Data Controller First Port of Call for Data Protection Complaints

New guidance issued by the Information Commissioner indicates that anyone wishing to complain that their data is being processed in breach of the Data Protection Act 1998 should approach the data controller in the first instance. 

The Information Commissioner’s Office (ICO) will not normally look into a complaint unless it has first been raised with the data controller who will be expected to respond, explaining how they have processed the individual’s personal information and how they will put right anything that has gone wrong.

As part of its investigation of a complaint, the ICO will ask a complainant for copies of the correspondence with the data controller which should include a clear explanation of the actions taken to address or respond to the concern. The ICO can reach a decision based solely on this information and so data controllers will need to take complaints seriously. The ICO will use the explanation given to make a decision about whether there has been a breach of data protection laws. 

When deciding whether to take action the ICO will take into account the severity of the potential breach, how the data controller dealt with the concern raised and any other relevant information it holds about the matter, the organisation or the sector, as well as its own regulatory priorities. 

The ICO’s focus when considering enforcement action will be on whether the concern provides an opportunity for the data controller to improve their information rights practices. If the breach is minor and provides no such opportunity, the data controller will be told of the breach and details kept on file. If a possible opportunity for improvement is identified, the ICO will contact the data controller who will be expected to reconsider their practices and discuss how things can be improved in future. 

If an opportunity to improve information rights practices is identified, the ICO will take appropriate action which could include advice about the way the data controller responds to concerns, asking them to put right what went wrong, asking them to produce an action plan to make improvements to information rights policies or taking more formal action in accordance with its regulatory action policy. A failure to commit to any recommended action could result in a monetary penalty. 

The new approach reflects the ICO’s desire to use its time more efficiently so that it can focus on those who repeatedly get things wrong and take action against those who commit serious breaches. 

The new guidance is contained in “How we deal with complaints and concerns- a guide for data controllers".