ICO Enforcement Actions

Information Commissioner's Office enforcement actions — monetary penalties, enforcement notices, reprimands, and undertakings for data protection and FOI failures.

211
Total Actions
58
Monetary Penalties
£51,139,873
Total Fines (£)

Actions by Type

Key Insights

The ICO has taken 211 enforcement actions tracked here, including 58 monetary penalties and 100 reprimands. Total fines: £51,139,873.

Public bodies subject to ICO enforcement — NHS trusts, police forces, councils — can be cross-referenced with their inquiry recommendation delivery records to surface patterns between governance failures and accountability gaps.

Showing 211 actions

Crown Glazing Ltd
Monetary Penalty Utilities crown-glazing-ltd-mpn
The case was part of Operation Tinago which was formed to assess and analyse complaint trends in relation to the energy and home improvements sector. The organisation made 503,445 unsolicited …
08 Jun 2023 Gangmasters Licensing Authority ICO
Crown Glazing Ltd
Enforcement Notice Utilities crown-glazing-ltd-en
The case was part of Operation Tinago which was formed to assess and analyse complaint trends in relation to the energy and home improvements sector. The organisation made 503,445 unsolicited …
08 Jun 2023 Gangmasters Licensing Authority ICO
Maxen Power Supply Limited
Enforcement Notice Privacy and Electronic Communications Regulations Utilities maxen-power-supply-limited-en
Maxen Power Supply Limited used overseas call centres to make unsolicited marketing calls to businesses in contravention of regulations 21 and 24 of PECR. The company was fined £120,000 and …
08 Jun 2023 Stabilisation Unit ICO
Maxen Power Supply Limited
Monetary Penalty Privacy and Electronic Communications Regulations Utilities maxen-power-supply-limited-mpn
Maxen Power Supply Limited used overseas call centres to make unsolicited marketing calls to businesses in contravention of regulations 21 and 24 of PECR. The company was fined £120,000 and …
08 Jun 2023
£120,000
Stabilisation Unit ICO
Thames Valley Police
Reprimand Data Protection Act 2018 Criminal justice thames-valley-police
The Information Commissioner (the Commissioner) issues a reprimand to Thames Valey Police (TVP) in accordance with Schedule 13(2)(c) of the Data Protection Act 2018 (DPA 2018) in respect of certain …
30 May 2023 Thames Valley Police ICO
Parkside Community Primary School
Reprimand UK GDPR Education and childcare parkside-community-primary-school
A reprimand has been issued to Parkside Community Primary School in relation to the infringements of Article 5 (1)(f), Article 24 (1) and Article 32 of UK GDPR.
23 May 2023 Committee on Mutagenicity of Chemicals in Food, Consumer Products and the Environment ICO
UK Direct Business Solutions Limited
Monetary Penalty Marketing uk-direct-business-solutions-limited
UK Direct Business Solutions Limited made 410,369 unsolicited marketing calls to businesses registered with the CTPS or TPS between 1 March 2020 and 31 October 2021.
16 May 2023 Office for National Statistics ICO
Ice Telecommunications Ltd
Monetary Penalty Marketing ice-telecommunications-ltd-mpn
Ice Telecommunications Ltd made 72,682 unsolicited marketing calls to businesses registered with the CTPS or TPS between 13 September 2021 and 31 January 2022.
16 May 2023 CAT ICO
Ice Telecommunications Ltd
Enforcement Notice Marketing ice-telecommunications-ltd-en
Ice Telecommunications Ltd made 72,682 unsolicited marketing calls to businesses registered with the CTPS or TPS between 13 September 2021 and 31 January 2022.
16 May 2023 CAT ICO
TikTok Information Technologies UK Limited and TikTok Inc (TikTok)
Monetary Penalty Online technology and telecoms tiktok
The Information Commissioner’s Office (ICO) has issued a £12,700,000 fine to TikTok Information Technologies UK Limited and TikTok Inc (TikTok) for a number of breaches of data protection law, including …
15 May 2023
£12,700,000
Royal Mint ICO
Shropshire Council
Enforcement Notice Freedom of Information Act 2000 Local government shropshire-council
The Information Commissioner’s Office (ICO) has issued an enforcement notice to Shropshire Council for its poor handling of requests made under the Freedom of Information Act (FOIA) 2000.
09 May 2023 Shropshire Council ICO
Norfolk County Council
Reprimand Local government norfolk-county-council
Norfolk County Council has only responded to 260 out of 511 SARs it received within the statutory timescales from 6 April 2021 to 6 April 2022.
05 May 2023 Norfolk County Council ICO
Plymouth City Council
Reprimand UK GDPR Local government plymouth-city-council
A reprimand has been issued to Plymouth City Council in relation to the infringements of Article 12 (3) and Article 15 of the UK GDPR. This case forms part of …
28 Apr 2023 Plymouth City Council ICO
Ministry of Justice
Reprimand Central government ministry-of-justice-1
14 bags of confidential waste were found in an unsecured holding area in the prison, which both prisoners and staff had access to.
27 Apr 2023 Ministry of Justice ICO
University Hospitals Dorset NHS Foundation Trust
Reprimand UK GDPR Health university-hospitals-dorset-nhs-foundation-trust
The Information Commissioner (the Commissioner) issues a reprimand to University Hospitals Dorset NHS Foundation Trust (the Trust) in accordance with Article 58(2)(b) of the UK General Data Protection Regulation in …
