The ICO's Silent Watchdog: A Sinister Reality Behind Data Privacy Enforcement

A Continuation of My Struggle with the ICO’s Reactive Stance on Subject Access Requests

Data protection, SARs and ICO accountability

A subject access request should give an individual a clear route to their personal data. When the organisation responding to the request is already in dispute with the requester, the issue is no longer just delay. It becomes a question of trust, process integrity and whether the ICO’s complaint handling is capable of addressing perceived conflicts before the SAR process loses credibility.

Category
Data protection
Jurisdiction
United Kingdom
Reading time
c. 7 minutes
Last reviewed
1 June 2026
By-line
Legal Lens

Publication snapshot

  • Core issue: whether a SAR can be handled fairly where the organisation’s chosen handler is also connected to an ongoing dispute with the requester.
  • Case context: this update concerns a complaint to the ICO about Balliol Property Services and its handling of a SAR, including the involvement of Burnetts Solicitors.
  • Practical focus: review request, SAR deadline, ID verification, ICO complaint limits, regulatory action and possible court route.
  • Risk point: a perceived conflict does not automatically prove unlawful handling, but it may justify a clearer audit trail, transparent safeguards and a focused review request.
Reader note: this article is public-interest commentary and practical legal education based on the author’s account of a live or recent data-protection dispute. References to SAR handling, perceived conflict, regulatory weakness or institutional failure are criticism and analysis. They should not be read as findings of unlawful conduct, bad faith, professional misconduct or regulatory failure by BPS, Burnetts Solicitors, the ICO or any individual unless established by a competent court, tribunal, regulator, ombudsman or official decision.

Why this matters

On 14 August 2024, I reached a further stage in my dispute with the Information Commissioner’s Office over the handling of my Subject Access Request to Balliol Property Services. The concern is straightforward: the SAR process should give an individual access to their personal data, but the process becomes strained when the response is handled through a party that is also involved in wider legal conflict with the requester.

In my case, the ICO had already accepted that there had been a failure by BPS to respond to the SAR. That should have been a moment for clear correction. Instead, the next stage created a deeper concern: BPS’s response route involved Burnetts Solicitors, a firm acting for BPS in disputes involving me.

The issue is not simply whether a solicitor or representative can ever assist a controller with a SAR. Organisations often use staff, external advisers, processors or lawyers to help manage data-protection requests. The real issue is whether the controller can still demonstrate fair, transparent and accountable handling where the person reviewing or controlling the process has an apparent litigation interest in the requester’s data.

The accountability test: a SAR response should be capable of audit. The requester should be able to see the deadline, the status of ID verification, who is handling the request, what searches are being carried out, and why any delay or restriction is justified.

What is established

The right of access is a core data-protection right. It allows an individual to ask whether an organisation is processing their personal data and to receive access to that data, subject to limits and exemptions. The ICO’s own guidance treats the right of access as a detailed compliance obligation for organisations, not a discretionary courtesy.

The ordinary SAR timeframe is also important. Organisations must respond without undue delay and at the latest within one month, subject to the rules on identity verification, authorised third parties, limited fee situations, clarification and extensions for complexity or multiple requests.

That framework means the key questions in this case are practical and evidential. When did the clock start? Was ID verification genuinely required? Was the request for identification reasonable and proportionate? Did the controller or its representative respond to the identification issue? Was any delay justified? And did the ICO review those matters with enough attention to the apparent conflict created by the wider dispute?

Established framework

A controller must deal with a SAR within the applicable statutory timescale and must be able to justify delay, clarification, ID verification or refusal.

Author’s account

The ICO had accepted a failure to respond, but later did not treat the involvement of Burnetts Solicitors as sufficient reason for stronger intervention.

Process issue

The central question is whether BPS and the ICO addressed the apparent conflict with a sufficiently transparent and accountable process.

The conflict question

The central concern is perceived conflict. If BPS instructed Burnetts Solicitors to handle the SAR while Burnetts also represented BPS in disputes involving me, the process required careful safeguards. The question is not whether the involvement of a solicitor automatically invalidated the SAR process. It is whether BPS and the ICO properly addressed the risk that the SAR might be handled through a litigation lens rather than a data-protection compliance lens.

A SAR is not supposed to become a tactical extension of a legal dispute. A controller remains responsible for complying with data-protection law even if a representative assists with correspondence. If a solicitor is involved, the controller should still be able to show what searches were undertaken, what data was considered, what exemptions were relied on, and why the requester was treated fairly.

Unsafe framing

“The ICO allowed BPS and Burnetts to manipulate the SAR process.”

