ICO Enforcement Actions

Information Commissioner's Office enforcement actions — monetary penalties, enforcement notices, reprimands, and undertakings for data protection and FOI failures.

211
Total Actions
58
Monetary Penalties
£51,139,873
Total Fines (£)

Actions by Type

Key Insights

The ICO has taken 211 enforcement actions tracked here, including 58 monetary penalties and 100 reprimands. Total fines: £51,139,873.

Public bodies subject to ICO enforcement — NHS trusts, police forces, councils — can be cross-referenced with their inquiry recommendation delivery records to surface patterns between governance failures and accountability gaps.

Showing 211 actions

Finham Park Multi Academy Trust
Reprimand Education and childcare finham-park-multi-academy-trust
Finham Park Multi Academy Trust have been issued a Reprimand in respect of Articles 5 (1) (f) and 32 (1) (b). An unauthorised third party utilised compromised credentials to access …
07 Dec 2023 Highways Agency ICO
Daniel George Bentley and Taipan Trading Ltd
Enforcement Notice Privacy and Electronic Communications Regulations Marketing daniel-george-bentley-and-taipan-trading-ltd
Daniel George Bentley is a sole trader and director of Taipan Trading Ltd. Between 1 May 2022 and 31 July 2023 he and his company sent over 2.5 million unsolicited …
05 Dec 2023 Defence Academy of the United Kingdom ICO
Bank of Ireland
Reprimand Finance insurance and credit bank-of-ireland
BOI failed to ensure the accuracy of customers’ default loan status which led to inaccurate personal data being held on their account which was subsequently incorrectly recorded on customers’ credit …
30 Nov 2023 ICO
Charnwood Borough Council
Reprimand Local government charnwood-borough-council
Reprimand issued for the disclosure of the new address of the data subject to an ex-partner who was the alleged perpetrator of domestic abuse against the data subject. This caused …
29 Nov 2023 Crossrail International ICO
NHS Fife
Reprimand Health nhs-fife
The Information Commissioner’s Office (ICO) has issued a reprimand to NHS Fife, after an unauthorised individual was able to enter a ward and access the personal information of 14 patients.
23 Nov 2023 NHS ICO
Intelling Ltd
Monetary Penalty Online technology and telecoms intelling-ltd
16 Nov 2023 ICO
GRS (Roadstone) Limited
Reprimand UK GDPR General business grs-roadstone-limited
The Information Commissioner (the Commissioner) issues a reprimand to GRS (Roadstone) Limited in respect of infringements of Article 32 (1) (b) and Article 32 (1) (d) of the UK GDPR. …
14 Nov 2023 ADS ICO
DPG Professional Services Ltd
Monetary Penalty Finance insurance and credit dpg-professional-services-ltd-mpn
09 Nov 2023 Independent Case Examiner ICO
Complete Marketing Services Ltd
Enforcement Notice Marketing complete-marketing-services-ltd-en
09 Nov 2023 Committee on Mutagenicity of Chemicals in Food, Consumer Products and the Environment ICO
Complete Marketing Services Ltd
Monetary Penalty complete-marketing-services-ltd-mpn
09 Nov 2023 Committee on Mutagenicity of Chemicals in Food, Consumer Products and the Environment ICO
DPG Professional Services Ltd
Enforcement Notice Finance insurance and credit dpg-professional-services-ltd-en
09 Nov 2023 Independent Case Examiner ICO
University Hospital of Derby and Burton NHS Trust (UHDB)
Reprimand Health university-hospital-of-derby-and-burton-nhs-trust-uhdb
UHDB failed to have adequate processes in place, especially when processing special category data, which resulted in referrals for out-patients’ appointments not being processed in a timely manner. In some …
30 Oct 2023 Housing Ombudsman ICO
Argentum Data Solutions Ltd
Monetary Penalty Privacy and Electronic Communications Regulations General business argentum-data-solutions-ltd-mpn
Between 1 January 2021 and 31 January 2022 there were a total of 2,330,423 SMS sent without consent. 24,309 were sent by ADS directly and it allowed its lines to …
26 Oct 2023 Defence Academy of the United Kingdom ICO
Argentum Data Solutions Ltd
