Skip to main content
For people with criminal records
For people with criminal records

Our mission is to support & advocate for people with criminal records to be able to move on positively in their lives. Find out more

The ‘Right to be Forgotten’ and the role of the Information Commissioner’s Office (ICO)

Information on the role and effectiveness of the ICO

Topics
Tags

Overview

The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection. It makes sure that people’s personal information is handled fairly and safely, and that organisations follow the UK General Data Protection Regulation’s (GDPR) and the Data Protection Act 2018 (DPA 2018).

The ICO’s work covers anyone who processes personal data in the UK, from large companies and government bodies to individuals running websites or online groups.

What allows the ICO to take action?

Under the law, personal data can only be used if there is a lawful reason (known as a “lawful basis”).

Information about criminal convictions or alleged offences is particularly sensitive. It can only be used by authorised organisations, and only with strong safeguards in place.

Websites that share conviction details, “name and shame” individuals, or post allegations without a lawful purpose are likely breaking data protection rules. They may be violating these key principles:

  • Lawfulness, fairness and transparency: data must be used legally and fairly.
  • Purpose limitation: data collected for one reason can’t be reused for another.
  • Data minimisation: only the minimum information necessary should be used.

Sometimes, people running these sites claim they are doing “journalism.” However, posting names and photos to shame people is not journalism and does not serve the public interest.

What can the ICO do?

The ICO has a range of powers to investigate and take action against unlawful data use:

How effective is the ICO?

Many people have raised concerns about how effective the ICO really is. Whilst they are supposed to protect people’s data rights, critics say they often fall short. Common concerns include weak enforcement, slow complaint handling, limited accountability, and questions about its independence.

Weak and inconsistent enforcement

  • Few formal actions: Around 93% of complaints reportedly lead to no formal action. This leaves many people feeling that their data rights aren’t being properly protected.
  • Avoiding fines: Under its current leadership, the ICO has moved away from issuing fines, especially to public sector bodies. Instead they give ‘reprimands’ (letters expressing disapproval without legal consequences). This approach doesn’t deter bad behaviour.
  • Focus on headline cases: The ICO is often seen as prioritising large, high-profile investigations over individual complaints. As a result, smaller organisations may feel less pressure to comply with data protection laws.

Complaint handling and accountability

  • Long delays: People often wait a long time to have their complaints reviewed. Automated responses suggest it can take around 29 weeks (203 days) just for a case to be assigned. This is well beyond the expected three-month update period.
  • High bar for action: The ICO often only takes stronger action when there’s evidence of a widespread or systemic problem. This can leave individuals feeling that their personal cases don’t matter.
  • Few options to challenge: If the ICO decides not to take action, there are very limited ways for people to appeal or challenge that decision. The ICO has also stated that it isn’t required to investigate every complaint it receives.

Independence and potential conflicts of interest

  • Funding model: The ICO is funded mainly by fees from the organisations it regulates. This raises concerns about a conflict of interest, as it may be reluctant to take tough action against major fee-paying companies.
  • Political influence: Proposed changes in the Data Protection and Digital Information (DPDI) Bill could allow ministers to influence the ICO’s work. Critics fear this could weaken its independence and objectivity.

What can you do if you believe your data is being breached?

If personal or criminal record information about you has been shared online without your consent, you can:

  1. Contact the organisation, website host or platform and request the removal of the information. This is often referred to as the Right to Erasure or Right to be Forgotten (under Article 17 of GDPR). You can find further information on what to include in your request at ‘The Google Effect and the Right to be Forgotten.
  2. Complain to the ICO if your request to the organisation is refused, and ask them to investigate.
  3. Ask for compensation through the civil courts if the misuse has caused you distress or harm.

Summary

Everyone deserves a fair chance to move on from the past.

The ICO plays a crucial role in protecting that right, ensuring that personal information is handled lawfully, fairly, and with respect for privacy and dignity.

Comments

Add Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Learn more about this topic

Most popular articles from Unlock

Photo of Head of Advice, Debbie Sadler
Debbie Sadler
Head of Advice

Do you need help & support with an issue you’re facing?

We provide support and advice for people in England and Wales who need guidance with either their own, or someone else’s, criminal record.

Please use the search box to start typing your issue. If you cannot find an answer to your problem then you’ll be given options to contact us directly.

Find out more about the helpline

Popular advice

We want to make sure that our website is as helpful as possible.

Letting us know if you easily found what you were looking for or not enables us to continue to improve our service for you and others.

Was it easy to find what you were looking for?

Thank you for your feedback.

12.5 million people have criminal records in the UK. We need your help to help them.

Help support us now