Mr I complains that the ICO failed to meet its statutory responsibilities to uphold his daughter’s information rights in relation to information held by a construction company, persistently failed to meet its customer standards; was not open and accountable, and failed to act fairly and impartially.
23. Before we decide if we should conduct a detailed investigation of a complaint, we look at whether there are signs the organisation has got something wrong. We do this by comparing what should have happened with what did happen. We have done this and have not found any indications that something has gone wrong.
24. As part of the ICO’s investigation into Mr I’s complaint, it contacted the construction company in July 2023 to relook at the SAR and ask if it had provided all relevant information.
25. The ICO contacted Mr I in October and explained that the construction company had provided all the relevant information. The ICO informed Mr I that he would need to have evidence of any data he believed the construction company was withholding. Mr I submitted the information in contention to the ICO and it explained that he would need to send this to the construction company to consider.
26. Mr I sent an email to the ICO in November which was a complaint about the service he had received. The ICO said it would respond to the service complaint within 30 days.
27. We have seen call notes from the ICO at the start of December, which were a response to Mr I’s service complaint. The ICO understood Mr I was concerned that it took too long to respond to emails and that it did not fully investigate his complaint or reach an outcome about data compliance. The ICO said that some of its previous email responses fell outside of its service level agreement and apologised for this and would be providing further training to the member of staff.
28. The ICO explained it could not address the issue of the missing data regarding the SAR unless there was evidence of this. The ICO also said it sent an accountability letter to the construction company to search its systems for any missing data held within documents.
29. Mr I sent an additional email to the ICO in the middle of December with further details about the information he believed the construction company held. The ICO passed this on to the construction company at the end of January 2024 and gave it two weeks to respond.
30. Towards the end of February, the ICO sent Mr I an email confirming that the construction company did not hold the data which he believed it had. The ICO explained its enforcement powers did not allow it to interrogate the construction company’s systems, so it could not check the information which Mr I believed it held. It also said Mr I had not provided evidence to show that information had been withheld.
31. Mr I was not happy with this response, so he asked for a review of his case. The ICO wrote to Mr I in the middle of May. It responded to Mr I’s concern about how the organisation was able to decide how consent is obtained and did not find anything had gone wrong. The ICO explained that the construction company had redacted Mr I’s personal information in the SAR and it found this was a suitable measure. The ICO also said that it understood why there was confusion when the construction company provided data which his daughter already had. The ICO stated that the organisation could have been clearer about this and it would feed this back.
32. The ICO addressed Mr I’s complaint that the construction company had not provided all the relevant data in the SAR. It explained it had sent the construction company a SAR which Mr I had sent to the ICO. The ICO said that the construction company did not indicate that the specific information in this SAR was included in a search. The ICO found that it had not fully addressed this matter, and it upheld this part of Mr I’s complaint. To put this right, it said it would write to the construction company and ask it to respond directly using the search criteria Mr I had sent to the ICO.
33. Additionally, the ICO said it could not arbitrate disputes between individuals and data controllers. It said if Mr I remained concerned the construction company was withholding data, and had evidence of this, he could take this matter to court.
34. Mr I had also complained about the service he received from the ICO. The ICO explain it had allocated Mr I’s complaint within 90 days in line with its service level agreement. It also said some of Mr I’s concerns were discussed in a call in December 2023. The ICO apologised and said that it would be providing additional training and guidance for its staff.
35. Shortly after, Mr I sent an email to the ICO to clarify what it meant by asking the construction company to search its records with the specific data in the revised SAR. He also stated he was not wanting the ICO to arbitrate but to ensure that the construction company had lawfully replied to the SAR.
36. In the middle of August, Mr I sent a letter to the ICO, where he explained he had received a response from the construction company, but it had failed to address the information he requested in his SAR. He asked the ICO to take regulatory action to resolve his complaint.
37. In December Mr I sent a complaint to the ICO about the level of service he had received. He also resent the letter from August.
38. In January 2025, the ICO sent a response to Mr I’s letter of August 2024 and the service complaint he lodged in December. The ICO firstly addressed Mr I’s concern with the construction companies’ response to his SAR. The ICO recognised that Mr I could have been given a clearer response but found that it did not hold the information within his SAR. The ICO also said that it had not taken action against the construction company and that it had provided advice and instruction as it had found a failure to comply with data protection law.
39. The response also addressed Mr I’s service complaint. The ICO apologised for the lack of response to his letter of August 2024 and said it had fallen short several times in his case.
40. In February 2025, Mr I sought clarification of what the ICO meant when it said the construction company failed to comply with the law and had given advice. He asked for evidence of this as well.
