You have the right to be confident that organisations handle your personal information responsibly and in line with good practice.
If you have a concern about the way an organisation is handling your information; if it:
- is not keeping your information secure;
- holds inaccurate information about you;
- has disclosed information about you;
- is keeping information about you for longer than is necessary; or
- has collected information for one reason and is using it for something else;
we believe that the organisation responsible should deal with it. We expect them to take your concern seriously and work with you to try to resolve it.
How should I raise my concern about how an organisation has handled my information?
You can use the template letter below to help you raise your concerns.
[Your full address]
[Name and address of the organisation]
[Reference number (if provided within the initial response)]
Dear [Sir or Madam / name of the person you have been in contact with]
Information rights concern
[Your full name and address and any other details such as account number to help identify you]
I am concerned that you have not handled my personal information properly.
[Give details of your concern, explaining clearly and simply what has happened and, where appropriate, the effect it has had on you.]
I understand that before reporting my concern to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.
If, when I receive your response, I would still like to report my concern to the ICO, I will give them a copy of it to consider.
You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.
Please send a full response within 28 calendar days. If you cannot respond within that timescale, please tell me when you will be able to respond.
If there is anything you would like to discuss, please contact me on the following number [telephone number].
What else should I do?
Here are some tips to follow when you raise your concern.
- Raise your concern quickly. People move on, memories fade and records are deleted in line with retention policies. The longer it takes to raise your concern with an organisation, the harder it will be for them to look into it thoroughly.
- Send it to the right place. There’s no point in raising a matter quickly if it then takes weeks to get to the right department. Check the organisation’s website or give them a call to make sure you have the right address. In some cases, you may be able to find it on our Register of data controllers.
- Write legibly. Typed or word processed documents are easiest to read. If you write your complaint by hand, make sure your writing is easy for others to understand.
- Keep your language simple. Although you will have checked our website to see what the relevant legislation says, don’t feel you have to quote it to raise a complaint. Just explain clearly and simply what has happened and, where appropriate, the effect it has had on you.
- Be specific. If you have had a long relationship with the organisation concerned, resist any temptation to include historical or unrelated complaints in your letter. This can confuse matters and leave the organisation unsure which of your concerns you really want them to deal with.
- Don’t move the goalposts. Include full details of your concern at the beginning. If the organisation responds properly, don’t raise additional unrelated matters as part of that complaint. However, if it appears that the organisation has misunderstood you, or has not given a full response, you should let them know.
- Stay reasonable. You may be justifiably angry or upset about what has happened. Keeping your letter calm and polite will help you get your points across more clearly. Remember that the person you are dealing with might have had nothing to do with the problem you had. Also, remember that they are only human. A rude letter might make it difficult for them to want to help.
- Don’t get personal. Don’t insult members of the organisation’s staff. Apart from being unreasonable behaviour, the response may lack focus if the writer feels obliged to defend his or her colleagues or staff.
- Request and respect timescales. Ask when you can expect the organisation to respond and resist any temptation to contact them again before that. However, if you do not receive a response on time, you should chase it, although we recommend giving an extra couple of days to allow for administrative or postal delays.
- Include all necessary information. Include all relevant details such as account or patient numbers to help the organisation identify you and your concern correctly.
- Include all necessary evidence. Send copies of all the key documents you have to evidence your complaint. Don’t send the originals as you might need them later. Also, don’t include additional documentation ‘just in case’. The more documents you send, the more likely it is that key information will be missed.
- Keep good records. Clearly date all letters, make notes of all related conversations and keep copies of everything.
- Exhaust the process. If the ‘final’ response you receive does not resolve the matter to your satisfaction but also signposts you to any further complaints or review procedure, make sure you exhaust that process before bringing the matter to our attention.
What’s the ICO’s role?
We give guidance and support to organisations to help them get things right. We can also help you take steps to address your concern. We can’t act as your representative, award compensation or – apart from from in the most serious cases – punish an organisation for breaking the law. But we can help you understand how to best work with the organisation to resolve your concern.
Should I raise my concern with the ICO?
If the organisation has been unable, or unwilling, to resolve your information rights concern, you can raise the matter with us. We will use the information you have provided, including the organisation’s response to your concerns, to decide if your concern provides an opportunity to improve information rights practice.
If we think it does provide that opportunity, we will take appropriate action. This could take a variety of forms.
You should raise the matter with us within three months of your last meaningful contact with the organisation concerned.
You can follow the advice on this page, or you can raise your concern with us.