Data protection framework

How we handle data protection complaints

This page explains how we handle data protection complaints, including how we assess them and decide the extent of our involvement.

If people are concerned about how an organisation has handled their personal information, they can come to us at the ICO for help.

The law requires us to:

  • investigate a data protection complaint to the extent appropriate; and
  • inform the person making the complaint (the complainant) of the outcome.

We assess each complaint individually and decide the extent of our involvement using the criteria set out below. Triaging complaints and handling them based on their individual circumstances allows us to:

  • focus on the most serious data protection issues;
  • provide timely outcomes; and
  • support organisations to comply with their data protection obligations.

This means we record some complaints for information purposes only, without further investigation. However, every complaint helps us to:

  • identify trends;
  • spot emerging risks; and
  • inform our wider regulatory work.

We’ve designed this framework, including the criteria for when we look into a complaint, to:

  • be transparent about how and why we make decisions;
  • give us structure and support when we consider the different types of complaints we receive; and
  • help us to be as consistent as possible, while giving us the flexibility to use our judgement.

We ask people to use our complaint form as it prompts them to provide us with the information we need.

If complainants use other methods to submit their complaint, it is important that they provide as much relevant information as possible, particularly about any harm experienced. If we don’t receive all the information we need, we may record the complaint for information purposes only.

When considering a complaint, we review the details provided to determine the appropriate extent of our involvement. This can range from a light-touch review to carrying out more detailed enquiries, depending on the circumstances and in accordance with our published criteria. This is different from deciding to open an investigation, where we send a case opening letter to an organisation to notify them.

How do we check if we can handle a complaint?

Before bringing a complaint to us, we recommend that people give the organisation a chance to put things right. People and organisations can resolve many data protection concerns quickly and easily by doing this.

When we receive a complaint, we check that it relates to how an organisation has handled personal information. In some cases, another regulator may be better placed to handle a complaint where the issues overlap with their responsibilities. Our role means we don’t handle complaints that:

  • aren’t about data protection issues;
  • should have gone to another organisation or regulator for them to deal with because the complaint is about an area they cover; or
  • are solely about an organisation’s customer service. If a complaint is about both an organisation’s customer service and a data protection issue, we handle the data protection aspect of the complaint.

How do we determine the extent to which we will investigate a complaint?

We examine each complaint carefully and use the criteria below to decide whether we can provide an outcome at this stage or need to look into it in more detail.

Due to the range of complaints we receive, this requires a degree of judgement, so we use the following criteria to help us remain as consistent as possible.

Criteria for triaging complaints

What we’ll consider to help us decide if we need to look into a complaint in more detail:

  • Has the data protection issue caused, or is it likely to cause, anyone a high level of harm?

    See harm in complaints for more information.

  • Has the data protection issue significantly affected anyone, including people who need extra support to protect themselves, or is it likely to?

    For example, where the issue involves children, or people who may find it harder to understand risks or take action themselves.

  • Has the data protection issue had a significant adverse impact on a substantial number of people, or is it likely to?

    For example, where a policy or practice has negatively affected many people.

  • Will looking into the data protection complaint in more detail help us to significantly improve data protection rights or the way the organisation uses personal information?

    For example, where there could be changes to the organisation’s policies or practices that would benefit many people if we intervene.

  • Do people have to provide their personal information to the organisation?

    For example, where people have to provide their information to get essential services they need and there isn’t a practical alternative.

  • Does the data protection issue relate to our strategic priorities?

    For example, where the complaint concerns an area we have decided to focus on in our regulatory work.

  • Is making enquiries in the public interest?

    For example, does it raise a new or high-profile data protection issue?

  • Do we already know about the data protection issue?

What we’ll consider to help us decide if we don’t need to look into a complaint in more detail:

  • Do we already know about the data protection issue?

    For example, where we’ve already been told about the issue and it is being addressed.

  • Is the organisation currently taking steps to respond to the complaint? Do those steps seem adequate?

    For example, where the organisation is actively looking into the complaint and appears to be taking appropriate action.

  • Do we think the organisation has complied with data protection law?

