Information Commissioner's Office

5. Mr B complains that the ICO failed to undertake a satisfactory investigation of his data handling concerns. This includes

• a failure to make use of the three-part test for Legitimate Interest • a failure to make reference to its online process for lawful processing of data • a failure to make reference to a violation of Article 82 • a failure to seek assurances from the organisation who shared his data.

6. He also complains that despite him raising these issues in the complaint process they did not address them.

7. Mr B tells us that he felt abandoned by the ICO at a vulnerable time and he has lost trust in it. He was distressed by the unsatisfactory approach taken in the ICO’s investigation.

8. Mr B tells us he would like a remedy to address the injustice he experienced and an apology to acknowledge it.

9. Mr B complained to the ICO in March 2024 with concerns about his personal data being shared with the employment agency (the Agency) that he worked with.

10. The ICO responded on in June 2024 saying that it had considered his complaint and decided not to take any further action.

11. Mr B replied on the following day to say that he disagreed with the decision and sought a review of it. Mr B then spoke with the ICO to offer further insight into his complaint in July 2024. In the meantime, the ICO made further enquiries with the organisation that shared the information.

12. In early August 2024 it wrote again to Mr B to say it had reviewed the information provided by the organisation alongside that which Mr B had provided. It concluded that in its view the organisation had applied the DPA appropriately and it would ask the organisation to keep a copy of Mr B’s dispute about the accuracy of the data.

13. In August 2024 Mr B wrote to request a review of this decision and in September 2024 the ICO replied. It said that it was satisfied it had dealt with his complaint appropriately and directed him to our Office.

Did not undertake a satisfactory investigation

14. Mr B complained to the ICO about his personal data being shared by an organisation that he had worked with on placement from the Agency. He said it should not have shared that data with the Agency. He told the ICO that he believed the organisation had not acted in line with certain aspects of the GDPR, particularly Article 6(1)(f) which deals with ‘Legitimate interests’.

15. The ICO explanation for organisations that handle data says:

‘Legitimate interests is most likely to be an appropriate basis where you use data in ways that people would reasonably expect and that have a minimal privacy impact. Where there is an impact on individuals, it may still apply if you can show there is an even more compelling benefit to the processing, and the impact is justified.’

16. If someone wants to complain about the way their personal data has been processed, they can request an assessment under Section 165 of the DPA as to whether it is likely or unlikely the processing has been conducted in compliance with the provisions of the DPA. The ICO make an assessment in such a manner as it considers appropriate and notify the person who made the request of any view formed or action taken as a result. The DPA does not require the ICO to take any other action. The ICO has discretion when deciding how to conduct an assessment. This means that is it for the ICO to decide how it conducts its assessment, so long as the approach it takes is reasonable.

17. The ICO’s service standards say:

‘Our role is not to investigate or adjudicate on every individual complaint. We are not an ombudsman. But we will consider whether there is an opportunity to improve the practice of the organisations we regulate and we will share our decisions with you.

It is up to us to decide whether we should take further action. Even where we decide that further action is not required at the moment, perhaps because the organisation has made a mistake but is working to put things right, we will keep complaints on file. This will help us over time to build a picture of an organisation’s information rights practices.

We may ask organisations to explain to us what they have done in response to issues or complaints raised.’

18. In Mr B’s case we can see in the evidence that the ICO contacted the Organisation and asked it to provide information about how it had handled Mr B’s data and how it had responded to his concerns. It then reviewed the information alongside that which Mr B had provided and reached its decision that the Organisation had ‘applied the DPA appropriately in this matter.’ This is in line with the ICO standards.

19. We acknowledge that Mr B was left disappointed with the ICO’s decision and felt that it had not protected his individual rights. We are sorry to hear that, especially given the events that led him to go to the ICO in the first place.

20. Given we have not seen that the ICO did anything wrong, we will not take any action on this aspect of the complaint.

Did not address the specific concerns

21. Mr B complained that it did not address the ‘three-part test’ which he raised with it. This is part of the Legitimate Interest aspect of GDPR. He set out a range of statements and questions that he wanted answers to in his review request of August 2024.

22. The ICO Service Standards say, ‘Where appropriate, we will give you advice about how we think the law applies to your issue or complaint.’

23. We can see that the ICO did not provide any advice to Mr B though it did request that the organisation act on his Article 16 GDPR request. That Article relates to the right of an individual to have inaccurate personal data rectified. The ICE asked the organisation to maintain a copy of Mr B’s disagreement with its decision to share his information.

24. We can appreciate that Mr B wanted to know how the ICO could have reached the decision it did if it had applied the three part test (and other measures) in its consideration. We know he feels strongly that the organisation acted improperly and is clear about which elements of the DPA should have been considered by the ICO.

25. The Standards say it is up to the ICO to decide if it wants to provide advice and detail to the complainant about the specifics of the DPA. The Standards only say that it must provide Mr B with a decision which it did. As it did this, in line with its Standards, we will not take any further action on this part of the complaint.

26. We acknowledge that Mr B was disappointed with the ICO’s investigation and that he expected more from it. We hope that by showing it has acted in line with its Standards he is able to appreciate that it provided the service that it is legislated to provide.

1. We have carefully considered Mr B’s complaint about the Information Commissioners Office (ICO).

2. We are sorry to hear that he was disappointed with the service he received from the ICO and that he felt it did not live up to its role as the protector of an individual’s data rights.

3. We have considered all the evidence and have found that the ICO has acted in line with its Service Standards in its consideration of Mr B’s complaint about the handling of his data. It also acted in line with those Standards in how it addressed his complaint about the ICO investigation.

4. We will not take any further action on his complaint to us, and we explain below how we reached our decision.