The UK Information Commissioner has welcomed the Court of Appeal’s ruling on a long-running court battle over a subject access request complaint.
In a judgment published today, the court upheld an earlier High Court decision by Mr Justice Mostyn to dismiss a claim by Mr Ben Delo that the ICO had unlawfully failed to determine his complaint about a subject access request he had made to Wise Payments Limited.
The case raised important questions about how far the ICO has to go in investigating and reaching a decision on the merits of every complaint.
The ICO welcomes the Court of Appeal’s confirmation that the ICO has broad discretion in deciding the extent to which it investigates each complaint and is entitled to reach and express a view on the complaint, without necessarily determining whether there has been an infringement.
The ICO also welcomes the court’s decision that the ICO acted lawfully in deciding the outcome of Mr Delo’s complaint.
“We take pride in providing a great service to customers and getting the best outcomes we can for people complaining about breaches of their information rights. This is at the heart of what the ICO does.
“We received more than 33,500 data protection complaints in 2022/23 and issued nearly 40,000 outcome decisions in the same period – figures that clearly demonstrate how many people we help each year. We’re pleased that the Court of Appeal agrees that it’s important we’re able to prioritise appropriately, taking into account the merits of each complaint and likely outcome of further investigation.
“We’re always thinking about how we can improve our service. For example, in response to the fact that more than a third of complaints are about subject access requests, we’ve recently launched a new service to help people exercise their rights more easily.”
John Edwards, the Information Commissioner
Information about what to expect when making a complaint to the ICO is available on our website, where we explain the possible outcomes.
Notes to editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- The ICO can take action to address and change the behaviour of organisations and individuals that collect, use, and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO telephone call our helpline on 0303 123 1113, or go to ico.org.uk/concerns.