25 Apr 2023 University Hospitals Dorset NHS Foundation Trust ICO
Join the Triboo Limited
Enforcement Notice Marketing join-the-triboo-limited-en
Between 1 August 2019 and 19 August 2020, a confirmed total of 107 million direct marketing messages were sent by Join the Triboo Limited and from those messages 437,324 were …
14 Apr 2023 Historic England ICO
Join the Triboo Limited
Monetary Penalty Marketing join-the-triboo-limited-mpn
Between 1 August 2019 and 19 August 2020, a confirmed total of 107 million direct marketing messages were sent by Join the Triboo Limited and from those messages 437,324 were …
14 Apr 2023 Historic England ICO
Sussex Police
Reprimand Criminal justice sussex-police
In June 2020, the ICO became aware that staff members across both Sussex Police and Surrey Police had access to an app that recorded all incoming and outgoing phone calls. …
03 Apr 2023 Sussex Police ICO
Surrey Police
Reprimand Criminal justice surrey-police
In June 2020, the ICO became aware that staff members across both Sussex Police and Surrey Police had access to an app that recorded all incoming and outgoing phone calls. …
03 Apr 2023 Surrey Police ICO
Achieving for Children
Reprimand Social care achieving-for-children
Due to communication failure and a lack organisational measures, Achieving for Children (AfC) inappropriately disclosed personal data, special category data and criminal conviction data in a report.
03 Apr 2023 ICO
London Borough of Lewisham
Enforcement Notice Freedom of Information Act 2000 Local government london-borough-of-lewisham
The London Borough of Lewisham has been served with an Enforcement Notice as a result of the evidence seen by the Commissioner about its performance in relation to its statutory …
21 Mar 2023 Lewisham Council ICO
Gain Capital UK Limited
Reprimand Online technology and telecoms gain-capital-uk-limited
Gain Capital UK have been issued a Reprimand in respect of Articles 32 (2) and 32 (1) (b). An unauthorised third party leveraged an unpatched software vulnerability to access Gain …
10 Mar 2023 Capita ICO
NHS Highland
Reprimand Health nhs-highland
A formal reprimand has been issued to NHS Highland, which emailed 37 people likely to be accessing HIV services, inadvertently using CC (carbon copy) instead of BCC (blind carbon copy). …
09 Mar 2023 NHS ICO
University Hospitals Bristol and Weston NHS Foundation Trust
Reprimand Health university-hospitals-bristol-and-weston-nhs-foundation-trust
Patient records were saved on to an Electronic Document Viewing System. The Trust decided to terminate the use of this system and the records on it were downloaded prior to …
07 Mar 2023 University Hospitals Bristol and Weston NHS Foundation Trust ICO
NHS Blood and Transplant
Reprimand UK GDPR Health nhs-blood-and-transplant
The Commissioner has decided to issue NHSBT with a reprimand in accordance with Article 58 of the GDPR, after they inadvertently released untested development code into a live system for …
03 Mar 2023 British Library ICO
Metropolitan Police Service
Reprimand Criminal justice metropolitan-police-service-reprimand
MPS was unable to ensure that sensitive criminal records were not able to be uploaded correctly to the Police National Database (PND), or amended, or deleted and that this situation …
02 Mar 2023 Metropolitan Police Service ICO
Chartered Institute for Securities & Investment
Reprimand Charitable and voluntary chartered-institute-for-securities-investment
An unauthorised third party exploited a known vulnerability in the Sitefinity software to leverage a bruteforce attack to upload a malicious code to the Chartered Institute for Securities & Investment …
21 Feb 2023 ENT ICO
It's OK Limited
Monetary Penalty Privacy and Electronic Communications Regulations Retail and manufacture its-ok-limited-mpn
Between 1 July 2019 and 1 June 2020, It’s OK Limited engaged in the transmission of 1,752,149 unsolicited calls for direct marketing purposes to subscribers who had been registered with …
15 Feb 2023 ICO
It's OK Limited
Enforcement Notice Privacy and Electronic Communications Regulations Retail and manufacture its-ok-limited-en
Between 1 July 2019 and 1 June 2020, It’s OK Limited engaged in the transmission of 1,752,149 unsolicited calls for direct marketing purposes to subscribers who had been registered with …
15 Feb 2023 ICO
Monetise Media Limited
Monetary Penalty Privacy and Electronic Communications Regulations Marketing monetise-media-limited-mpn
Between 28 July 2020 and 28 July 2021, Monetise Media Limited (MML) sent 3,506,157 direct marketing emails and text messages without valid consent, contrary to the regulation 22 of PECR.
14 Dec 2022 Sport England ICO
Power Leisure Bookmakers Limited
Reprimand UK GDPR General business power-leisure-bookmakers-limited
The ICO has issued PLB with a reprimand, in accordance with Article 58 of the UK GDPR, following breaches reported to the ICO on 27 August 2021, 3 September 2021, …
06 Dec 2022 Stabilisation Unit ICO
Royal Free London NHS Foundation Trust
Reprimand Health royal-free-london-nhs-foundation-trust-reprimand
Hysteroscopy scans were saved on to a series of three USB sticks over a period of nine years from May 2013 until the remaining two encrypted USB sticks became inaccessible …