Enforcement Notice Privacy and Electronic Communications Regulations General business argentum-data-solutions-ltd-en
Between 1 January 2021 and 31 January 2022 there were a total of 2,330,423 SMS sent without consent. 24,309 were sent by ADS directly and it allowed its lines to …
26 Oct 2023 Defence Academy of the United Kingdom ICO
Police Service of Northern Ireland (PSNI)
Reprimand Criminal justice police-service-of-northern-ireland-psni
Police Service of Northern Ireland (PSNI) failed to have appropriate measures in place to prevent unlawful sharing of personal data including criminal data with the United States Department of Homeland …
26 Oct 2023 Historic England ICO
Outsource Strategies Ltd
Monetary Penalty outsource-strategies-ltd-mpn
Outsource Strategies Ltd made 1,346,503 unwanted marketing calls between 11 February 2021 and 22 March 2022 to numbers registered with the TPS. The ICO received 74 complaints from people variously …
20 Oct 2023 Active Travel England ICO
Outsource Strategies Ltd
Enforcement Notice Marketing outsource-strategies-ltd-en
Outsource Strategies Ltd made 1,346,503 unwanted marketing calls between 11 February 2021 and 22 March 2022 to numbers registered with the TPS. The ICO received 74 complaints from people variously …
20 Oct 2023 Active Travel England ICO
Gap Personnel Holdings Limited
Reprimand UK GDPR General business gap-personnel-holdings-limited
The Information Commissioner (the Commissioner) issues a reprimand to Gap Personnel Holdings Limited in respect of infringements of Article 32 (1), Article 32 (1) (b) and Article 32 (1) (d) …
19 Oct 2023 ICO
Optionis Group Limited
Reprimand UK GDPR Finance insurance and credit optionis-group-limited
The data controller suffered a ransomware attack, which resulted in the exfiltration of personal data. A reprimand was issued in respect of specific infringements of the UK GDPR, which include …
10 Oct 2023 ICO
Chief Constable West Mercia Police and Chief Constable Warwickshire Police
Reprimand Criminal justice chief-constable-west-mercia-police-and-chief-constable-warwickshire-police
On 21 June 2021 West Mercia Police and Warwickshire Police erroneously decommissioned a server containing a Warwickshire Police application. This application contained Warwickshire Police data from between November 2001 and …
06 Oct 2023 British Library ICO
Digivo Media Limited
Enforcement Notice Privacy and Electronic Communications Regulations Finance insurance and credit digivo-media-limited-en
Between 24 March 2021 and 7 September 2021 there were 415,041 texts delivered without valid consent – breach of Regulation 22 of PECR. Digivo came to the ICO’s attention following …
03 Oct 2023 ICO
Digivo Media Limited
Monetary Penalty Privacy and Electronic Communications Regulations Finance insurance and credit digivo-media-limited-mpn
Between 24 March 2021 and 7 September 2021 there were 415,041 texts delivered without valid consent – breach of Regulation 22 of PECR. Digivo came to the ICO’s attention following …
03 Oct 2023 ICO
MCP Online Ltd
Enforcement Notice Privacy and Electronic Communications Regulations Finance insurance and credit mcp-online-ltd-en
Between 1 January 2022 and 28 September 2022 there were 20,939 calls made to CTPS or TPS registered numbers – breach of Reg 21 and 24 of PECR. MCP came …
28 Sep 2023 ICO
MCP Online Ltd
Monetary Penalty Privacy and Electronic Communications Regulations Finance insurance and credit mcp-online-ltd-mpn
Between 1 January 2022 and 28 September 2022 there were 20,939 calls made to CTPS or TPS registered numbers – breach of Reg 21 and 24 of PECR. MCP came …
28 Sep 2023 ICO
Nottinghamshire County Council
Reprimand Local government nottinghamshire-county-council-reprimand
A social worker sent copies of a Child and Family Assessment report to the mother and her two ex-partners: each the father of one of her two children. The report …
27 Sep 2023 Nottinghamshire County Council ICO
Cover Appliance Limited
Enforcement Notice Privacy and Electronic Communications Regulations Marketing cover-appliance-limited-en
