We would like to place strictly necessary cookies and performance cookies on your computer to improve our website service.
To find out more about how we use cookies and how you can change your cookies settings, please read our  cookies statement.                
Otherwise, we'll assume you are OK to continue.   Please close this message

Data Protection complaints – ICO issues new guidance

Following a public consultation at the end of 2013, the Information Commissioner’s Office (ICO) has published new guidance on complaint handling, in its capacity as the data protection regulator.

The ICO had expressed concern that the number of customers asking it for advice has increased every year. In 2012/2013 it dealt with just over 40,000 written enquiries about data protection and nearly 214,000 phone calls from individuals, however the ICO assessed that only 35% of the complaints dealt with involved a breach of legislation. 

The new guide highlights that data controllers are expected to respond to complaints by individuals in the first instance and must clarify how they have processed the individual’s personal information and explain how they will put right anything that has gone wrong.

Therefore the emphasis is that data controllers should try to resolve more issues themselves before the ICO is involved, however consumers can still refer a case to the ICO if they are not satisfied that their complaint has been dealt with adequately by the data controller. Individuals will be required to produce copies of documents evidencing their concern, together with their relevant correspondence with the data controller.

The data controller will be expected to provide evidence of how they have tried to deal with the concern and this evidence will be used by the ICO to help it to judge the severity of a potential breach and whether it should pursue enforcement action. The ICO has said that it will keep a record of the concerns raised about an organisation for future regulatory purposes.

The new guidance should aid the ICO to reduce its workload but the ICO has stated that it would provide more resources into cases where it believes that a decision will improve
data protection practice.

The outcome of this new guidance is that data controllers will need to be vigilant when receiving a complaint from an individual about the processing of personal data as they will need to be able to provide evidence that they have adequate procedures in place for the handling of complaints, which are then carried out in a satisfactory manner and well documented.

This article was written by Vanessa Barnett.

For more information contact Vanessa on +44 (0)20 7203 5228 or vanessa.barnett@crsblaw.com