference IC-304160-D5V8.
  • The underlying dispute involved a Subject Access Request made to Balliol Property Services in connection with Flashback Toys Ltd.
  • The source article says the ICO identified non-compliance but did not escalate to decisive enforcement action.
  • The article contrasts Burnetts LLP’s alleged handling of the Balliol SAR with its more detailed response to a separate SAR concerning the author’s Will.
  • The wider issue is whether the ICO’s enforcement model leaves individuals with rights on paper but little practical remedy.

A regulator tested by one SAR complaint

The Information Commissioner’s Office is intended to protect information rights and promote lawful data handling. In theory, it should be a route of practical redress when organisations fail to comply with data protection obligations. In this case, the source article argues that the ICO did not perform that role.

The complaint, identified as ICO case reference IC-304160-D5V8, arose from a Subject Access Request connected to a lease dispute involving Balliol Property Services and the author’s business, Flashback Toys Ltd.

The central criticism is straightforward: the author says the ICO recognised non-compliance, encouraged or secured further engagement, but ultimately closed the case without using stronger regulatory powers to compel a proper response.

Core issue: if a regulator identifies non-compliance but does not require a meaningful remedy, the individual’s right of access may become theoretical rather than practical.

The SAR dispute

According to the source material, the author submitted a Subject Access Request to Balliol Property Services in April 2024. The request was made to obtain data said to be important to a wider dispute about rent arrears and unreturned deposits.

The source article says Balliol Property Services did not respond within the required timeframe and redirected the request to its solicitors, Burnetts LLP, without the author’s consent. It also says the ICO later found that Balliol Property Services had breached data protection requirements and advised compliance.

The article then describes continued difficulty over identity verification. The author says Balliol Property Services and Burnetts LLP persisted with excessive ID demands despite previous correspondence and prior verification.

How the SAR dispute developed

  1. 1

    A SAR was submitted to Balliol Property Services in April 2024.

  2. 2

    The request was allegedly redirected to Burnetts LLP rather than handled directly by Balliol.

  3. 3

    The source article says the statutory response position was missed and the ICO identified non-compliance.

  4. 4

    The author says further ID demands and a limited disclosure response then left the SAR unresolved in substance.

The Burnetts contrast

The source article places particular weight on the contrast between two SAR responses involving Burnetts LLP. In the Balliol-related SAR, Burnetts is said to have described itself as a liaison and provided only a single screenshot as the entirety of the data held.

The author says that response was implausible given the extent of the wider relationship and the evidence that more information was held. When pressed for a final response, the source article says Balliol and Burnetts failed to reply.

By contrast, the author says a separate SAR to Burnetts concerning his Will was handled professionally by Burnetts’ Data Protection Officer, with a detailed response addressing identity documents, a credit card statement, the Will, retention periods, processing scope and justification.

Balliol-related SAR

The source article says the response was limited to a single screenshot and did not reflect the wider data the author believed was held.

Will-related SAR

The source article says Burnetts provided a detailed and structured data-protection response in a separate matter.

That contrast is important because it goes to capability. The author’s argument is not simply that Burnetts or Balliol misunderstood SAR compliance. It is that the difference between the two responses suggests proper compliance was possible.

The ICO response

The source article states that the author presented the contrast between the two SARs to the ICO and urged the regulator to use enforcement powers to compel compliance. The article refers to GDPR Article 58(2)-type corrective powers, including the ability to require compliance.

Instead, the ICO is said to have closed the case. The article quotes the ICO as stating: “The ICO does not act on your behalf and we do not take instructions from you. Your case is now closed.”

That sentence is legally understandable in one respect: the ICO is not a private representative for complainants. But the public-interest concern is different. If the ICO closes a case after identifying non-compliance, without requiring a meaningful remedy, individuals may be left to enforce their rights through litigation they cannot realistically afford.

Practical distinction: the ICO need not act as an individual’s solicitor. But it remains the public regulator responsible for effective protection of information rights.

The enforcement gap

The article’s wider criticism is that the ICO’s approach risks enabling non-compliance. If an organisation delays, creates procedural barriers, provides an inadequate response and then faces no meaningful consequence, the incentive to comply weakens.

The source article relies on ICO performance figures for 2024, stating that the ICO received 36,049 data protection complaints but issued only 12 reprimands, and received 7,448 Freedom of Information complaints but issued only 10 enforcement notices.

36,049

Data protection complaints cited in the source article.

12

Reprimands cited against those complaints.

7,448

FOI complaints cited in the source article.

10

FOI enforcement notices cited in the source article.

Those figures should be checked against the ICO’s official performance data before publication. If accurate, they raise a legitimate policy question: whether the ICO’s enforcement posture is too cautious to deter repeat or strategic non-compliance.

The cost of weak enforcement

The source article identifies three consequences. First, the author says he suffered stress, financial harm and obstruction in a dispute where the withheld data was important. Secondly, the article argues that weak enforcement reduces GDPR from enforceable law to guidance. Thirdly, it says public confidence is damaged when the regulator appears unwilling to act decisively.