    For example, where we think the information provided in the complaint suggests the organisation has done what the law requires.

  • Has the organisation already addressed the data protection issue and taken appropriate action?

    For example, where the organisation has fixed the problem and put measures in place to prevent it happening again.

This list is not exhaustive. We will review the criteria periodically.

What happens if we decide to look into a complaint in more detail?

If, based on the criteria above and our judgement, we need to investigate further before providing an outcome, we allocate the complaint to a case officer. The case officer:

  • weighs up the facts of what’s happened, fairly and impartially;
  • asks the complainant and the organisation for further information, if they think they need it; and
  • provides an outcome.

There are a number of possible outcomes for a complaint:

  • We log the complaint but may only keep a record of it at this stage. Information like this can help us learn more about the way an organisation handles personal information and information rights requests.
  • We may tell the complainant that it appears the organisation has complied with data protection law.
  • We may tell the organisation to do more work to help resolve the complaint or explain their position more clearly to the complainant. This could mean getting the organisation to provide them with their information or correct any inaccuracies.
  • We may recommend that the organisation improves how it handles personal information. For example, we might ask them to review their policies or procedures, guidance or standards.
  • We may take regulatory action, although we are not able to do so for each individual complaint, and it would not be proportionate for us to do so. It is important that we focus our resources on cases where we can have the biggest impact. However, the information we gather from complaints does help us to identify broader issues with an organisation’s compliance and inform our regulatory interventions.

What happens if we don’t need to look into a complaint in more detail?

We may conclude, based on the above criteria and our judgement, that we don’t need to obtain further information or contact the organisation. We may instead decide to record the complaint for information purposes.

What happens if the complainant disagrees with our outcome?

If the complainant disagrees with the outcome of their complaint, they can ask us for a review.

To support their request, they can provide additional information, including further details about the harm they or others experienced or any circumstances that may be relevant to their case.

A reviewing officer looks at how we’ve handled the complaint and writes to the complainant explaining what they’ve found out within 30 calendar days.

Organisations can also complain to us if they disagree with the outcome of a complaint.

What will we do with the information we collect from complaints?

This summary outlines our proposed approach that is still under development.

Complaint handling process flowchart

We’ll record how many data protection complaints we receive about each organisation. If the number of complaints goes above a certain amount (the threshold) within a certain time period, we may analyse the available information we have about the organisation to determine whether to intervene. This includes, but isn’t limited to, information we hold within the ICO, and information in complaints we’ve received about them. This is so we can determine why the organisation has hit the threshold.

We haven’t finalised the threshold details and time period. We will continue to explore possibilities and publish the final details on this page before we implement this process.

It’s important to note the following:

  • The threshold isn’t itself a way of handling complaints, and we’ll continue to investigate each complaint to the appropriate extent. The purpose of this approach is to:
    • draw out useful trends, themes and insights from the bulk of complaints received; and
    • intervene at an early stage where organisations are demonstrating patterns of non-compliance before further harm occurs.
  • We won’t necessarily reopen individual cases if organisations have hit the threshold. We will instead contact organisations to discuss high-level trends or recurring issues within the complaints we’ve received.
  • Reaching the threshold will not automatically trigger regulatory action. We expect that we may receive a substantial number of complaints about some organisations that will mean they reach the threshold. This doesn’t necessarily mean, however, that they haven’t complied with data protection law. If we believe that there is little evidence of systemic non-compliance within that organisation, we won’t act further. We will only contact the organisation if we believe they would benefit from our intervention.

We will only consider taking further regulatory action if organisations don’t engage with us, or we feel the steps they’ve taken to address the issues are inadequate. However, if we consider the issue to be sufficiently serious, we may take further regulatory action even when organisations have engaged with us.

This work will feed directly into our wider regulatory work. The information we collect from complaints helps us to identify issues that may need more detailed investigation. When we detect patterns or serious concerns emerging in this way, we can escalate them for further consideration.

We will share information we gather from these complaints with relevant teams within the ICO to provide them with a clear, overall view of all the complaints we receive. This will support us to prioritise and make decisions effectively across our regulatory functions.