Nope.

Still waiting on a response.

I tried calling them on Monday but was on hold for nearly an hour waiting to speak to someone so gave up. I did email them initially when this all kicked off on Saturday. If their time frame is anything like the initial complaint I made then I'll update this thread around Christmas when they finally respond...

Wondered if that might be the case. If it was me I'd be chasing them daily as quite frankly it's not acceptable - not that doing so will change the situation but it will certainly raise the seriousness of the issue with them (and potentially in the future any compensation you receive from them - should it go down that route).

Perhaps interestingly - I did get a call from the officer that looks after me and apparently that post with my picture and name stating "make him famous" doesn't count as a (targeted) threat, harassment, or abuse. Seemingly they'd have to explicitly say "I want you all to kick him in the face when you see him" or if they stated they'd do it themselves.

It has to show a statement of intent like "I will hunt down lotsofquer and set fire to his house" which would be the offence, however, if I were to say "Imagine if someone found lotsofquer and burned down his house. Here is what he looks like and his street" that isn't an offence.

Perhaps interestingly. I did have a call with the officer than oversees me and I did bring up that post on the our local Guy Fawkes Enthusiast Group and apparently it isn't deemed a concern legally and isn't deemed as (targeted) harassment, bully, incitement, or abuse due to them not specifically stating what should be done.

They posted my name, my picture, my street and stated to "make me famous". This is fine and acceptable. They need to be more definite in what they are stating.

For example:

"I'm going to track down lotsofquer and kick his head in" - This is an offence and I could be spoken to about it.

"Someone should track down lotsofquer and kick his head in. Here's what he looks like, here's a rough approximation of a small street he lives on" - This is not an offence.

I mentioned the UK Database website as essentially the crux of this. He agrees and if you look around the vast majority of police throughout the UK agree this website and "vigilante" groups are a nuisance and cause more harm than good. Then why don't they shut them down? You can point to numerous laws they all break. Most of them are well known by their local police force. They have the power to knock on their door and go "Shut this down now or else you're getting arrested".

My tinfoil hat theory why they don't though is due to the public outcry that would happen: "oH ThEy ArE pAeDo SyMpAtHiSErS!!111OnE!", "HoW WiLl My chIlDrEn bE SaFe noW?!".

I feel that would be more than hassle than it is worth for the police to deal with so when something does happen as a result of one of these groups then they just deal with that on a case-by-case basis. But to me that is a poor attitude as the damage is already done by that point.

You smother a pan fire in your kitchen as soon as you notice it to stop it spreading. You don't chuck a bottle of water on a burning building.

Bit rambly now but I've always felt strongly about this sort of lynch mob justice stuff and could talk for days about it.

Hmm interesting. Did they say anything else - like sorry we gave your details to a group we know do this sort of thing even though you asked us not to and our privacy policy explicatly states we won't do this without asking you first?!

He may be right on the legal bit (from the brief bit I read on the CPS website - although I'm no lawyer).  There could be another avenue however and that is facebooks community standards which I've pulled some bits out of below - that you might be able to use to get the facebook posts removed.

https://en-gb.facebook.com/communitystandards/bullying
Bullying and harassment happen in many places and come in many different forms, from making threats to releasing personally identifiable information, to sending threatening messages and making unwanted malicious contact. We do not tolerate this kind of behaviour because it prevents people from feeling safe and respected on Facebook.

Context and intent matter, and we allow people to share and reshare posts if it is clear that something was shared in order to condemn or draw attention to bullying and harassment. In certain instances, we require self-reporting because it helps us understand that the person targeted feels bullied or harassed.

Do not:
Target anyone maliciously by:

• Threaten to release an individual's private phone number, residential address or email address

Sending messages that contain the following attacks when aimed at an individual or group of individuals in the thread

• Calls for death, serious disease or disability, or physical harm

https://en-gb.facebook.com/communitystandards/violence_criminal_behavior
1. Violence and incitement
We aim to prevent potential offline harm that may be related to content on Facebook. While we understand that people commonly express disdain or disagreement by threatening or calling for violence in non-serious ways, we remove language that incites or facilitates serious violence. We remove content, disable accounts and work with law enforcement when we believe that there is a genuine risk of physical harm or direct threats to public safety. We also try to consider the language and context in order to distinguish casual statements from content that constitutes a credible threat to public or personal safety. In determining whether a threat is credible, we may also consider additional information such as a person's public visibility and the risks to their physical safety.


Given that it's your personal data they've posted (both photo and address are considered PII - personally identifiable information - especially when posted together in this situation) you could also go down the GDPR route of right of erasure.
https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1528874672298&uri=CELEX:02016R0679-20160504

Article 17

Right to erasure (‘right to be forgotten’)

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;  (e.g. you haven't given them your permission to process your personal data)

Article 21
Right to object

1.  The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Article 6 
Lawfulness of processing 
1.  Processing shall be lawful only if and to the extent that at least one of the following applies:   
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; 
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

It looks like the above would come down to legitimate interest however for which the ICO says to apply a test (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/). I personally can't see that facebook could justify legitmate interests but they may be able to with the large legal team I imagine they have.
The bits to point out in the above link if they claim this would be the third test and in particular the below.
Third, do a balancing test. Consider the impact of your processing and whether this overrides the interest you have identified. You might find it helpful to think about the following:

Is any of the data particularly sensitive or private?

