"and been given the nod by the ICO before it happened."
Very unlikely that ICO will have had ANY say on this: the ICO actively discourages requests for it to rubber-stamp (in particular) iffy projects, in case - if/when said project crashes and burns - the ICO's "approval" is cited in defence.
The ICO is FAR more likely to say "you're the data controller - it's for you to assess the risks against the benefits..."