Privacy Sold, Trust Stolen

The ICO’s Failings: Enabling Data Misuse and Abuse in Scotland

ICO · Data protection · Public accountability

A reported case involving “Police Scotland Angels” raises a serious regulatory question: what happens when an organisation holding an ICO certificate is accused of using personal data, legal threats and questionable identity details in ways that place vulnerable people at risk? The concern is not only the alleged conduct of the organisation. It is whether the ICO’s registration and complaint-handling processes are robust enough to stop a certificate becoming a badge of legitimacy for harm.

Category
Regulatory accountability
Jurisdiction
Scotland / United Kingdom
Reading time
c. 8 minutes
Last reviewed
1 June 2026
By-line
Legal Lens

Publication snapshot

  • This article concerns allegations about Police Scotland Angels and the ICO certificate/reference ZB291153.
  • The reported concerns include false registration details, blocked communication, unsafe data handling and alleged use of personal information in intimidation or legal pressure.
  • The ICO is criticised for allegedly renewing or maintaining registration despite serious complaint material.
  • Speculation about covert or national-security links is treated as unproven and should not be presented as fact.
  • The reform route is stronger applicant verification, faster high-risk complaint triage and victim-protection safeguards where data misuse is alleged.
Reader note: this article is public-interest commentary based on reported allegations and complaint material concerning Police Scotland Angels and the ICO. References to harassment, exploitation, extortion, false identity, unsafe data practices, malicious claims, law-enforcement links or regulatory failure are allegations and analysis. They should not be read as findings of fact, criminality, misconduct or liability unless established by a court, regulator, ombudsman, inquiry, audit body or other competent authority.

Why this case matters

The Information Commissioner’s Office is meant to protect information rights and regulate the handling of personal data. Its registration system should not be treated as a mere administrative formality where serious safeguarding concerns are raised.

The case described here concerns an organisation known as Police Scotland Angels, or PSA, which is said to operate under ICO certificate/reference ZB291153. Complainants allege that PSA has used personal data, legal threats and unclear organisational details in ways that have caused distress, fear and reputational harm.

The allegations are serious and contested unless independently proven. But the regulatory issue is immediate: if an ICO registration contains questionable details, and the organisation is accused of unsafe or abusive data practices, the regulator should be able to verify, investigate and act quickly.

Core issue: an ICO registration should never become a shield for an organisation accused of misusing personal data against vulnerable people.

Concerns about Police Scotland Angels

PSA presents itself, according to the reported account, as a support group. The concern raised by complainants is that the organisation lacks visible legal structure, appears to operate without a reliable registered address, and may be fronted by a person using a disputed or false identity.

Those concerns matter because personal data handling depends on accountability. A data subject should be able to identify who controls their data, where the controller can be contacted, what lawful basis is relied upon, and how complaints can be escalated.

The reported material includes an allegation that letters sent to the address appearing on the ICO certificate were returned undelivered, while attempts to contact the organisation through its registered email were blocked. If correct, that raises a basic regulatory question: how can individuals exercise data rights against a controller that cannot reliably be reached?

Support group

An organisation may offer informal or peer support, but it still needs clear governance where it handles sensitive information.

Data controller

An entity deciding how and why personal data is processed must be identifiable, contactable and accountable.

Alleged misuse of personal data

The allegations go beyond administrative irregularity. Victims are said to have described harassment, intimidation, reputational attacks and the weaponisation of personal information.

One reported example involves threatening correspondence on PSA letterheaded paper, using the address said to appear on the ICO certificate. The correspondence allegedly demanded money, used pseudo-legal language and made baseless allegations.

Another reported example concerns an alleged online campaign in which personal information was used to discredit and intimidate an individual. Other concerns include the alleged passing of sensitive personal data to law-enforcement agencies without consent, use of data obtained under questionable circumstances to support legal claims, and harassment of former volunteers who challenged the organisation’s practices.

How data misuse can escalate

  1. 1

    A person shares sensitive information with an organisation they believe to be supportive or legitimate.

  2. 2

    The organisation allegedly stores or uses that information without adequate safeguards or clear accountability.

  3. 3

    The information is allegedly used in threats, legal pressure, online reputational attacks or third-party reports.

  4. 4

    The affected person is left fearful of retaliation and uncertain how to enforce their rights.

These allegations require documentary support before being published in stronger terms. But they are serious enough to justify regulatory scrutiny if complaint material has been supplied to the ICO.

The ICO’s handling of the complaint

The complaint described in the draft raises three connected concerns about the ICO’s approach.

The first is certificate integrity. The certificate is alleged to list a fictitious address and a pseudonym or disputed identity as the data controller. If a regulator records controller details that cannot be verified, the registration system risks giving the public a false sense of legitimacy.

The second is unsafe data practice. Sensitive information, including police and court records, is alleged to have been stored at an unknown or unsecured location. If accurate, that should have triggered urgent questions about security, controller identity, access control and data-subject rights.

The third is complaint handling. Complainants say the ICO initially recognised the seriousness of the matter, but progress then stalled. They allege that case officers repeatedly asked complainants to allow PSA to respond, even though they had provided evidence that communication was obstructed.

Practical point: where a complainant says a controller cannot be contacted and may be using false details, asking the complainant to keep trying to engage can become circular and unsafe.

