When Enforcement Isn’t Enough: What Bristol’s Transparency Failures Teach Us About FOI, DSARs and Accountability

Enforcement notices from the ICO are supposed to be the stick that ensures compliance. Yet Bristol City Council’s recent history shows us something worrying when enforcement becomes repetitive, it starts to look less like a deterrent and more like a cycle.

In March 2024, the ICO issued an enforcement notice against Bristol for a backlog of 158 Freedom of Information (FOI) requests.[i] The council’s recovery plan stretched to 39 months, almost ten times longer than the legal 20 day deadline. The First-tier Tribunal upheld the ICO’s intervention, but the backlog remains a public embarrassment.[ii]

Just over a year later, the ICO issued a separate enforcement notice against the council over Data Subject Access Requests (DSARs). The issue was the same: unanswered requests, missed deadlines, lost trust.[iii]

The Limits of ICO Enforcement

This is not the first time the ICO has issued enforcement notices to public bodies over transparency failures, and it will not be the last. The regulator’s powers often stop at setting deadlines and demanding reports. Rarely do we see financial penalties, and the cultural problems of under-resourcing, deprioritisation, and avoidance of scrutiny, go unaddressed.

The result? Organisations can stumble from one enforcement notice to the next. Citizens are left waiting. Trust erodes further.

FOI and DSARs: Two Sides of the Same Coin

FOI is about public transparency; DSARs are about personal transparency. Both are legal rights that anchor accountability. When organisations fail to comply with either, it’s not just a missed deadline, it’s a missed opportunity to show integrity.

Bristol’s dual failures highlight a dangerous culture: treating transparency duties as administrative burdens rather than core governance responsibilities.

Why This Matters for Your Organisation

If you think this is just a local authority problem, think again.

• Courts are raising the stakes: In Ashley v HMRC[iv], the High Court criticised HMRC for confining its data search to one division while ignoring related data held by another. The judgment made clear that controllers must take a holistic view of their data estate, not artificially silo their searches.
• The ICO is under pressure: Facing increased criticism of its lack of enforcement abilities, expect more enforcement not less as the regulator seeks to prove its credibility.[v]
• Stakeholders notice: Delays and failures affect customers, employees, investors, and regulators alike. Ultimately it can lead to costly complaints, loss of trust and action against you, both legal and regulatory.

The message is clear: the cost of poor compliance is not just regulatory, it’s reputational and commercial.

Breaking the Cycle

Enforcement may expose failure, but it does not build resilience. That’s where organisations need to step up. The question is: do you want to be forced into compliance under the spotlight of an ICO notice (whether lacking in teeth or not) or build processes now that make enforcement unnecessary?

At Athlex, we help organisations:

• Design robust DSAR processes that withstand regulatory scrutiny.
• Train staff to spot and respond to requests promptly.
• Build governance frameworks that treat transparency as a strength, not a risk.
• Anticipate ICO expectations before they become enforcement notices.

The Bottom Line

Bristol’s story shows that enforcement alone won’t save an organisation from reputational damage. The only real solution is cultural and operational change done before the regulator knocks on the door.

The ICO may be raising its voice, but the real question is: will your organisation be next on the list, or will you break the cycle?

References

[i] Bristol City Council Enforcement Notice, ICO (14 March 2024) https://ico.org.uk/action-weve-taken/foi-regulatory-action/2025/02/bristol-city-council/

[ii] Bristol City Council v Information Commissioner [2025] UKFTT 948 (GRC) https://caselaw.nationalarchives.gov.uk/ukftt/grc/2025/948

[iii] Bristol City Council Enforcement Notice, ICO (27 August 2025) https://ico.org.uk/action-weve-taken/enforcement/2025/09/bristol-city-council/

[iv] [2025] EWHC 134 (KB)< https://www.judiciary.uk/wp-content/uploads/2025/01/Ashley-v-HMRC.pdf>

[v] See for example https://www.linkedin.com/pulse/icos-collapse-shows-its-longer-fit-purpose-john-barwell-vecje/