Safer and stronger framing

“The involvement of a dispute-connected representative created a perceived conflict that required a clearer audit trail, sharper ICO scrutiny and transparent safeguards.”

That distinction matters. It keeps the criticism focused on process integrity rather than unsupported findings of motive.

The ICO review request

On my account, I contacted the ICO again on 14 August 2024 and asked for the case to be reviewed. The request raised three practical points: the current deadline for BPS to comply with the SAR; what the ICO would do if BPS missed that deadline; and whether the ICO had properly noted my response to the ID-verification issue raised through Burnetts.

Those are the right questions. They move the complaint away from general dissatisfaction and towards reviewable process points. A strong ICO review request should identify what was missed, what evidence supports the concern, why the issue matters, and what action is being requested.

1

Confirm the SAR clock

Identify the original SAR date, any ID request, any clarification request, any response date and whether the time limit was lawfully paused or extended.

2

Challenge the ID issue precisely

Ask whether the ID request was reasonable and proportionate, whether it was answered, and whether the controller or representative failed to respond.

3

Separate conflict from proof

Frame the issue as perceived conflict and need for safeguards, not as a finding that the solicitor or controller acted unlawfully.

4

Ask for a specific review outcome

Request confirmation of the deadline, further ICO enquiry if BPS has not complied, and an explanation of why the representative’s involvement was or was not treated as material.

The ICO’s response that a review would be conducted within a month is useful, but it does not resolve the underlying concern. A review is only meaningful if it addresses the evidence, not merely repeats the earlier conclusion.

If the SAR remains unresolved, there are several possible routes. They should not be blurred together.

The first route is continued ICO review and complaint handling. That may be useful where the issue is missed evidence, delay, lack of explanation, or failure to press the controller to resolve the complaint.

The second route is direct legal action against the controller. The ICO cannot award compensation. Where an organisation has broken data-protection law and caused material loss or distress, a compensation claim may be considered against the organisation responsible for the breach. If the issue is access to data rather than compensation alone, the court route may need to be framed carefully around the specific remedy sought.

The third route is public-law scrutiny of the ICO. Judicial review is a specialist and high-risk route. It is not a general appeal from a disappointing ICO outcome. It requires a public-law error, prompt action, careful pre-action correspondence and assessment of alternative remedies.

Review

ICO review

Use where the ICO may have missed evidence, misunderstood the SAR chronology, or failed to address the perceived conflict properly.

Controller

Direct claim

Use where the organisation’s alleged breach has caused loss, distress, or ongoing failure to provide access to personal data.

Public law

Judicial review

Use only where there is an arguable public-law error by the ICO and urgent specialist advice has been taken.

A Letter Before Action or claim form should not be treated as a campaigning device. It must identify the legal basis, the breach, the remedy sought, the evidence relied upon and the correct defendant.

Source anchors

These source anchors help separate the legal framework from the author’s case-specific account and public-interest criticism.

Closing point

Data protection rights are weakened when individuals are left to chase basic compliance through delay, unclear deadlines, unexplained representative involvement and limited regulatory intervention. The right of access depends on more than a formal entitlement. It depends on a process that the requester can trust.

In this case, the central issue is whether the ICO’s review will grapple with the real concern: not simply whether BPS eventually responds, but whether the SAR has been handled fairly, transparently and with proper accountability in circumstances where the chosen response route creates a perceived conflict.

The message is clear. A SAR should not become a side-channel of litigation strategy. Where that risk arises, the controller and the regulator should be able to show exactly how fairness was protected.

Decision support before review, claim or escalation

Legal Lens helps complainants turn SAR disputes into structured, evidence-led next steps. The aim is practical: map the SAR chronology, identify the missed evidence, separate perceived conflict from proven breach, and decide whether ICO review, direct action, compensation or solicitor advice is the right route.

SAR chronology ICO review Conflict risk Claim route

What we assess

SAR request, ICO complaint, review grounds, deadline calculation, ID verification, correspondence gaps, and possible court route.

Use it before

Requesting ICO review, sending a letter before action, filing a claim, or raising a perceived conflict involving a named firm or organisation.

What you get

A concise written view on the strongest next route, missing evidence, legal risk and whether solicitor review is needed before action.

Independent Legal Lens consultancy. This is not a regulated solicitors’ firm. A preliminary assessment is not a substitute for regulated legal advice where that is needed.

This article is general legal information and public-interest commentary. It is not legal advice or a finding of wrongdoing. SAR disputes, ICO complaints, compensation claims, judicial review and disputes involving solicitors require evidence-specific assessment and, where appropriate, regulated legal advice.

Leave a Reply

Your email address will not be published. Required fields are marked *

Skip to toolbar