RSS Information Commissioner's Office (ICO) | Enforcement

The website ico.org.uk belongs to the Information Commissioner's Office (ICO) in the United Kingdom. The ICO is the UK's independent authority set up to uphold information rights and ensure that individuals' personal data is handled properly. On their site, you can find information about data protection laws, privacy rights, and guidance for both individuals and organizations on how to comply with regulations like the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The ICO also provides resources for reporting data breaches and making complaints related to data protection issues.

United Lincolnshire Teaching Hospitals NHS Trust

A reprimand was issued to United Lincolnshire Teaching Hospitals NHS Trust because, between 01 March 2021 and 31 March 2022, it failed to respond to 32% of Subject Access Requests within the statutory timeframe of one calendar month, thereby infringing Articles 12(3), 15(1) and 15(3) of the UK GDPR.

Breathe Services Ltd

Breathe Services Ltd (BSL), a debt advice company based in Bolton, first came to the attention of the ICO as part of a wider investigation into complaints received about unsolicited phone calls to potentially vulnerable individuals. In a failed attempt to hide their real identity, BSL was found to have spoofed its outbound phone number by presenting over 1,000 different telephone numbers on calls. In March 2023 the ICO carried out a search at BSL’s office in Bolton, seizing evidence including documents and electronic devices. Our extensive investigation revealed that between March - July 2022 and October - December 2022, BSL bombarded people with 4,376,037 unsolicited direct marketing calls to numbers that had been registered to the Telephone Preference Service (TPS). This resulted in 58 complaints to the TPS and a further 193 complaints to the ICO.

City of London Police

City of London Police (CoLP) has been served with an Enforcement Notice as a result of evidence seen by the Commissioner about its performance in relation to its statutory duties under the Freedom of Information Act. At the date of the notice, CoLP had a significant backlog of requests. The Enforcement Notice requires CoLP to provide responses to all requests that are currently more than 20 working days old by 20 May 2025 and to devise and publish an action plan within 30 working days of this Notice.

Quick Tax Claims Limited

An ICO investigation revealed that Quick Tax Claims Limited had sent 7,863,547 unlawful text messages over the course of a month, resulting in 66,793 complaints – 93% of these stating there was no ‘opt out’ option. During the investigation, the ICO found that the company had purchased personal information from third-party suppliers that did not obtain valid consent. This led to the ICO issuing Quick Tax Claims Limited with a £120,000 fine.

Levales Solicitors LLP

Reprimand issued to Levales Solicitors LLP (‘Levales’) in respect of Articles 32(1)(b) and 32(1)(d). A threat actor accessed Levales’ cloud-based server using legitimate credentials and subsequently published data on the dark web. The incident affected 8,234 UK individuals, of which 863 individuals were deemed at high risk because of the nature of the data involved. The investigation found Levales were not ensuring the ongoing confidentiality of its processing systems and did not implement appropriate organisational measures.

Coastal Windows & Conservatories (UK) Limited

Coastal Windows & Conservatories Limited made over 18,000 unsolicited marketing calls between 1 January and 1 June 2023 to numbers registered with the TPS. The ICO and TPS received numerous complaints from people variously saying they had not consented to receiving such calls or received repeated calls despite requests to stop.

The Electoral Commission

Reprimand issued to the Electoral Commission in respect of Articles 5(1)(f) and 32(1)(b). Between 24 August 2021 and 27 October 2022, a threat actor had access to the Electoral Commission’s systems and was able to access personal data held as part of the Electoral Register. This incident impacted approximately 40,000,000 individuals, and the initial access was gained via several unpatched software vulnerabilities. The investigation highlighted that appropriate technical and organisational measures were not in place at the time of the breach.

South Wales Police

South Wales Police has been served with an Enforcement Notice as a result of evidence seen by the Commissioner about its performance in relation to its statutory duties under the Freedom of Information Act. Compliance levels fell to 45% in July 2023 and as of 31 April 2024, 167 requests were overdue, with one case being 122 days old. By 20 December 2024, SWP is required to respond to all information requests which were outside of 20 working days when the Enforcement Notice was served on 20 June 2024.

