Information Commissioner's Office
Enforcement & Investigations Division
Training Operations Unit
CASE REF: ODS-2025-BTEC
CLEARANCE: STUDENT
STATUS: ACTIVE
Operation Data Shield
// UK GDPR & DATA PROTECTION ACT 2018 β FIELD AGENT TRAINING //
Mission Briefing
You have been recruited as a trainee investigator for the Information Commissioner's Office.
Your mission is to master the legislation protecting personal data in the UK.
Each case file uses real enforcement cases and links to official ICO guidance,
primary legislation, video resources, and real news coverage. Use all sources β investigators don't work from one file.
Β£17.5mMax ICO fine (or 4% global turnover)
Β£12.7mTikTok fined 2023 β children's data
6.6mPeople affected β Capita 2023 breach
72 hrsICO breach notification deadline
MISSION PROGRESS
0 / 6
π Case File β Key Legislation Overview
UK GDPR (from Jan 2021)
The UK's post-Brexit version of EU GDPR, retained in domestic law. Sets out core principles, rights, and obligations for processing personal data in the UK.
Data Protection Act 2018
UK Parliament Act supplementing UK GDPR. Covers law enforcement processing, intelligence services, and UK-specific exemptions. Both laws must be read together.
ICO β The Regulator
Enforces data protection law in the UK. Can impose fines up to Β£17.5m or 4% of global turnover, issue enforcement notices, reprimands, and prosecute individuals.
Personal Data
Any information identifying a living person β directly (name, email) or indirectly (IP address, cookie). Special category data (health, ethnicity, biometrics) has extra protections.
The 7 Principles of UK GDPR (Article 5)
PRINCIPLE 1Lawfulness, fairness & transparency
PRINCIPLE 2Purpose limitation
PRINCIPLE 3Data minimisation
PRINCIPLE 4Accuracy
PRINCIPLE 5Storage limitation
PRINCIPLE 6Integrity & confidentiality (security)
PRINCIPLE 7Accountability
CASE FILE // 01What is the ICO?Research
π°
Real World β ICO v TikTok (May 2023)
The ICO fined TikTok Β£12.7 million for illegally processing data of approximately 1.4 million children under 13 without parental consent, and for failing to verify user ages. It breached Articles 5, 6, 9, 14β17, 21, 22, and 35 of UK GDPR.
β Read the ICO enforcement notice
A new recruit arrives at ICO headquarters and asks: "Who actually enforces data protection in the UK β and what powers do they have? Can they really hurt big companies?" Your job is to write a thorough briefing.
Visit the ICO website. In your own words, describe the ICO's role, purpose, and who it regulates in 3β4 sentences.
What three types of enforcement action can the ICO take? Explain: monetary penalty notices (fines), enforcement notices, and reprimands.
Find a real enforcement case in the ICO register (link below). Summarise: who was penalised, why, how much, and which UK GDPR articles were breached.
What is the maximum fine? How does the 4% global turnover rule actually work? Use TikTok or British Airways (fined Β£20m) as a real example to illustrate its scale.
Extension: The ICO uses reprimands β not fines β for public sector bodies (NHS, councils). Why? What does the ICO say about this approach and is it effective?
A written briefing (300β400 words) covering all four main points. Include the URL of the enforcement case you found, the name of the current Information Commissioner, and one statistic about ICO enforcement from the annual report.
CASE FILE // 02The 7 Principles β Field AnalysisAnalyse
π°
Real World β Advanced Computer Software Group (2024)
The ICO fined Advanced Computer Software Β£3.07 million after a 2022 ransomware attack exposed NHS patient data β including information used to direct carers to vulnerable people's homes. Root cause: no multi-factor authentication on remote access systems.
β Read the ICO enforcement notice
A local GP surgery keeps patient records in an unlocked corridor filing cabinet. They share appointment data with a private marketing company without patients knowing. They still hold records of patients who left the practice 30 years ago. The ICO has received three separate complaints from patients.
Using the ICO's guidance, write a one-sentence definition of each of the 7 principles in your own words.
For each of the three problems in the scenario, identify which principle(s) have been violated and explain precisely why the surgery is in breach.
Write three specific, actionable compliance recommendations β one for each problem β that would bring the surgery into line with UK GDPR.
What is the accountability principle? What is a Record of Processing Activities (ROPA) and why must data controllers maintain one?
Extension: Review the Advanced Computer Software case. Which specific principle did their security failure breach? What should they have done differently?
An analysis table mapping each breach to its principle(s), your three recommendations, plus one paragraph on the accountability principle and why the ROPA matters.
Real World β Meta (Facebook) β¬1.2 Billion Fine (EU, 2023)
Ireland's DPC issued the largest GDPR fine ever β β¬1.2bn β against Meta for unlawfully transferring EU user data to US servers. Meta had switched from "consent" to "contract necessity" as its lawful basis β a move regulators rejected as insufficient.
β BBC coverage
DataHarvest Ltd collects your name, email, location, browsing history, and purchase history without telling you. They use it to: send you marketing emails; share it with "advertising partners"; train their AI model; and file tax records. Their privacy policy buries this in 40 pages of legalese. They claim: "You agreed to our T&Cs, so we can do anything."
List and briefly explain all six lawful bases for processing personal data under UK GDPR Article 6.
For each of DataHarvest's four uses of your data, identify which lawful basis they might claim β and evaluate whether it genuinely applies. Justify your answer.
What makes valid consent under UK GDPR? It must be freely given, specific, informed, and unambiguous. Does accepting T&Cs or using a service meet this standard? Why/why not?