These criticisms should be framed as the author’s experience and analysis. The stronger public-interest point is not that every ICO decision will satisfy every complainant. It is that a rights framework depends on credible enforcement where voluntary compliance fails.

Individual impact

The author says delayed and inadequate disclosure affected his ability to deal with a live dispute.

Systemic impact

The article argues that weak enforcement signals to organisations that delay and obstruction may carry little practical risk.

Leadership and regulatory culture

The source article criticises the ICO’s leadership under Information Commissioner John Edwards. It argues that the regulator has prioritised advice and proportionality over decisive enforcement.

That criticism should be handled with care. It is legitimate to criticise institutional strategy, enforcement culture and regulatory priorities. Personalised criticism should be avoided unless it is directly relevant, evidenced and fairly presented.

The source article also states that John Edwards appeared to view the author’s LinkedIn posts criticising the ICO. That point is not necessary to the central argument and should only be retained if evidenced and if it adds genuine public-interest value.

What must change

The reform argument is practical. If the ICO is to restore confidence, it must show that clear non-compliance can lead to meaningful regulatory consequences. Advice, guidance and informal resolution have a place, but they cannot be the default answer where obstruction persists.

For the ICO

  1. Use corrective powers in clear cases of unresolved non-compliance.
  2. Explain why enforcement is or is not used after a breach is identified.
  3. Stop directing individuals towards private litigation as the practical substitute for regulation.
  4. Publish clearer data on complaint outcomes and enforcement escalation.
  5. Rebuild confidence through transparent, decisive and proportionate action.

For SAR complainants

  1. Keep the original SAR, proof of delivery and deadline calculation.
  2. Record every ID-verification request and explain why it is excessive if challenged.
  3. Preserve evidence showing that further data is likely to be held.
  4. Ask the controller for a final response before escalating.
  5. Keep ICO correspondence organised by date, issue and requested outcome.

The publication test

This article is strongest if it keeps the evidence categories separate. The author’s SAR chronology should be supported by correspondence. The ICO’s findings and closure wording should be quoted accurately. The performance figures should be checked against official ICO data. The criticism of Balliol Property Services and Burnetts LLP should be confined to what the documents show.

The public-interest point does not require overstatement. If the documents show that non-compliance was identified but not meaningfully remedied, the core accountability issue is already clear.

Practical conclusion

Data protection rights are only as strong as the system that enforces them. A person who is denied access to their own data should not have to fund litigation simply to make a basic right effective.

The ICO’s role is not to act as a private solicitor for every complainant. But it must be more than a complaints-processing body that identifies non-compliance and then leaves the individual to carry the burden.

If the ICO cannot act decisively in clear cases, the public is entitled to ask whether the UK’s information-rights framework is functioning as a real system of protection or merely as a promise without practical enforcement.

Closing point: the test of a regulator is not how confidently it describes its mission, but whether it protects rights when an organisation refuses to comply voluntarily.

Legal Lens supports litigants in person in civil, employment and tribunal proceedings in England & Wales. Contact Legal Lens.

This article is public-interest commentary based on the author’s account, correspondence and material available at the time of preparation. It is not legal advice, and reading it creates no professional relationship. Data protection rights, ICO complaints and enforcement powers are fact-sensitive; check the underlying documents and take advice on individual circumstances before acting.

3 thoughts on “The ICO: A Regulator in Name Only

  1. We have had a similar experience with ICO over the past few months and regulator in name only is absolutely right. This is our opinion from what we know. There is no protection for the public. In our case one instance was a legal firm that lied, they were dishonest, they had no idea we had evidence to disprove. I provided that evidence, the law firm then admitted what they had done. They had little choice but to admit it, we had a witness and documents. The ICO simply accepted their excuses. They offered us no evidence from the law firm just closed the case. I’ve gone from the original caseworker, who had no clue, to an ICO internal review (which was done without evidence OR a name) – to a senior caseworker on a service complaint. There is no changing a decision unless you offer new evidence and we did. It made no difference. Now we’ve asked for a SAR and the next stage, another case review. It won’t do any good we know that. These “case officers” are literally clueless, they don’t investigate, they back the rogue firms. There is no transparency just senseless waffle. They push you on to the Legal Ombudsman who ALSO won’t investigate! Our case is far more in depth than mentioned here but the system is broken and as for the SRA. That’s not fit for purpose either. We were amazed to see how many people had been affected like us. Trustpilot one star reviews are literally shocking on all three regulatory bodies.

  2. Anyone who has had experience of dealing with the ICO will find it hard tp quarrel with any of this. The problem is that it’s now clear from a number of recent cases before the First Tier Tribunal, GRC that we’re seeing similar failings by the ICO in relation to its FOI responsibilities. It really is beginning to feel like a fish that’s rotting from the head down.

Leave a Reply

Your email address will not be published. Required fields are marked *

Skip to toolbar