Birmingham Children's Trust Community Interest Company

Reprimand issued to Birmingham Children’s Trust Community Interest Company in respect of Article 5(1)(f) and 32(1)(b) and 2. A child protection plan containing inappropriate personal data, in the form of criminal allegations against a child, was sent to the family the plan was produced for. Although the care plan itself was authorised for the family to view, the criminal allegations were not relevant to the plan, or authorised for the family’s view. The investigation highlighted that appropriate technical and organisational measures were not in place at the time of the breach.

The Central Young Men’s Christian Association

The Central YMCA sent an email to individuals participating in a programme for people living with HIV using “CC” rather than “BCC”, revealing the email addresses to all recipients. 166 individuals could be identified or potentially identified from their email address. As a result, it could be inferred that these individuals were likely to be living with HIV. The Central YMCA have been fined £7,500 and issued a reprimand.

Dr Telemarketing

Between 11 February 2021 and 24 January 2022, 80,240 connected unsolicited direct marketing calls were made to subscribers who were registered with the TPS and who had not notified DRT that they were willing to receive such calls, resulting in two complaints. Calls were about the Irish Lottery. DRT stopped engaging with the Commissioner part way through the investigation and failed to provide a satisfactory explanation for the Lotto Express calls involved in the contravention.

Clyde Valley Housing Association

Clyde Valley Housing Association have received the following reprimand because of an infringement that occurred in July 2022 when they released a new customer portal. This portal included personal data of data subjects, and residents found they were able to view personal information about other residents, such as names and addresses. A resident reported this to Clyde Valley Housing Association; however, this concern was not escalated appropriately, which led to data remaining viewable on the portal for a further 5 days until further residents reported the issue and Clyde Valley Housing Association suspended the portal.

Home Office

An enforcement notice and a warning have been issued to the Home Office for failing to assess the privacy risks posed by the electronic monitoring of people arriving in the UK by unauthorised means. The ICO has been in discussion with the Home Office regarding its pilot to place ankle tags on, and track the GPS location of, up to 600 migrants who arrived in the UK and were on immigration bail. Although the pilot ended in December 2023, the Home Office has retained the GPS location data collected by the tags and will continue to be able to access and use that data including sharing it with other third-party organisations. The enforcement notice orders the Home Office to update its internal policies, access guidance and privacy information in relation to the data retained from the pilot. The warning issued also states that any future processing on the same basis will be in breach of data protection law and will attract enforcement action.

Dover Harbour Board

A reprimand is being issued to Dover Harbour Board in respect of the creation and use of a social media distribution group, initially created in WhatsApp but later migrated to Telegram. From the evidence provided to the ICO, the distribution groups were used by multiple UK police forces and international law enforcement agencies for the purpose of combatting vehicle crime. The distribution groups were created by an officer from the Port of Dover Police using his personal mobile phone without organisational oversight or compliance with data protection legislation.

Chief Constable of Kent Police

A reprimand is being issued to Kent Police in respect of an incident in February 2021 when a Kent Police officer took a photograph of an individual’s identity document using her personal mobile phone and uploaded the image onto Telegram, a social media application. From the evidence provided to the ICO, the Telegram distribution group onto which the image was uploaded was being used by multiple UK police forces and international law enforcement agencies for the purpose of combatting vehicle crime. The Kent Police officer did not inform the individual that further processing of his personal data would take place; how it would be processed; or the purpose for doing so.

Mayor’s Office for Policing and Crime (MOPAC)

Within the London.gov.uk website, there was a webform to contact the London Victims’ Commissioner as well as other webforms. Between 11 and 14 November 2022, a member of GLA intended to give four members of MOPAC permission to the webforms. However, instead of granting permission to the four members of MOPAC, they made two webforms public. On 23 February 2023 MOPAC were made aware by a member of the public that it was possible for users to click a button that would enable them to access information on every query that had been submitted via the form. 394 people were later notified of the breach due to the nature of the personal data that was made publicly accessible on the forms.

Chief Constable West Midlands Police

A reprimand has been issued to West Midlands Police after the force repeatedly incorrectly linked and merged the records of two individuals with similar personal data. West Midlands Police failed to ensure the accuracy of the personal data of these two individuals, resulting in multiple incidents where officers attended a wrong address, including on one occasion when there were serious safeguarding concerns relating to one of the individuals.