
One of the realities of failing to comply with data protection legislation is that enforcement actions and decision notices issued by the Information Commissioner’s Office (ICO) are often made public on its website.
While this can seem intimidating, it also offers a valuable learning opportunity. Public bodies can see where others have gone wrong, recognise the same issues in their own organisation, and use those insights to improve their own practices. With the scope of regulatory action widening under the new Data Use and Access Act 2025, it is vital that public bodies take note.
To assist our readers, here are some key lessons drawn from recent ICO decisions. While the notices name specific organisations, this article focuses on the broader takeaways rather than singling out any organisation specifically.
1. Know and meet your deadlines
Several decisions highlight that public bodies have been penalised for late, or even missing, responses. A late response is a breach in itself, even where the content of the response was lawful and appropriate.
Takeaway: Your internal systems, policies and procedures must support timely and effective handling of requests. Many organisations have policies that do not reflect how requests are actually managed in practice. Simple measures such as a dedicated request log with deadline diary dates, early-stage triage of incoming requests, and clear escalation routes can prevent delays and reduce stress during high-pressure periods.
2. Apply exemptions and exceptions correctly (and document your reasoning)
I often come across misapplication of exemptions and exceptions, and this is a common theme across ICO enforcement notices. Examples range from miscalculating the cost of compliance, so that the cost limit is applied when it should not be, to wrongly labelling requests as vexatious. The exemptions relating to personal data (both third-party personal data and the requester’s own personal data) are also frequently misapplied.
Takeaway: Exemptions and exceptions are complex, even for legal professionals. However, a clear written record explaining why a particular exemption or exception was applied can make a world of difference. Proper documentation can be the difference between a severe penalty and constructive guidance from the ICO. Always show your workings; without them, defending a decision becomes much harder.
3. Conduct thorough and effective searches
In several decisions the ICO has required a public body to repeat its searches, having concluded that the searches carried out were not effective.
Takeaway: Ensure your systems enable comprehensive and efficient searching. If the search relates to personal data, a well-maintained Record of Processing Activities should be central to the exercise, because it identifies every known location where that data is, or has been, held. The ICO also publishes a short checklist, “Conducting searches for information checklist”, which may assist your efforts.
Finally, I would urge readers with a role in data to set up notifications via the ICO RSS feeds (https://ico.org.uk/global/rss-feeds/). I find this a useful way to keep on top of the decisions being made and the enforcement action being taken.
Our Data Protection team is always here to give you recommendations and advice, and can be contacted on 0345 450 5558 or enquiries@stephens-scown.co.uk