Provide an outcome
This guidance explains what you need to do to meet the new requirements for you to have a data protection complaints process, as set out in the Data (Use and Access) Act. Although these requirements are not in force until 19 June 2026, we think it is useful for this to be published now so that you are ready for these changes. Even before these requirements are in force, we think that what’s set out in this guidance represents good practice.
Respondents were asked to what extent they agreed that this section clearly explains how to provide complainants with an outcome without undue delay. They answered:
- Strongly agree: 20 (26%)
- Agree: 38 (49%)
- Disagree: 12 (16%)
- Strongly disagree: 1 (1%)
- Unsure / don’t know: 6 (8%)
Respondents were asked if they thought there was anything else we should include here. They answered:
- Yes: 26 (34%)
- No: 51 (66%)
Respondents highlighted the following areas:
Providing the outcome
Many respondents asked us what an outcome should include.
A small number also wanted to know whether outcomes should be categorised (eg ‘upheld’ or ‘not upheld’). Others asked for more clarity on what format outcomes should be in, and whether there should be a review process. A small number of respondents asked questions about how long organisations should keep records of the complaint.
A small number of respondents asked where the final escalation route ends when a complaint covers multiple regimes.
ICO response
We’ve clarified that organisations can decide the best way to communicate with complainants in general, but it will usually make most sense to use the complainant’s preferred method.
We haven’t included reference to whether organisations should categorise complaints. It’s unlikely to apply to the majority of organisations, but there are no barriers to doing this.
The guidance already recommends responding to each issue in turn and explaining any changes the organisation has made as a result. We’ve added a suggestion that organisations may want to explain why they think they’ve complied with data protection law, if necessary.
We’ve also added information about a review step that organisations can use to reassess their own decision. Although this isn’t a requirement, we’ve clarified that organisations can include it if they want to.
The guidance already signposts to existing guidance on record keeping and retention, but we’ve made this clearer.
We've explained that although there is no requirement to include information about the right to complain to us within the outcome, this would be a good idea.
Some complaints will relate to data protection and other regulatory or legislative frameworks. The ICO can only consider the data protection elements and this hasn’t changed, so organisations may need to signpost people to us for those issues and to another regulator for the rest.
The requirement to tell people they can complain
In the draft guidance, we said organisations “should” let people know they can complain to the ICO if they’re unhappy with the organisation’s response. A small number of respondents told us that organisations “must” let people know about the right to complain.
ICO response
There are various points in data protection legislation where organisations must inform people of their right to complain to the ICO, for example Articles 12 – 15 of the UK GDPR, and Sections 44 – 48 in Part 3 of the DPA. We’ve clarified that there’s no requirement to do this when providing the outcome of a complaint, but it’s good practice.
We’ve also added a new paragraph explaining the points at which organisations “must” tell people they have the right to complain to both the ICO, and to the organisation.