Absolute waste of time especially if the organisation is government run. I had two situations in one a data breach by South Yorkshire Police which they had to admit prior to my case being concluded. However when I got my response from the ICO they confirmed the data breach but then said they were satisfied with the investigation. When I asked the ICO if the breach was reported to them the answer I got was “I don’t know” I asked how you can be satisfied if you don’t even know if they followed your own guidelines set out clearly on your own website. I asked for this to confirmed and instead I got an email stating they could not find evidence of the breach being reported and some breaches don’t need reporting however this one definitely did according to ICO guidelines. Very poor and disappointing experience. The second was against the London Fire Brigade I submitted a SAR and it was backed using the third party exemption which is fine. When I asked for the process to allow the willing and capable third party to give their consent I never was provided with the process to facilitate the consent and therefore did not get my SAR. As the DPA 2018 clearly states “There is an exemption in the DPA 2018 that says you do not have to comply with a SAR, if doing so means disclosing information which identifies another individual, except where:the other individual has consented to the disclosure;”I knew this was not correct so I took it to the ICO. What a waste of time they actually answered a whole different question and when I requested a review they answered a totally different question yet again I have since had to take this to the PHSO as a complaint. All I will say is do your own research seek legal advice as GDPR and DPA2018 have set firm rules that have to be followed and do carry legal ramifications. The ICO is literally a glorified opinion especially when dealing with government agencies they no longer give monetary fines to therefore they are toothless and a waste of time.
