Silence Breeds Criminals
Case Studies
Regulatory Cases

The ICO: Enabling Crime Through Inaction

Written by John Barwell
Information rights · ICO enforcement · Public accountability

The Information Commissioner’s Office presents itself as the UK’s authority for information rights. But where advice, guidance and proportionality are not matched by credible enforcement, data rights risk becoming paper rights: useful in theory, but too weak in practice for the people who need them most.

Category
Public-interest commentary
Jurisdiction
United Kingdom
Reading time
c. 6 minutes
Last reviewed
1 June 2026
By-line
Legal Lens

Publication snapshot

  • The article argues that information rights need credible enforcement, not only guidance and advisory correspondence.
  • Subject access is framed as a practical accountability tool, especially where records affect safety, legal rights or access to justice.
  • The critique focuses on regulatory culture: whether the ICO’s interventions change behaviour where organisations delay, obstruct or mishandle data rights.
  • The article avoids treating contested allegations as findings of fact and calls for clearer enforcement thresholds, stronger escalation and transparent outcomes.
  • The central question is whether the UK’s information-rights regulator is willing and able to act firmly when guidance has failed.
Reader note: this article is public-interest commentary about regulatory performance, data rights and accountability. References to regulatory failure, institutional avoidance and harm are made as criticism and analysis. They should not be read as findings of criminal conduct, bad faith or personal misconduct unless established by a court, tribunal, regulator, ombudsman, inquiry, audit finding or other competent public authority.

A regulator facing a public-confidence problem

The Information Commissioner’s Office presents itself as the UK’s authority for information rights. That public role matters because subject access, data accuracy, transparency and enforcement are not technical luxuries. They are often the practical route by which people understand what has happened to them, challenge institutional records and obtain evidence needed for accountability.

This article argues that the ICO’s public-facing emphasis on advice, guidance and proportionality has not been matched by sufficient confidence in enforcement. That is a regulatory problem. Where organisations learn that refusal, delay or incomplete disclosure is unlikely to attract meaningful consequence, information rights become harder to enforce in practice.

Core issue: a data right that cannot be enforced in a meaningful timeframe is not experienced by the public as a real right.

Subject access is not a paperwork exercise

Data protection is often described in administrative language: requests, responses, exemptions, complaints, guidance and casework. That language can make the subject sound dry. It is not dry for the person waiting for records about a workplace dispute, safeguarding incident, police contact, medical decision, housing matter, financial loss or alleged misconduct.

A subject access request can be the difference between knowing and guessing. It can reveal what was said, what was recorded, who saw it, how decisions were made and whether an organisation’s public explanation matches its internal records.

When access is refused or delayed without proper justification, the individual is not merely inconvenienced. They may lose the opportunity to challenge an unlawful decision, correct false information or obtain evidence before a limitation deadline expires.

Administrative view

A SAR is treated as another customer-service task, with delay handled as correspondence management.

Accountability view

A SAR is treated as a legal right that may affect evidence, safety, remedies and access to justice.

The danger of an enforcement gap

The concern is sharper where the requested data relates to serious harm. In cases involving vulnerable people, alleged criminal conduct, whistleblowing, abuse, surveillance or institutional failure, non-disclosure can alter the balance of power entirely. A regulator that treats such failures as ordinary customer-service problems risks missing the point of the right.

The ICO has guidance, complaints and enforcement functions. Advice has a legitimate place in that structure. Organisations need clear expectations, and not every breach requires a penalty. But guidance cannot become the destination when enforcement is required.

A regulator that only advises repeat or serious non-compliance risks normalising the conduct it is supposed to correct. The central issue is deterrence. If an organisation believes that the practical outcome of a complaint will be a letter, a recommendation or no meaningful consequence, the incentive to comply weakens.

How weak enforcement can undermine rights

  1. 1

    An organisation delays, narrows or refuses disclosure.

  2. 2

    The individual complains but receives limited practical remedy.

