
The Information Commissioner's Office (ICO)

The Information Commissioner's Office (ICO) advises on and enforces the Privacy and Electronic Communications Regulations 2003 and the Data Protection Act 1998. The focus, however, is definitely on guidance, and the ICO sees its role as one of promoting good data handling practices and educating organisations regarding data protection matters rather than prosecuting them. Personally I think this approach may have been okay five years ago but it's about time that they started kicking some ass. To be fair though, the Information Commissioner has asked for increased powers so it's down to the MPs I guess to make some changes to the laws.

What to expect when you submit a complaint to the ICO

The first thing you want to do is lower your expectations because no matter how serious you might think the contravention is, the ICO will judge each case solely on whether the company has contravened data protection law. They might sympathise with your plight but at the end of the day it won't influence their decision, which will be impassive and based on the facts as you gave them. You should be aware though that the ICO will be extremely reluctant to prosecute a company for sending you direct marketing, even if it is proved that they contravened your data protection rights. In the 30+ cases that I have submitted they have only threatened to prosecute a company once.

When I submit my complaint I always write it out in Microsoft Word first and then copy and paste it into their online form. I tend to list the facts in date order and refer to any correspondence between me and the company using reference numbers. I have to admit that I usually add my opinions too even though I know I'm wasting my time by doing so. When you submit the form you will receive an automated e-mail to confirm that the form has been submitted and received. You will also receive an e-mail at a later date to inform you when a member of the ICO's staff has started to work on your case.

In my experience it usually takes about two to three months to get the results of a complaint. They will always quote the relevant law and if they feel that the company has committed a contravention they will usually say something like, 'it is unlikely* that [the company] has complied with the Data Protection Act 1998/Privacy and Electronic Communications Regulations 2003 in this case'. Ultimately, if they feel that the company has contravened your data protection rights they will tell you that they will write to the company to remind them of their obligations. And that's it really. They may also inform you that, 'The Commissioner has no powers to punish an organisation for a breach of the Regulations. His aim is rather to achieve compliance with them'. This isn't necessarily true though as the Commissioner can now refer a case to the ICO's Regulatory Action Division (RAD). The RAD have the powers of criminal prosecution, non-criminal enforcement and audit against non-compliant organisations.

The really frustrating thing for me is that I can go to the effort of submitting a complaint, the ICO go to the effort of investigating it, and at the end of the day, the company only needs to comply with the law affecting me; they can carry on breaking the law for everyone else. The ICO told me that they do record the number of complaints that they receive against a particular company but I don't think they've ever acted on it.

*You may notice that the ICO use the words 'likely' and 'unlikely' a lot in their assessments. This isn't because they're unsure of what they're saying; it's because they can only interpret the law; they cannot change the law. So instead of saying "the company has contravened the DPA", they say "the company has likely contravened the DPA". The company has the right to contest the ICO's assessment.