General feedback
-
This guidance explains what you need to do to meet the new requirements for you to have a data protection complaints process, as set out in the Data (Use and Access) Act. Although these requirements are not in force until 19 June 2026, we think it is useful for this to be published now so that you are ready for these changes. Even before these requirements are in force, we think that what’s set out in this guidance represents good practice.
General feedback
Independent review
A small number of respondents said the new requirements limit when people can bring a complaint to the ICO for a more independent review. They also said that asking organisations to review their own decisions won’t always help move things forward for complainants (eg where complainants may have limited trust in the organisation).
ICO response
The requirement to have a complaints process, along with the existing requirements to be transparent and accountable, gives organisations a chance to put things right and reduces complaints being brought to us too early. It encourages organisations to review the lessons learned, and opens dialogue between organisations and people who want to complain. This doesn’t replace people’s right to complain to us. We’ve expanded the guidance to say that people can do this at any point.
We’ve also explained the various points at which organisations must tell people about their right to complain, including to us, such as when responding to a subject access request (SAR).
Sector-specific advice
Some respondents shared suggestions, or asked for advice, which applied specifically to their sectors.
ICO response
Complaint obligations apply to organisations across the whole economy, so we haven’t included references to particular sectors or unique cases. However, when respondents shared sector-specific suggestions or asked for advice which could apply more generally, we’ve included reference to these. We’ll keep the guidance and feedback under review, and provide further clarity if needed.
Accessibility requirements
Respondents asked us for more advice on how the complaints process should interact with equality legislation.
ICO response
We can’t advise on legislation we don’t regulate. When organisations need more information on how to meet equality requirements, we signpost them to the relevant regulatory body.
Recording and reporting for compliance
Some respondents asked for more advice on recording complaint numbers and outcomes, and reporting these to the ICO. A small number of respondents also asked about tracking compliance with SARs and related complaints within care records.
ICO response
In the future, the Secretary of State may introduce legislation that requires organisations to tell us how many complaints they receive within a given period. There’s no requirement to do this yet. We’ve said that organisations may wish to record the number of complaints they receive, as well as recurring trends and themes to help them improve.
We’ve recently published guidance about our care records standards which also suggests that relevant organisations should monitor compliance rates.
We also have advice on monitoring and improving performance in relation to requests for access, in our data protection audit framework.
Templates and training
Respondents asked if we can produce templates, including acknowledgements and outcomes. Respondents also asked if we can produce training for staff.
ICO response
We’re keen to help organisations as much as we can, so we’ll look at providing some templates in due course. We’re also launching our data protection essentials training in Spring 2026.
Better compliance with SARs can reduce complaints
A small number of respondents said that improving the handling of SARs would reduce the volume of complaints. This was raised in relation to organisations that hold or create care records and respond to requests for access to those records.
ICO response
We’ve recently published guidance about our care records standards and have also published updated detailed SAR guidance for organisations. By implementing these standards and following the obligations for complying with SARs, this may lead to better outcomes and fewer complaints.