Data protection law requires us to investigate a complaint to the extent we feel is appropriate and to inform you of the outcome. Most organisations want to do the right thing and comply with the law.
There are a number of potential outcomes for a complaint:
- We may tell you the organisation has done nothing wrong and there hasn't been an infringement of the law.
- We may log your complaint and use it for intelligence but do nothing further with it. Information like this can help us build a picture of an organisation's information rights practices.
- We can tell the organisation to do more work to help resolve your complaint or explain their position more clearly to you. This could mean getting the organisation to provide you with your information or correct any inaccuracies.
- We can make recommendations to the organisation about how they can improve their information rights practices. This can include asking an organisation to review their policies or procedures, guidance or standards.
- We can take regulatory action, but this is only in the most serious cases. We do not normally take regulatory action for individual complaints as we want organisations to comply with the law without us using our formal powers. It is therefore unlikely we will take regulatory action as a result of your complaint. However, even if we don’t take action, we will keep a record of the complaint to help us to build up a picture of how well an organisation is following the law.
- We can consider complaints about the way your information has been handled and whether there has been an infringement of data protection law. We will share a decision about what we think should happen next. Sometimes this can help to resolve the detail of your complaint but this may not always be the case.
- We can make recommendations to organisations to put things right or to improve their practices, when we think it is necessary to do so.
- We will usually ask the organisation to do everything it can to explain how they have handled or processed your personal data as the law expects.
- Where we have significant concerns about an organisation's ability to comply with the law, we can take regulatory action.
- We can't award compensation like a court or a tribunal.
- We can't consider complaints that do not involve the processing of personal information. The information has to relate to living individuals.
- We can't deal with cases of fraud. Action Fraud have advice about this on their website.
- We can't stop individuals using CCTV on their own property. You can find more information about domestic CCTV in our guidance.
- We can't usually deal with cases where there’s been an undue delay of three months or more in bringing it to our attention. If there’s a reason for the delay you may want to contact us for advice about what to do.
- We can't deal with complaints that are ONLY about customer service, for example if you’ve been locked out of an online account or are unhappy with the service you’ve received.
- We can't make an organisation apologise to you if things have gone wrong.
No. The ICO can't award compensation, even when we give our opinion that an organisation has broken data protection law.
You have a right to claim compensation from an organisation if you have suffered damage as a result of it breaking data protection law. This includes both material damage, for example if you have lost money, or non-material damage, for example if you have suffered distress.
You do not have to make a court claim to obtain compensation – the organisation may simply agree to pay it to you. However, if they do not agree to pay, your next step would be to make a claim in court. The court would decide your case. If it agreed with you, it would decide whether or not the organisation would have to pay you compensation.
We strongly recommend you take independent legal advice on the strength of your case before taking any claim to court.