10 Nov 2022 Royal Free London NHS Foundation Trust ICO
Department for Education
Reprimand Central government department-for-education
The DfE permitted third party access to the LRS database outside of the DfE and subsequent processing took place of some of that personal data (including children) for the purposes …
02 Nov 2022 Department for Education ICO
Department for Work and Pensions
Reprimand Central government department-for-work-and-pensions
A reprimand has been issued after the inappropriate disclosure of individuals personal data by Child Maintenance Appeals (CM Appeals) within the Department for Work and Pensions (DWP).
31 Oct 2022 Department for Work and Pensions ICO
Secretary of State for the Home Department
Reprimand Central government secretary-of-state-for-the-home-department
On 5 September 2021 an envelope containing four documents classified 'Official Sensitive' (the Documents) was found at a venue in London, by venue staff. On 6 September 2021, the venue …
07 Oct 2022 Active Travel England ICO
Processing of special category biometric data
Reprimand Transport and leisure processing-of-special-category-biometric-data
In November 2022, the Information Commissioner committed to publish all reprimands from 2022 onwards unless there is a good reason not to.
04 Oct 2022 Active Travel England ICO
Chief Constable of Kent Police
Reprimand Criminal justice chief-constable-of-kent-police
From October 2020 to February 2021, Kent Police received over 200 SARs, 60% were completed during the statutory deadline. However, some of the remaining SARs are reported to have taken …
23 Sep 2022 British Library ICO
London Borough of Lambeth
Reprimand Local government london-borough-of-lambeth
London Borough of Lambeth has only responded to 74% of the SARs it has received within the statutory timescales from 1 August 2020 to 11 August 2021. This equates to …
23 Sep 2022 London Borough of Lambeth ICO
Wakefield Council
Reprimand Local government wakefield-council
A reprimand was issued after the Council sent papers prepared as a Court bundle, in relation to Child Protection Legal Proceedings, to the parents of the child in question. The …
22 Sep 2022 Wakefield Council ICO
Secretary of State for the Home Department (Home Office)
Reprimand Central government secretary-of-state-for-the-home-department-home-office-1
A reprimand has been issued to the Home Office following investigations that showed between March 2021 and November 2021, they had a significant back log of SARs, amounting to just …
21 Sep 2022 Active Travel England ICO
London Borough of Hackney
Reprimand Local government london-borough-of-hackney
For the period of April 2020 to February 2021, London Borough of Hackney did not respond to over 60% of the SARs submitted to them in the statutory timeframe. The …
21 Sep 2022 London Borough of Hackney ICO
Virgin Media Limited
Reprimand virgin-media-limited-reprimand
Over a 6 month period in 2021, Virgin Media received over 9500 SARs. 14% of these were not responded to during the statutory timeframe. However, their compliance in 2022 has …
20 Sep 2022 Virgin Media ICO
National Crime Agency
Reprimand national-crime-agency
The exception reports were to highlight where the work of the RPA could not be completed and manual officer intervention was required in order to complete the necessary work on …
06 Sep 2022 National Crime Agency ICO
South Wales Police
Reprimand Criminal justice south-wales-police
A reprimand has been issued after the disclosure of personal information by South Wales Police on two separate occasions, the first reported was for an incident in April 2020 (the …
26 Aug 2022 South Wales Police ICO
Ministry of Justice
Reprimand ministry-of-justice
A reprimand has been issued after an unauthorised disclosure of personal information.
26 Aug 2022 Ministry of Justice ICO
Jackson Quinn
Reprimand jackson-quinn
Jackson Quinn was representing two children in relation to step-parent adoption proceedings at the family court. The case was listed for a final hearing to take place on 13 February …
19 Aug 2022 Judicial Appointments Commission ICO
Secretary of State for the Home Department (Home Office)
Reprimand Central government secretary-of-state-for-the-home-department-home-office
A Home Office employee contacted members of the public as part of the creation of an education programme for staff into the historical background and circumstances of individuals arriving into …
16 Aug 2022 Active Travel England ICO
Crown Prosecution Service
Reprimand Central government crown-prosecution-service-reprimand
A reprimand was issued after an investigation into three separate incidents involving the loss of personal data.
12 Aug 2022 Crown Prosecution Service ICO
Ministry of Defence
Reprimand Central government ministry-of-defence
The MoD has been issued with a reprimand following an identified SAR backlog dating back to March 2020. Despite setting up a recovery plan, this backlog has continued to grow, …
27 Jul 2022 Ministry of Defence ICO
London Borough of Croydon
Reprimand UK GDPR Local government london-borough-of-croydon
From April 2020 to April 2021, the London Borough of Croydon Council responded to less than half of their SARs within the statutory timescales. This meant that 115 residents did …
26 Jul 2022 London Borough of Croydon ICO