Cover Appliance Ltd made 511,499 marketing calls to individuals in breach of regulation 21 of PECR. The company was fined £200,000 and issued with an enforcement notice.
21 Sep 2023 VisitEngland ICO
F12 Management Ltd
Enforcement Notice Privacy and Electronic Communications Regulations f12-management-ltd-en
F12 Management Ltd made 1,346,019 marketing calls to individuals in breach of regulation 21 of PECR. The company was fined £200,000 and issued with an enforcement notice.
21 Sep 2023 ENT ICO
SGS Home Protect Ltd
Monetary Penalty Privacy and Electronic Communications Regulations Marketing sgs-home-protect-ltd-mpn
SGS Home Protect Ltd made 24,214 marketing calls to individuals in breach of regulation 21 of PECR. The company was fined £70,000 and issued with an enforcement notice.
21 Sep 2023
£70,000
Office of Manpower Economics ICO
SGS Home Protect Ltd
Enforcement Notice Privacy and Electronic Communications Regulations Marketing sgs-home-protect-ltd-en
SGS Home Protect Ltd made 24,214 marketing calls to individuals in breach of regulation 21 of PECR. The company was fined £70,000 and issued with an enforcement notice.
21 Sep 2023 Office of Manpower Economics ICO
Cover Appliance Ltd
Monetary Penalty Privacy and Electronic Communications Regulations Marketing cover-appliance-ltd-mpn
Cover Appliance Ltd made 511,499 marketing calls to individuals in breach of regulation 21 of PECR. The company was fined £200,000 and issued with an enforcement notice.
21 Sep 2023
£200,000
VisitEngland ICO
F12 Management Ltd
Monetary Penalty Privacy and Electronic Communications Regulations Marketing f12-management-ltd-mpn
F12 Management Ltd made 1,346,019 marketing calls to individuals in breach of regulation 21 of PECR. The company was fined £200,000 and issued with an enforcement notice.
21 Sep 2023
£200,000
ENT ICO
House Hold Appliances 247 Ltd
Monetary Penalty Privacy and Electronic Communications Regulations Marketing house-hold-appliances-247-ltd-mpn
House Hold Appliances 247 Ltd made 19,069 marketing calls to individuals in breach of regulation 21 of PECR. The company was fined £55,000 and issued with an enforcement notice.
21 Sep 2023
£55,000
Sport England ICO
House Hold Appliances 247 Ltd
Enforcement Notice Privacy and Electronic Communications Regulations Marketing house-hold-appliances-247-ltd-en
House Hold Appliances 247 Ltd made 19,069 marketing calls to individuals in breach of regulation 21 of PECR. The company was fined £55,000 and issued with an enforcement notice.
21 Sep 2023 Sport England ICO
RHAP Ltd
Monetary Penalty Privacy and Electronic Communications Regulations Marketing rhap-ltd-mpn
RHAP Ltd made 15,288 marketing calls to individuals in breach of regulation 21 of PECR. The company was fined £65,000 and issued with an enforcement notice.
21 Sep 2023
£65,000
Highways Agency ICO
RHAP Ltd
Enforcement Notice Privacy and Electronic Communications Regulations Marketing rhap-ltd-en
RHAP Ltd made 15,288 marketing calls to individuals in breach of regulation 21 of PECR. The company was fined £65,000 and issued with an enforcement notice.
21 Sep 2023 Highways Agency ICO
Ministry of Justice
Reprimand UK GDPR Criminal justice ministry-of-justice-reprimand
The Information Commissioner (the Commissioner) issues a reprimand to the Ministry of Justice (the MoJ) in accordance with Article 58(2)(b) of the UK General Data Protection Regulation in respect of …
08 Sep 2023 Ministry of Justice ICO
Simply Connecting Ltd
Enforcement Notice Privacy and Electronic Communications Regulations Marketing simply-connecting-ltd-en
Simply Connecting Ltd sent 441,830 direct marketing text messages to individuals in breach of regulation 22 of PECR. The company was fined £40,000 and issued with an enforcement notice.
06 Sep 2023 ICO
Simply Connecting Ltd
Monetary Penalty Privacy and Electronic Communications Regulations Marketing simply-connecting-ltd-mpn
Simply Connecting Ltd sent 441,830 direct marketing text messages to individuals in breach of regulation 22 of PECR. The company was fined £40,000 and issued with an enforcement notice.
