The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

You have the right to complain to an organisation if you think it has not handled your personal information responsibly and in line with good practice.

When can I complain to an organisation?

You can complain to an organisation about how it is handling your information; if it:

  • has not properly responded to your request for your personal information;
  • is not keeping your information secure;
  • holds inaccurate information about you;
  • has disclosed information about you;
  • is keeping information about you for longer than is necessary;
  • has collected information for one reason and is using it for something else; or
  • has not upheld any of your data protection rights.

How do I complain to an organisation?

1. Complain directly to the organisation involved

You should give the organisation you’re unhappy with a chance to sort things out before bringing your complaint to us. Many data protection complaints can be resolved quickly and easily with the organisation. See our top tips for making a complaint.

We recommend you complain to the organisation as soon as possible using this letter template.

       [Your full address]
   [Your phone number]
                  [The date]

[Name and address of the organisation]
[Reference number (if provided within the initial response)]

Dear [Sir or Madam / name of the person you have been in contact with]

Data Protection Complaint
[Your full name and address and any other details such as account number to help identify you]

I am concerned that you have not handled my personal information properly.

[Give details of your complaint, explaining clearly and simply what has happened and, where appropriate, the effect it has had on you.]

I understand that before reporting my complaint to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.

If, when I receive your response, I would still like to report my complaint to the ICO, I will give them a copy of it to consider.

You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.

Please send a full response within 30 days. If you cannot respond within that timescale, please tell me when you will be able to respond.

If there is anything you would like to discuss, please contact me on the following number [telephone number].

Yours faithfully
[Signature]

Raising a concern template letter - word version

2. Give the organisation 30 days to respond to your complaint or request.

It may take some time for your complaint to be considered. Don’t be afraid to chase politely if nothing seems to be happening.

3. Ask the organisation involved for clarification if you don’t understand or you’re unhappy with their  response.

Organisations have an obligation to clearly explain why they are using your information in the way they are doing or why they have refused a request.

If the organisation gives you a response that you do not understand, you should write to them to ask for clarification. You may want to use this template letter.

 

     [Your full address]
[Your phone number]
                [The date]

[Name and address of the organisation]
[Reference number (if provided within the initial response)]

Dear [Sir or Madam / name of the person you have been in contact with]

Information rights complaint.

[Your full name and address and any other details to help identify you, for example an account number.]

I am writing further to your recent letter/email about my information rights complaint because I would like further clarification.

Organisations have an obligation to clearly explain why they are using data in the way they do or why they have refused a request. This is set out under the accountability principle of the DPA 2018.

Accountability is one of the key principles in data protection law – it makes organisations responsible for complying with the legislation and says that they must be able to demonstrate their compliance.

I would like further clarification about

[Give details of what you don’t understand. You should refer specifically to the response you have already received where appropriate]

I understand that before reporting my complaint to the Information Commissioner I should give you the chance to provide a full explanation.

If, when I receive your response, I would still like to report my complaint, I will give them a copy of your response to consider.

You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.

Please send a full response within one calendar month. If you cannot respond within that timescale, please tell me when you will be able to respond.

If there is anything you would like to discuss, please contact me on the following number [telephone number].

Yours faithfully/sincerely
[Signature]

Clarification template letter - word version 

4. Complain to the ICO

If you have followed these steps or the organisation is refusing to respond to you, you can complain to the ICO.

Before you submit a complaint about an organisation you should read about what to expect from the ICO.

Top tips for raising your concern with an organisation

Raise your concern quickly. People move on, memories fade and records are deleted in line with retention policies. The longer it takes to raise your concern with an organisation, the harder it will be for them to look into it thoroughly.

Send it to the right place. Check the organisation’s website or give them a call to make sure you have the right address. In some cases, you may be able to find it on our Register of fee payers.

Be clear and brief. Explain clearly and simply what has happened and, where appropriate, the effect it has had on you.

Be specific. If you have had a long relationship with the organisation concerned, resist any temptation to include historical or unrelated complaints in your letter. This can confuse matters and leave the organisation unsure which of your complaints you want them to deal with.

Don’t move the goalposts. Include full details of your concern at the beginning. If the organisation responds properly, don’t raise additional unrelated matters as part of that complaint. However, if it appears that the organisation has misunderstood you, or has not given a full response, you should let them know.

Stay reasonable. You may be justifiably angry or upset about what has happened. Keeping your letter calm and polite will help you get your points across more clearly.

Include all necessary information and evidence. Include all relevant details such as account or patient numbers to help the organisation identify you and your concern correctlySend copies of all the key documents you have to evidence your complaint. Don’t send the originals as you might need them later. Also, don’t include additional documentation ‘just in case’.

Keep good records. Clearly date all letters, make notes of all related conversations and keep copies of everything.

Exhaust the process. If the ‘final’ response you receive does not resolve the matter to your satisfaction but also signposts you to any further complaints or review procedure, make sure you exhaust that process before complaining to the ICO.