ICO says it only has jurisdiction to determine whether or not the data controller has complied with its obligation to respond within twenty one days. It takes the view that a decision on the merits can only be made by the court. I'm not sure that's correct as a matter of law (section 42 of the Data Protection Act 1998 requires ICO to make an assessment as to whether it is likely or unlikely that processing has been or is being carried out in compliance with the provisions of the DPA. I can't see anything which ousts ICO from determining whether processing is likely to cause substantial damage or substantial distress (and from taking action to require a data controller to cease, or not begin, such processing)).
Nonetheless, that is the apparent position of the ICO. See this site
, where the ICO internal "lines to take" have been uploaded (after they were disclosed in response to an FOI request).
The "line to take" on section 10 is here