06 Sep 2023
£40,000
ICO
Gloucester City Council
Reprimand UK GDPR Local government gloucester-city-council
The Information Commissioner (the Commissioner) issues a reprimand to Gloucester City Council in respect of infringements of Article 32(1)b, Article 32(1)c and Article 32(1)d of the UK GDPR. Gloucester City …
01 Sep 2023 Crossrail International ICO
This Is The Big Deal Limited
Monetary Penalty Privacy and Electronic Communications Regulations Utilities this-is-the-big-deal-limited
This Is The Big Deal Limited sent or instigated the sending of 41,417,889 unsolicited direct marketing messages (39,906,342 emails and 1,511,547 text messages) to individuals who had not consented to …
25 Aug 2023
£30,000
Big Lottery Fund ICO
London Borough of Lewisham
Reprimand UK GDPR Local government london-borough-of-lewisham-reprimand
During the period of 3 January 2022 to 3 January 2023, 35% of subject access requests (SARs) that London Borough of Lewisham received were not responded to within the statutory …
16 Aug 2023 Lewisham Council ICO
Swinburne, Snowball and Jackson
Reprimand UK GDPR Legal swinburne-snowball-and-jackson
The Information Commissioner (the Commissioner) issues a reprimand to Swinburne, Snowball and Jackson in respect of infringements of Article 5(1)(f), which requires personal data is processed securely, and Article 32(1)(b) …
12 Aug 2023 Judicial Appointments Commission ICO
Recruitment company reprimand
Reprimand UK GDPR General business recruitment-company-reprimand
The Information Commissioner (the Commissioner) issues a reprimand to a recruitment company in respect of infringements of Article 5(1)(f) and 32(1)(b) of the UK GDPR. The organisation misconfigured a storage …
09 Aug 2023 Committee on Mutagenicity of Chemicals in Food, Consumer Products and the Environment ICO
NHS Lanarkshire
Reprimand UK GDPR Health nhs-lanarkshire
The Information Commissioner (the Commissioner) issues a reprimand to NHS Lanarkshire in accordance with Article 58 (2)(b) of the UK General Data Protection Regulation (UK GDPR) for the sharing of …
31 Jul 2023 NHS ICO
My Media World Limited t/a Brand New Tube
Reprimand UK GDPR Media my-media-world-limited-ta-brand-new-tube
Reprimand has been issued to the above organisation in respect of Article 32 (1) and Article 32 (1) (d) of the GDPR. My Media World Limited failed to implement appropriate …
25 Jul 2023 Royal Armouries Museum ICO
Executive Office
Reprimand Central government executive-office
On 22 May 2020, the Interim Advocate’s Office sent a newsletter by email to 251 subscribers on its mailing list using the ‘To’ field. The email addresses of the recipients …
21 Jul 2023 Chief Executive Officer ICO
The Patient and Client Council
Reprimand UK GDPR Health the-patient-and-client-council
A reprimand has been issued to The Patient and Client Council in relation to infringements of Article 5 (1)(f) and Article 32 (1) of the UK GDPR. The infringements were …
19 Jul 2023 Crossrail International ICO
Fortis Insolvency Limited
Enforcement Notice Privacy and Electronic Communications Regulations fortis-insolvency-limited-en
Fortis Insolvency Limited sent 558,354 direct marketing SMS messages without valid consent with 527,481 received by subscribers between 26 July 2020 and 26 July 2021 in contravention of regulation 22 …
28 Jun 2023 The National Shipbuilding Office ICO
Fortis Insolvency Limited
Monetary Penalty Privacy and Electronic Communications Regulations fortis-insolvency-limited-mpn
Fortis Insolvency Limited sent 558,354 direct marketing SMS messages without valid consent with 527,481 received by subscribers between 26 July 2020 and 26 July 2021 in contravention of regulation 22 …
28 Jun 2023
£30,000
The National Shipbuilding Office ICO
Nottinghamshire Police
Reprimand Criminal justice nottinghamshire-police
The breach in this case was an unauthorised disclosure of the personal data of witnesses via a police officer’s unredacted statement on the CPS Digital Case Management system. The evidence …
21 Jun 2023 Nottinghamshire Police ICO