  3. 3

    The organisation sees little regulatory consequence for poor compliance.

  4. 4

    The right exists formally but becomes harder to use in practice.

The Edwards-era question

John Edwards’ period as Information Commissioner has become a focal point for criticism of the ICO’s regulatory posture. The argument is not that advice and proportionality are inherently wrong. The argument is that they become dangerous when they displace visible accountability.

Proportionality should mean selecting the right regulatory response for the seriousness, pattern and impact of the breach. It should not mean lowering the temperature until enforcement becomes exceptional even where the consequences for individuals are severe.

A watchdog does not need to punish every error to be effective. It does, however, need to create a credible expectation that serious or repeated failures will be met with formal action. Where that expectation is absent, organisations can absorb complaint handling as a cost of delay.

Regulatory test: the question is not whether the ICO can publish guidance. It can. The question is whether people whose rights have been ignored can rely on it to intervene effectively when guidance has failed.

The human impact of weak data enforcement

The impact of weak enforcement is not abstract. People may be left without evidence. Whistleblowers may be unable to show how their disclosures were handled. Victims and complainants may be blocked from understanding institutional records. Employees may struggle to prove discrimination, detriment or unfair treatment.

Families may be left trying to piece together decisions made by public bodies, care providers, schools, employers or police forces. In each case, access to data is not merely about privacy. It is about power. The organisation already has the record. The individual is trying to obtain it.

That imbalance is why the regulator matters. If the regulator does not act decisively where rights are ignored, the individual is pushed towards litigation, complaint escalation, publicity or abandonment. Many people lack the money, health, confidence or time to keep fighting.

What a stronger regulatory model would require

The ICO should be judged by whether its interventions change behaviour. Counting guidance, correspondence or case closures is not enough. The harder question is whether organisations that delay, obstruct or mishandle subject access requests face consequences that make future compliance more likely.

Stronger enforcement culture

  1. Clearer escalation thresholds for serious or repeated non-compliance.
  2. Greater transparency about why formal action is or is not taken.
  3. Priority for cases affecting safety, legal rights, whistleblowing or access to justice.
  4. Sharper distinction between genuine error and strategic avoidance.

Public accountability

  1. More visible outcomes where organisations repeatedly mishandle rights.
  2. Clearer explanations for complainants about what standard was applied.
  3. Better reporting on patterns of non-compliance.
  4. Regulatory action that makes future compliance more likely.

In serious cases, the regulator should be prepared to use formal powers. In repeated cases, it should identify patterns. In high-impact cases, it should treat the individual consequence as central, not incidental.

If the current institutional model cannot deliver that shift, then structural reform becomes unavoidable. That does not require reckless abolition or performative outrage. It requires a serious public question: whether the UK’s information-rights regulator is designed, resourced and led in a way that makes rights enforceable for ordinary people.

Practical conclusion

Information rights are only meaningful when they can be enforced. A regulator that lacks urgency, transparency or appetite for formal action risks leaving individuals with rights they cannot practically use.

The ICO’s challenge is therefore simple to state and difficult to meet: prove that it is not merely an adviser to organisations, but a regulator capable of protecting the public when organisations withhold, misuse or mishandle personal data.

Until that happens, public confidence will continue to weaken. The question is not whether the ICO should be helpful to organisations. It should. The question is whether it is prepared to be firm when help is no longer enough.

Closing point: advice may help organisations understand the law, but enforcement is what makes information rights real when organisations choose not to comply.

Legal Lens supports litigants in person in civil, employment and tribunal proceedings in England & Wales. Contact Legal Lens.

This article is public-interest commentary and general legal-policy analysis. It is not legal advice, and reading it creates no professional relationship. Data protection rights, subject access disputes, regulatory complaints and potential remedies are fact-sensitive and may change as law, guidance and policy develop.

Leave a Reply

Your email address will not be published. Required fields are marked *

Skip to toolbar