Additional issues raised
Stakeholder inclusion
The consultation asked whether there were any other groups of stakeholders that they thought the proposed complaint handling approach would affect. Some respondents identified groups of people they considered ’vulnerable’ – for example, people who may be at particular risk, need extra support to protect themselves, or both.
ICO response
We have reviewed the EqIA and are confident that we’ve already considered people who may be experiencing vulnerability in the sense outlined above. The EqIA already covers ‘legal guardians, representatives, parents or next of kin’. We have considered whether it would be helpful to add the other stakeholders identified and have updated the EqIA where appropriate.
General considerations about the proposed approach
We invited respondents to provide any further general comments or suggestions about the proposed approach. We also asked if respondents found any terms or sections in the proposed approach unclear or overly technical.
Many responses repeated points covered in answers to previous questions. We have included those responses in previous sections of this report where appropriate. This section includes any general comments or suggestions not covered in detail elsewhere.
Suggestions to improve the proposed approach
Some respondents asked for accessible documents in plain language and in multiple formats. For example, they requested an infographic mapping for each stage as a navigable tool or a flowchart.
One respondent thought each complaint should be fully auditable and traceable so we’re accountable.
Several respondents said that we should pilot the approach with vulnerable complainants and advocates before implementing it.
A few said that there should be focus groups with complainants prior to changing the approach to complaints.
Respondents also said that a review should evaluate whether the backlog has reduced and if the proposed approach has led to improved satisfaction and upheld people’s rights and our legal obligations.
They said that there should be periodic reviews to determine if the new process effectively managed complaints and whether the criteria were fit for purpose.
Feedback and clearer guidance
Several organisations thought that clearer feedback loops were required. A few organisations wanted us to provide them with clear outcomes and decisions and recommend any improvements that they needed to make. They also said there should be a process to enable them to request a review of a complaint if they disagreed with the outcome.
Some organisations wanted more information about whether we’d refer complaints to them and, if so, how.
A few organisations recommended that we provide sector-specific guidance, particularly for complex organisations and public service bodies. They said there should be ongoing engagement between us and large public services entities to ensure there is proportionality and shared learning.
Several organisations asked for greater assurance that everything would be considered and that the complaint outcome would be quality assessed. They thought that we should record whether an organisation is considered to have complied or not. They felt that there should be a process to enable organisations to validate the outcome of any complaint prior to us including it in an internal report or external publication.
Some organisations thought that our scale of harm should be set out on the website alongside examples.
Publishing information
A few organisations requested that we publish anonymised data and statistics for complaints and their outcomes. They also said it should include data about any anonymised organisation that meets the threshold and we should provide a list of themes for organisations to review. Some organisations asked for examples of best practice as they said this would further support the guidance.
Several organisations said they would like regular reports on complaints arranged by category, such as right of access or right of retention, and with the outcomes. They thought we should review what other regulators publish, such as fine charts for specific breaches. They also believed we should publish more rigorous enforcement actions.
Some organisations thought it was important for us to be more transparent about our role. They said we should publish whether we’d look at other issues, such as customer service matters, alongside the data protection issue. One organisation said that there was a need for further guidance about how organisations should approach vexatious complainants.
Several respondents believed we should actively educate the public on using our complaints process appropriately and that our guidance should discourage people from escalating complaints to the regulator before first engaging with the organisation.
Joint framework and accreditation
It was thought that we should explore a joint framework with the National Cyber Security Centre (NCSC) to ensure that certified organisations remain demonstrably compliant with data protection law. One respondent indicated that we should introduce a professional accreditation scheme for GDPR consultants and Data Protection Officers. They considered this would ensure consistent competence and enable controlled outsourcing of lower-risk complaint handling.
ICO response
We welcome the feedback from respondents that the proposed approach was more structured and would allow for effective triage. It was helpful to be told that the proposed approach linked to our existing regulatory methodology.
We acknowledge the feedback about reviewing how effective the proposed approach is. We commit to undertaking a review and evaluation as part of an external audit.
We recognise that several respondents supported the early resolution of complaints by organisations. Our website messaging encourages people to complain to the organisation before making a complaint to us. When the changes requiring organisations to have a complaints process come in this year, we’ll review the wording on our website to further encourage people to contact the organisation first.
We welcome the comments about making documents accessible and have checked them for this again before publishing them. We have also ensured that our website is accessible in line with our accessibility statement.
We agree with respondents that publishing the scale of harm on our website would be helpful, so we will make it available online.
We support all organisations to comply with data protection law, and we provide sector-specific guidance where appropriate. We will continue to review existing guidance and issue new guidance, including any sector-specific guidance where appropriate.
We already publish complaints and concerns data sets and trends reports. The published data sets include the outcome of the complaint, sector and sub-sector information and the legislation reason (the part of the law the data protection issue is about, such as providing copies of personal data) for the complaint.
We recognise that respondents want more information about the themes of complaints. We will publish guidance on our website if it becomes apparent that a particular data protection theme requires more information.
Our website already provides information about what we do and the action we’ve taken. This provides transparency about our role. As the UK’s independent data protection regulator, we can only consider data protection issues. We wouldn’t comment on other issues, such as customer services matters.
The complaints process on our website provides the information people need to ensure that they make a complaint at the appropriate point. We have updated this information to reflect our new approach.
We are part of the Digital Regulation Cooperation Forum and work with the Competition and Markets Authority, Ofcom and the FCA to support our regulatory action. We also work with other regulators and agencies to deliver our remit. This includes the NCSC. We believe that our strong working relationships with these organisations enable us to ensure that there is a coordinated and clear regulatory approach.