Would people expect you to use their data in this way?

What is the possible impact on the individual?

How big an impact might it have on them?

The ICO page also mentions Recital 47 of GDPR which can be found at https://www.privacy-regulation.eu/en/r47.htm
(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.
The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.

Don't know why my post ended up in a bit of a mess there.

But no. So far it has been radio silence from ICO, not heard a single peep from them.

I tried the Facebook route ages ago and they're not even remotely interested a picture, street and where I worked (at the time) wasn't/isn't enough personal information apparently. It was just Madeup Street, City. If it was "123 Madeup Street, City" then it might constitute something. Worth noting that when someone puts in a complaint to Facebook about a post it does notify the account holder which post is the offending one so all that'd do is just poke the fire a bit more and bring me right up on their RADAR. Certainly not something I want.

I'm sure if I lodged some kind of proper legal attack with cease & desist letters etc. then something might happen but I don't have the financial means or mental energy to do it.

So thought I'd update this as I've now received a response in regards to my complaint to ICO. They've closed my case against the UK Database as well as marked my complaint as closed/resolved too. They have mentioned they will still be passing on the website for investigation. I won't hear anything back about this as my case is closed but hey-ho.

Here is the email response if you're interested.

Dear Mr. [REDACTED]

I am writing further to your service complaint about our handling of your concern held under reference [REDACTED]. This relates to the data protection concern that you reported to the Information Commissioner’s Office (ICO) about the UK Database, the Data Controller in this case.

I have attached a leaflet which explains how we handle requests for a case review.

Your concerns

The concern you raise is that you asked us not to disclose your information to the Data Controller, the UK Database , and that despite your request we did so.

I have reviewed the case and can see that unfortunately, we did disclose your name and email address to the Data Controller.

Please accept my sincerest apologies for this oversight on our part which is as a result of human error. Unfortunately, I cannot turn back the clock and amend the error in your case but I will use this error to learn lessons and remind colleagues of the need to ensure that cases do not contain specific requests not to disclose details.

With regard to the concerns you raised about the Data Controller in question, we will now pass these to the relevant department for consideration. This outcome means that your case under the above reference is now closed.

As a responsible regulator, we use the concerns brought to our attention by individuals to inform our decisions as to whether it is appropriate to investigate an organisation’s information rights practices and consider further regulatory action. If we decide to take any action in a case, we do so in line with our Regulatory Action Policy and I have provided a link below.

https://ico.org.uk/media/about-the-ico/documents/2259467/regulatory-action-policy.pdf

Any action we do take in line with the policy is published on our website.

Once again, may I apologise for the oversight in this case and for any distress caused.

Taking your complaint further

A case review is the final stage of the ICO’s case handling process. Please take this as our final response on this matter.

Should you remain dissatisfied with our review outcome, the attached leaflet outlines the options available to you.

Yours sincerely

[REDACTED NAME]
Team Manager
Information Commissioner’s Office

So you can all glean from that what you will.

Unsure if I should just drop it or push a bit more. Not entirely sure what my end goal would be though.

Interesting to see if anything happens to the website. I suspect if any notification or push from ICO to UKD will end up flagging me up again considering how close in time the two situations are.

Hmm - seems a bit of a cop out/pussy footed response especially since you actively called them when they told you that they would be sending your details (after already stating you didn't want that) and tried to get them to stop and were fobbed off by being told you have to speak to the person directly. That's not human error - that's actively going against something you requested not to happen as is your right on more than one occasion.

Like you say though I'm not sure what the end goal would be.

I don't hold much hope of any action given that the website has been reported several times and remains active. Maybe something will happen - I doubt it will be soon if it does given they like to take their time about any action. The latest ICO action published in June this year relates to June 2017-June 2018. So you can probably not worry about it being linked to you if anything does happen.

I wonder if you should use the response letter to formally escalate the data breach they made as a tool to get the underlying issue redressed. 

The ICO reports to someone. 

Policy to beat the policy with. Government at its finest 

They report directly to Parliament, usually via the The Digital,Culture, Media and Sport Committee. This means that a complaint about the ICO itself (as opposed to a complaint about a decision by them) will in the first hand be made via your MP, although you could try the chair of the DCMS if you think it is that serious. Ultimately you can request a judicial review of their actions. One person who wanted to go down this path was told they required £75,000 up front and, assuming that that sort of money is not to hand, I suspect a crowdfunded attempt to secure that amount would have some attendant "publicity" issues.

There is also this to bear in mind: https://panopticonblog.com/2015/07/21/right-to-be-forgotten-claim-rejected-by-the-administrative-court/

I have no connection or dealings with that law firm, but they seem to specialise in information law, so you could try contacting them.