The proposed framework document, criteria and how we’ll assess harm
The framework document
Overall, respondents were evenly split over whether the framework document was clearly worded.
Clarity and transparency
Some respondents thought the framework sets out clearly how we will manage complaints and is more transparent than what we have at present. Others thought it was too technical and bureaucratic and needs to be in plain language. Several respondents thought it was vague or confusing and wanted more detail about:
- how we define a complaint;
- how we assess complaints;
- the key differences between the current and new processes;
- how we’ll handle specific types of complaints or data protection issues or those affecting particular members of society, such as children;
- what we’ll do if we receive a complaint which doesn’t explain the data protection issue clearly enough;
- whether we’ll look at customer service issues if the complaint is also about data protection issues;
- whether we’ll contact the organisation people have complained about;
- whether we’ll write to everyone who made a complaint;
- timescales;
- how we’ll use our discretion and oversight;
- when we won’t investigate complaints further (such as clear, quantitative thresholds or concrete examples);
- when organisations or complainants can challenge, or ask us to explain, decisions not to investigate further;
- what we’ll do if we decide to investigate a complaint further, including when we’ll refer it for formal investigation;
- what happens if we decide not to investigate a complaint further; and
- the right to a case review and any next steps.
Some respondents felt we needed to define some terms used in the framework, such as ‘further investigation’ and ‘recorded for information purposes only’. Others thought we should include examples of when we’ll investigate a complaint further.
A few respondents suggested making the framework clearer by:
- including infographics, a decision tree or flow chart;
- using case examples to show how we would use the framework; and
- explaining the framework more simply for complainants.
They suggested we include some of the details listed in the bullet points at the beginning of this section as well as:
- how we’ll record the complaint – for example, the different decisions we could make;
- whether we’ll be able to give feedback, as some information may be confidential, such as any action we take against an organisation;
- details of how people making complaints can find out how we’ve used information about them as part of the threshold approach; and
- how we expect to interact (or not) with other regulators who deal with complaints.
The criteria we’ll consider when assessing complaints
Almost half the respondents strongly agreed or agreed with the criteria, finding them useful, risk-led, proportionate, sensible, broadly aligned with expected priorities and likely to support more informed regulatory action. A few were unsure, and just under half strongly disagreed or disagreed with the criteria, including specific criteria. They found them too broad and subjective or too narrow and likely to exclude various types of complaint. Some suggested removing specific criteria, while others proposed further criteria we could add. Some respondents commented on the following aspects of the criteria.
Clarity and consistency
Some respondents thought the criteria were vague, ambiguous or not sufficiently detailed, saying we didn’t define terms such as ‘high level of harm’, ‘significantly affected’, ‘substantial number’ or ‘vulnerable situation’. One respondent suggested defining the criteria and giving worked examples. They said it wasn’t clear how we would determine the seriousness of a complaint, systemic risk or public interest.
One respondent thought they couldn’t be certain what the criteria were and what they meant if the list was non-exhaustive and we could review them. Another felt we should review and refine them over time. Another thought that having non-exhaustive criteria would undermine accountability.
A few respondents felt the criteria were subjective and there were no safeguards. Respondents also considered it was unclear how we’d assess, weight or apply them in practice, particularly without a formal scoring system. One respondent asked about the number of criteria needed to make it more or less likely that we would investigate a complaint further.
Use of discretion
Some respondents considered that the criteria were too discretionary and suggested having some which, if they applied to a complaint, would automatically mean we’d investigate it further, such as:
- a data protection issue affecting a specified number of people;
- complainants in some ‘vulnerable’ situations; and
- breaches involving special category data.
Additional criteria
Respondents suggested additional criteria such as:
- whether there are other options available to people to put the situation right, such as another means of redress;
- whether there’s a power imbalance with people having to provide their personal information;
- how the organisation has handled the complaint, whether other people have made similar complaints about them, whether we have taken action against them previously and whether they continue not to follow the law;
- whether the organisation is unaware of its obligations or is deliberately avoiding them;
- whether a complaint is vexatious or malicious or a repeat complaint (and the criteria for evaluating this);
- the risk involved;
- the economic cost of a breach;
- how the data protection issue affects public confidence, the environment or the community;
- whether the complaint would help people and organisations to understand our regulatory approach;
- how sensitive the personal information is and how the organisation is using it (eg does it involve high-risk processing that would require a data protection impact assessment, special category data, large-scale processing or automated decision-making?); and
- whether it would establish best practice for a wider sector or has educational value such as making the law clearer.
A respondent suggested rewording some criteria and merging the two lists in the proposed framework into a single set of criteria showing when we’d be more likely to investigate the complaint further.
How we plan to assess harm
Several respondents said that the levels of harm were vague and contradictory and didn’t include material damage, such as financial loss. There was disagreement about the examples and the level of harm attributed to them, with a few respondents considering what we described as a low or relatively low level of harm to be moderate harm. Some respondents felt that the documents were high level and didn’t feel robust. Suggestions included providing specific criteria for measuring harm with clear definitions and thresholds.
A few respondents asked how we’d obtain details of harm and evaluate it.
Examples
Some respondents thought more examples would make it clearer what the criteria and the different levels of harm mean. Suggestions included:
- worked examples for terms such as ‘substantial number of people’;
- examples of high and low severity;
- examples showing how we’d use the criteria in practice;
- examples of data protection issues that we’re more likely or less likely to investigate; and
- for harm, examples across different contexts based on case law or data protection law.
A further suggestion was to clearly explain how individual circumstances may affect how we assess harm.
ICO response
We acknowledge that the overall framework, including the criteria, wasn’t as detailed as some respondents would like. At the same time, however, it’s important that our criteria aren’t too narrow. We receive complaints about businesses and public services across all sectors of the economy regarding wide-ranging data protection issues affecting many different people. We consider that having quantitative criteria, a list of complaints we would or wouldn’t investigate further or fixed triggers for taking action wouldn’t be flexible enough to allow us to handle each complaint based on individual circumstances. This means examples, including those about harm, only give an indication, as we’ll assess complaints on a case-by-case basis.
We have, however, revised the framework to make some sections clearer and provide more information about how we handle complaints. We have:
- added more detail to the criteria;
- clarified what an investigation is;
- explained the review process;
- outlined how we’ll handle a complaint;
- explained what we’ll do with the information we collect from complaints; and
- reworded the framework so that it’s easier to understand.
In addition, we’ve updated the scale of harm, which our case officers will use to assess the level of any harm, to provide clearer explanations and more context within each example. This explains how different factors, such as the type of information, the duration and frequency of the incident and the individual circumstances of those affected, are likely to influence the level of harm assigned to a complaint.
The revised document highlights how harm can vary depending on someone’s situation or if they have particular needs. We have also clarified that the examples are illustrative only and that we’ll always assess each case on its individual circumstances.
We will review the framework again after we’ve been using our new approach for a while to see if we need to make any further changes or can add more detail.
A future external audit will also review and evaluate how we use the criteria.