41. The ICO respond within the same month and stated that it had identified a potential infringement of data protection law. This was because the construction company had more work to do comply with data protection laws as advised in the ICO’s email of June 2024. The ICO apologised if this was unclear and said it was likely to take an advisory approach and not enforcement action and offered to send Mr I a copy of the email.
42. In March 2025, the ICO contacted Mr I and informed him that it was unable to send the email it had sent to the construction company and it had treated it as an internal request for information. This was because some of the information could not be disclosed under section 132 of the Data Protection Act 2018 as it would prejudice its function and could damage its ability to regulate. The ICO said Mr I could request a review of this decision.
Our view
43. The ICO’s responsibilities upon receiving complaints are set out under section 165(4) of the Data Protection Act 2018 (the Act):
(4) If the Commissioner receives a complaint under subsection (2), the Commissioner must — (a) take appropriate steps to respond to the complaint, (b) inform the complainant of the outcome of the complaint, (c) inform the complainant of the rights under section 166, and (d) if asked to do so by the complainant, provide the complainant with further information about how to pursue the complaint.
44. We have found that the ICO had taken appropriate steps to respond to Mr I’s complaint in July 2023 when it asked the construction company to review Mr I’s SAR. It then responded to Mr I’s further enquires in October and considered the construction company had provided all relevant data. The ICO provided further updates to Mr I from January to March 2025. We have seen that this was consistent with section 165(4)(a) of the Act, as the ICO took reasonable and appropriate steps to respond to Mr I’s complaint.
45. In January 2025 the ICO issued its decision and review of Mr I’s SAR request, which we have found to be in line with section 165(4)(b) of the Act. In its review response, the ICO also stated that if Mr I wanted to dispute the accuracy of information held by the construction company, he could consider taking legal action. This is consistent with section 165(4)(d), which requires the ICO to provide further information on how to pursue a complaint.
46. We have taken the ICO’s service standards into account, which explain that the ICO decides whether regulatory action is required. The standards make clear it is not the ICO’s role to resolve every individual dispute, but to consider whether an organisation’s practices indicate wider compliance issues. This means the ICO may close a complaint if it is satisfied an organisation has responded appropriately, even if the individual remains unhappy.
47. In February, the ICO informed Mr I it had identified a potential infringement of data protection law, as outlined above. We have found the ICO’s actions were consistent with our Principles of Good Administration – getting it right. This principle states that public bodies should act in accordance with the law, follow their own policies and procedures, and take proper account of relevant guidance. When investigating Mr I’s complaint, we have seen that the ICO followed the requirements of the Data Protection Act 2018 and its own service standards.
48. We also note that Mr I was unhappy with the way the ICO responded to his complaint in line with its service standards, which we have set out below:
• A commitment to promoting equality, fairness and respect. You will be treated in a professional and courteous manner that promotes understanding, empathy and respect.
• A reliable and responsive service. We will deal with your call or correspondence in line with our service standards.
• We will provide information that is complete, accurate and written clearly and plainly.
• We will be impartial, proportionate, transparent and consistent in our approach to work.
• We will be transparent about our process and decisions.
• We will tell you what we do with your information and enable you to exercise your rights.
49. We can see that overall, the ICO met it service standards, as it provided information to Mr I regarding his complaint and it acted fairly and with respect. The ICO was also transparent about what it could and could not archive for Mr I. However, we note that the ICO could done better in the way it responded to Mr I’s complaint, which we cover below.
50. We have seen that the ICO had apologised to Mr I when it had identified that it could have done better when dealing with his complaint. This was evidenced in a call note with Mr I on December 2023. The ICO apologised for taking longer than it should have to reply to emails and said it would be providing training to staff to mitigate this. The ICO also sent a further apology to Mr I in January 2025 and reiterated its focus on training to ensure that complaints were responded to effectively.
51. We have found the ICO’s actions to be in line with our Principles of Good Administration, putting things right. This principle sets out that we expect organisations to provide a range of remedies when it has got something wrong. In Mr I’s case we have found that apologising and providing additional training to staff was enough to put this right.
52. When we consider complaints about the ICO, our role is limited to examining whether the ICO handled the complaint reasonably and in accordance with the law and its procedures. We have found this to be the case and as the ICO advised, Mr I may wish to seek independent legal advice if he wishes to challenge the accuracy of the data held by the construction company. We also cannot recommend that the ICO takes regulatory action in complaints regarding individual data disputes.
53. As we are satisfied the ICO acted in line with the duties set out in the Data Protection Act 2018 and its service standards, we do not consider there is any further action we can take. We recognise these matters are important to Mr I and that his daughter experienced financial and emotional strain as a result of the situation. We hope the explanation above helps clarify how we reached our decision in this case, and we thank Mr I for bringing his concerns to us.