What is special category data? Give four examples. What extra conditions must be met to process it legally?
Extension: Research the Legitimate Interests Assessment (LIA) β the three-part test organisations must pass. When does legitimate interests definitely NOT apply?
A written analysis (200β300 words) of DataHarvest's four data uses, identifying the claimed lawful basis, whether it is valid, and what the actual problem with their consent approach is.
Real World β Clearview AI: A Case Still in the Courts (2022βpresent)
Clearview AI scraped 20+ billion facial images from the internet to build a facial recognition database sold to foreign law enforcement. The ICO fined them Β£7.5m in 2022 for breaching rights to information, access, and erasure. Clearview appealed; the First-tier Tribunal overturned the fine on jurisdiction grounds. But in October 2025, the Upper Tribunal overturned that decision, confirming the ICO does have jurisdiction β and sent the case back to the FTT for a full hearing on the merits. Discussion: Why does territorial scope of UK GDPR matter so much for companies like this?β ICO enforcement notice (2022)
Maya applied for a job at NovaCorp and was rejected with no explanation. She suspects their AI hiring tool made the decision with no human involvement. NovaCorp holds a file on her containing inaccurate employment history from a third-party referencing agency. Maya wants to see the data, correct it, and challenge the AI decision.
List and define all eight individual rights under UK GDPR: right to be informed, access, rectification, erasure, restriction, portability, object, and rights relating to automated decision-making.
Which three rights are most relevant to Maya? Explain precisely how each right applies and what steps she would take to exercise them.
What is a Subject Access Request (SAR)? What is the time limit for a response? What information must the organisation provide? Give two valid exemptions.
What does Article 22 say about automated decision-making? What specific protections does Maya have if NovaCorp's decision was made entirely by an algorithm?
Extension: Research data portability (Article 20). When can you request your data in machine-readable format? How might this benefit consumers switching between services?
A formal letter from Maya to NovaCorp's Data Protection Officer exercising her relevant rights. Use correct legal terminology and cite specific UK GDPR articles. The letter should be persuasive, clear, and professional.
CASE FILE // 05Data Breach β Incident ResponseAnalyse
π°
Real World β Capita Plc Β£14m Fine (ICO, 2025)
In March 2023, a hacker entered Capita's network via a malicious email attachment. Over 48 hours, they exfiltrated 974GB of data on 6.6 million people. Capita discovered the breach on 31 March but notified the ICO 9 days later β missing the 72-hour window. The ICO fined them Β£14 million.
β Read the ICO enforcement notice
At 2:17am, CareLink NHS Trust's database is accessed by an unauthorised party. 500,000 patient records β including NHS numbers, diagnoses, medications, and home addresses β are stolen. The breach is discovered at 9am by a junior IT technician. The CEO's response: "Let's keep this internal β it'll damage our reputation and I'm not wasting time on regulators."
What is a personal data breach under UK GDPR Article 4? Give one example each of a confidentiality breach, an integrity breach, and an availability breach.
Explain the 72-hour rule (Article 33). When must a breach be reported? What information must be included? When does a breach NOT need to be reported to the ICO?
When must affected individuals also be notified directly (Article 34)? What makes the CareLink breach high-risk enough to require this? What must the notification contain?
Identify at least four specific legal violations in the CareLink scenario β including the CEO's response. Cite the exact UK GDPR article for each.
Extension: The Capita breach happened partly because there was no MFA on remote access. Read the NCSC guidance. What specific technical controls would have reduced the risk?
An incident response memo written as CareLink's new Data Protection Officer β addressed to the CEO β outlining exactly what must happen in the next 72 hours and why the CEO's suggestion is illegal and would make things significantly worse.
Real World β TikTok and the Children's Code (2023)
TikTok's Β£12.7m fine was the ICO's first major action under the Age Appropriate Design Code (Children's Code). TikTok failed to prevent under-13s accessing the platform, collected their data without parental consent, used it to recommend content, and profiled child users β knowing they formed a large part of their user base.
β ICO press release
"QuizMe!" is a free revision app used by 40,000 UK secondary school students. It collects: names, ages, school names, quiz scores, device GPS location, and browser history. This data is shared with US advertising companies. There is no privacy notice on the app or website. Parents have never been informed. Students cannot delete their accounts or data. The developer's website states: "GDPR only applies to companies that sell data β we're free, so it doesn't apply to us."
Is the developer correct? What is the legal definition of a data controller under UK GDPR? Does making money from data processing matter for whether GDPR applies?
Identify at least five separate UK GDPR violations in the QuizMe scenario. For each one: name the specific article or principle breached and explain exactly what the problem is.
What additional protections apply because the users are children? Research the ICO's Children's Code (Age Appropriate Design Code). What are its core standards and why do they matter here?
Why does sharing data with US-based advertising companies raise a specific UK GDPR issue? What is an "international transfer restriction" and what mechanisms can make such a transfer lawful?
Write the ICO's formal enforcement decision: what orders would be issued, what fine range is appropriate, and what specific actions must QuizMe take to become compliant?
A structured ICO Investigation Report (400β600 words) with clear sections: Executive Summary β Violations Found (min. 5 with article references) β Children's Code Assessment β International Transfer Analysis β Enforcement Recommendation.
All six case files have been closed. You are now a certified ICO Field Investigator.
You have demonstrated knowledge of UK GDPR principles, lawful bases, individual rights, data breach procedures, the Children's Code, and ICO enforcement powers.