Information Commissioner's Office

4. Mr L complains the ICO did not challenge a Local Authority (LA) about the £730.90 cost it wanted to charge him for a hard copy of his data, following a Data Subject Access Request (DSAR).

5. A DSAR is a way for you to ask an organisation for a copy of the personal information they hold about you. It’s your legal right under data protection laws, helping you see how your information is used and make sure it’s handled properly.

6. Mr L says the charge prevented him from including the requested information in a tribunal appeal and so had to request this be delayed.

7. In bringing the complaint to us, Mr L wants the ICO to hold the LA accountable to ensure it handles similar requests by him or others, differently in the future.

8. In June, Mr L contacted the ICO via email about a request to access to his personal information from a LA, dating back to January 2023. He explained he was unhappy about the administration fee of £730.90 for receiving 3,498 pages of information as a hard copy.

9. In October, the ICO replied and said it had received a copy of the emails sent to him regarding the cost of his information and had reviewed these. It said the LA had offered different ways to access his data, including email at no cost and was satisfied that the LA had explained and broken down the charges.

10. It said as there was no indication the LA had misunderstood the requirements of the legislation that would warrant further involvement by ICO, it would not be taking any further action. It advised Mr L of his rights to pursue the matter through the courts.

11. Mr L was unhappy with the decision and so wrote back to the ICO. He said he believed it had not considered a reasonable adjustment request to not charge him for his data because of his disability.

12. The ICO responded to Mr L the same day. It explained the LA had offered different ways for him to access his information, which included via email free of charge, and a hard copy recognised as a reasonable adjustment, even though it would incur a cost, of which it had explained.

13. Mr L was unhappy with the further response so wrote back to the ICO to ask for a review of the decision.

14. Two weeks later, the ICO reviewed the case and found no issues with how it had been handled. It confirmed that it was satisfied the complaint had been dealt with appropriately.

15. It said it did not intend to pursue this further and again advised Mr L of his rights to progress his complaint through the courts should he wish to pursue this further. It also advised him of our service.

16. Mr L remained unhappy so he escalated his complaint to us.

19. Before we decide if we should conduct a detailed investigation of a complaint, we look at whether there are signs the organisation has got something wrong. We do this by comparing what should have happened with what did happen. We have done this and have found no indications that something has gone wrong.

20. The Data Protection Act, 2018 (the DPA) sets out how the ICO should handle any data protection concerns. Section 165 of the DPA provides some clearer detail on how the ICO should act when it receives a complaint, and its complaint procedure is based on this. Section 165 (4) explains that the ICO should:

a) take appropriate steps to respond to the complaint b) inform the complainant of the outcome of the complaint c) inform the complainant of their rights under section 166 of the DPA d) if asked to do, provide the complainant with information on where to go next.

21. Section 165 (5) goes on to clarify that the ‘appropriate steps’ referred to in (4)(a) include investigating the subject matter to an appropriate extent and informing the complainant of the progress. It is key to note that the ICO has considerable discretion in determining what constitutes ‘appropriate steps’ in this context and is not required to investigate every complaint that it receives.

22. The ICO Service Charter says, ‘The Equality Act does not define what is "reasonable". Guidance from the Equality and Human Rights Commission suggests that the most relevant factors include, how much will it cost and is this proportionate to the adjustment being requested’.

23. The ICO has discretion as to what constitutes an ‘appropriate extent’ in responding to a data concern/complaint. Its role is not to investigate or adjudicate on every aspect of a complaint and it is not obliged to take specific action (such as contacting an organisation), even if the complainant requests this.

24. In most cases, the ICO will start by considering the information the complainant has provided and whether there is an opportunity to improve the data practices of the organisation concerned.

25. Depending on the case, the ICO may decide to take no further action at this point. This can include cases where it considers that nothing has gone wrong or if it considers that the organisation has made a mistake, but its response shows it is working to put things right. If no further action is taken, the ICO will keep the details of the complaint on file to allow it to build up a picture of the organisation’s information rights practices.

26. In some cases, as is the case here, the ICO may decide to contact the organisation to ask it to explain what it has done to respond to the concerns raised or ask it to do more work. Depending on the response received, the ICO will then decide on whether it should take further action to improve the organisation’s information rights practices.

27. It is important to note that the type of action the ICO decides to take is also discretionary. This can include issuing an organisation with advice and instruction to ensure better future practice or specific enforcement action such as fines.

28. The ICO cannot achieve a financial remedy or any other outcome for a complainant. Any action is taken with an intention to improve data practices rather than remedying a complaint for the person affected.

29. Regardless of what decision the ICO reaches, it is required to inform a complainant of the outcome and of their rights to progress certain complaints to a tribunal.

30. Our role is not to consider the charges Mr L may incur as we have no jurisdiction over the LA or any issues relating to the amount it charges for administration fees of correspondence. Instead, our role is to look at the processes the ICO followed to reach its decision and determine whether it acted in line with its guidance and legislation.

31. The ICO acknowledged Mr L’s complaint, contacted the LA for further information, gathered and carefully reviewed evidence from all parties, and reached a decision by balancing the information appropriately. It concluded that the LA and its explanation were reasonable and explained its decision to Mr L, providing the reasons. While we understand that Mr L disagreed with the outcome, the ICO acted appropriately and in line with legislation, as we would have expected.

32. The ICO also responded to Mr L’s additional concerns. It explained that it believed the LA had appropriate measures in place, as it had offered free access to the data via email, as well as a reasonable adjustment by the offer of a hard copy (even though it would incur a cost).

33. The ICO advised that if Mr L continued to disagree with its view, he could seek legal advice and pursue this further by way of the court.

34. When considering complaints about the ICO, we focus on whether it handled the complaint reasonably and followed the law and its procedures.

35. The ICO’s service standards explain that its role is to decide whether regulatory action is required and to assess whether an organisation’s practices indicate wider compliance issues. It is not the ICO’s role to resolve every individual dispute and it may close a complaint if satisfied that an organisation has responded appropriately, even if the individual remains unhappy.

36. Mr L may wish to seek independent legal advice if he wishes to challenge the LA’s decision to charge him for a hard copy of his information. We also cannot recommend that the ICO takes regulatory action in complaints regarding individual data disputes.

37. After reviewing the evidence, we find the ICO’s decision was consistent and in line with the Data Protection Act 2018. As we are satisfied the ICO acted in line with the law and its service standards, we do not consider there is any further action we can take.

38. We understand Mr L feels strongly about the ICO and believes it has treated him unfairly. We hope our consideration reassures him that the ICO acted appropriately and within its guidance. We thank Mr L for bringing his concerns to us.

1. We have carefully considered Mr L’s complaint about the Information Commissioner’s Office (the ICO).

2. We have not seen any indication the ICO acted incorrectly when it decided to take no further action on Mr L’s complaint. We consider the ICO acted in line with its policy and guidance and correctly advised Mr L on how to take his concerns further.

3. We understand these events have been worrying for Mr L, particularly as he feels the issue he raised with the ICO is still ongoing. We would advise Mr L to follow the ICO’s advice and consider pursuing this matter legally if he still has concerns.