The human impact

The reported impact on affected individuals is severe. Former volunteers and complainants say they have faced threats, distress, reputational damage, legal pressure and fear of further retaliation.

One former volunteer is said to have faced a baseless legal claim involving an “invisible claimant” who did not appear in court. Another individual reportedly received threatening pre-action correspondence demanding significant sums of money and implying public humiliation if the demand was resisted.

The broader concern is that people who challenge unsafe data practices may become further targets. That is precisely why regulatory complaint systems need protective triage. A person reporting data misuse should not be pushed into direct engagement where they say the organisation is already harassing or intimidating them.

Ordinary data complaint

A dispute about access, delay, correction, erasure or compliance where normal controller engagement may be suitable.

Safeguarding complaint

A complaint involving alleged harassment, intimidation, vulnerable individuals or misuse of data to cause harm.

Speculation about wider links must be handled carefully

Some observers have speculated that the ICO’s failure to act may be connected to PSA’s possible role in monitoring activists or protest networks. The draft refers to activism, including protest activity linked to COVID-19 policies, and to public material identifying certain forms of single-issue extremism as a national-security concern.

That speculation is highly sensitive. It should not be presented as fact unless supported by reliable documentary evidence. A failure by the ICO to act may have several explanations, including bureaucracy, poor triage, inadequate verification systems, misunderstanding of risk, resource constraints or procedural caution.

The public-interest issue can be stated without overreach: if an organisation accused of misusing personal data appears to have links with law enforcement or claims access to law-enforcement channels, the regulator should be especially careful to verify identity, purpose, lawful basis and safeguarding controls.

Publication discipline: the evidence may justify urgent questions about data protection and safeguarding. It does not, without more, justify treating covert-operation theories as established fact.

What this exposes about the ICO

The PSA case, as reported, exposes a basic weakness in the registration model: if controller details are accepted without meaningful verification, a questionable organisation can obtain a certificate that appears official.

Registration should not be mistaken for endorsement. But the public may not see that distinction. A certificate can be used to project legitimacy, especially where vulnerable individuals are dealing with people who claim authority, insider access or law-enforcement connection.

The second weakness is complaint triage. A complaint involving alleged false identity, unreachable addresses, sensitive police and court records, intimidation, legal threats and vulnerable victims should not be handled like a routine administrative query.

The third weakness is regulatory consequence. If the ICO renews or maintains a certificate despite unresolved high-risk concerns, it risks enabling further harm by allowing the organisation to continue presenting itself as properly registered.

How weak registration can enable harm

  1. 1

    An organisation applies for, or maintains, ICO registration with questionable details.

  2. 2

    Data subjects see the certificate and assume legitimacy or regulatory oversight.

  3. 3

    Complaints are made about misuse, harassment or unsafe practices.

  4. 4

    If the regulator does not act decisively, the certificate continues to lend practical credibility.

What reform should require

The answer is not to treat every ICO registration dispute as evidence of wrongdoing. Many small organisations make administrative mistakes. Some complaints are incomplete or contested. A proportionate regulator must distinguish technical issues from serious risk.

But where complaint material alleges false controller identity, unreachable contact details, unsafe storage of sensitive records, harassment and misuse of personal information, proportionate regulation should mean escalation, not passivity.

Registration reforms

  1. Verify controller identity and contact details where high-risk processing is claimed or alleged.
  2. Require evidence of a real service address or accountable organisational structure.
  3. Flag registrations involving vulnerable groups, policing material or sensitive legal records for enhanced checks.
  4. Suspend or qualify public registration where credible evidence shows contact details are false or unusable.

Complaint-handling reforms

  1. Use urgent triage where complaints involve harassment, intimidation or vulnerable people.
  2. Do not require unsafe direct engagement where complainants allege retaliation or blocked communication.
  3. Publish clear criteria for when registration concerns trigger investigation or suspension.
  4. Provide complainants with reasons where the ICO declines to act despite serious evidence.

Practical conclusion

The case of Police Scotland Angels raises a wider question about regulatory trust. If an organisation accused of false details, unreachable contact routes, unsafe data practices and intimidation can retain an ICO certificate without visible consequence, vulnerable people may conclude that the regulator cannot protect them.

The ICO does not need to accept every allegation as true before acting. But it does need systems capable of recognising risk, verifying basic facts and preventing its registration process from being used as a badge of legitimacy.

The immediate need is clear: verify the certificate details, examine the complaint evidence, assess safeguarding risk, and explain publicly how the ICO handles registrations where the controller may be unreachable, unidentified or unsafe.

Closing point: data protection fails when vulnerable people report misuse and the regulator’s certificate remains more useful to the alleged abuser than to the people seeking protection.

Legal Lens supports litigants in person and public-interest accountability work in England & Wales. Contact Legal Lens.

This article is public-interest commentary and general legal-policy analysis. It is not legal advice, and reading it creates no professional relationship. ICO registration, data-controller identity, harassment, extortion allegations, police or court records, defamation, safeguarding, national-security speculation, data protection and regulatory complaints are fact-sensitive and should be assessed against the evidence, official records and independent legal advice where required.

Leave a Reply

Your email address will not be published. Required fields are marked *

Skip to toolbar