UK Government · Closed After Initial Enquiries

Information Commissioner's Office

P-005041 · Statement · Decision date: 17 March 2026
Complaint handling
Complaint (AI summary)
Mr C complained the ICO failed to properly consider his concerns about multiple organisations, scrutinise their claims, acknowledge GDPR duties, or request further evidence of the impact on him.
Outcome (AI summary)
The complaint was closed. The ICO made an error allocating the complaint, but corrected it. In other areas, it acted in line with its guidance and standards.

Full decision details

The Complaint

5. Mr C complains that the ICO failed to:

• Consider the concerns he raised about multiple organisations in a holistic manner and assign them to a single caseworker

• Scrutinise claims made by those organisations with adequate rigour

• Recognise a ‘confidential reference’ exemption did not override broader GDPR duties

• Acknowledge his supporting documentation showed the impacts on him of unfair data processing and did not request additional evidence despite him offering to provide it

• Act reasonably, fairly, and in accordance with its statutory role as a regulator

6. Mr C tells us that he remains exposed to the ongoing risk of reputational damage, distress, and anxiety. He also tells us that the ICO approach placed an unreasonable and disproportionate burden on him as an individual data subject and he lost confidence in the ICO.

7. Mr C would like an acknowledgement from the ICO that it failed to handle his complaints appropriately. He would also like changes to how the ICO handles cases and a financial remedy to address the impacts on him.

Background

8. In 2024, Mr C brought a complaint to the ICO about several organisations which he said had not handled his data in line with the UK General Data Protection Regulation (GDPR). This is a comprehensive data protection law that came into effect on 1 January 2021.

9. He was dissatisfied with how the ICO had handled his complaint to it as the complaints were distributed across different staff when he was told they would be given to one staff member.

10. After the ICO agreed to have a single Case Officer look at all the complaints, Mr C brought his complaint back to it in March 2025. In April 2025, the ICO wrote to him to provide a view on each of the complaints he brought to it.

11. Mr C was dissatisfied with the handling of his complaints and wrote a letter of complaint to the ICO about that. He was especially concerned that the matters had not been considered in a holistic approach, overlooking the systemic nature of the breaches of his rights under GDPR.

12. The ICO carried out a review of its decision and wrote to Mr C in May 2025 to explain it was satisfied the case had been handled.

13. Mr C brought his complaint to our Office in May 2025.

Findings

Failed to consider the complaints holistically, did not scrutinise the employers’ claims and mishandled the ‘confidential reference’ exemption

16. Mr C told us he brought nine cases to the ICO, each one about a different organisation but all with a common theme relating to the type of data that was processed. He wanted the ICO to look at them in a holistic way believing they showed a systemic pattern of misuse of his data. He explained that this data is very personal, falls under the special category data provision and the impact of the continued processing of it was harmful and upsetting to him. We are sorry to hear that is the case.

17. Special category data is personal data that needs more protection because it is sensitive.

18. When Mr C submitted some of the cases in mid-December 2023, he said he would send others as well. He asked the ICO to look at them all together and the ICO confirmed by email that it would allocate all the cases to a single point of contact. It asked Mr C to contact them when he had submitted the final case he wanted considering.

19. An ICO case officer began to investigate and reach a conclusion on the individual complaint assigned to her. This was not in line with the agreement to wait and not in line with our Principles of Good Administration which say:

20. Public bodies should do what they say they are going to do. If they make a commitment to do something, they should keep to it, or explain why they cannot.

21. This is an indication of maladministration on the part of the ICO. We can see how this would be frustrating for Mr C as the ICO had not kept to its agreement with him. When we identify something went wrong and can see it had an impact on the complainant, we look to see if the organisation has done anything to put this right. Our Principles of Good Administration say:

‘When mistakes happen, public bodies should acknowledge them, apologise, explain what went wrong and put things right quickly and effectively.’

22. We have seen that it acknowledged the error in its letter of May 2024, explained how it came about and assured Mr C that the remaining eight of his nine complaints would be given to a single case officer. While we might expect to see an apology for the error, we do not consider it proportionate to request it provide one now. We take the view that the impact on Mr C has been addressed by the ICO’s action.

23. When Mr C brought this to the attention of the ICO it agreed it would wait for Mr C to provide further details of the individual complaints and in April 2025 it assigned all the complaints to a new case officer. She wrote to Mr C and explained the possible outcomes for a complaint in line with the guidelines set out on the ICO website ‘How we handle data protection complaints.’ She also said: ‘It is for the ICO to decide how an individual's complaints are handled and what action, if any, is necessary. It should be noted that any decisions made by the ICO about an organisation's compliance are used to inform our own regulatory work, rather than being used to enforce an individual's rights or evidence their own opinion.’

24. This is taken from the UK GDPR Article 57(f).

25. The case officer provided Mr C with a decision on each of the complaints.

26. We appreciate that Mr C wanted the ICO to approach his complaints in a specific way and was frustrated that it said it could not do so. We are sorry to hear that.

27. We have seen that the UK GDPR allows the ICO discretion in how it handles an individual’s complaints. The ICO investigated Mr C’s complaint and considered the evidence provided. It then provided a response to him. We cannot therefore say that it acted with maladministration when it decided to respond to each complaint individually rather than holistically as Mr C had asked it to. Its action is also in line with our UK Government Complaint Standards which say organisations should ‘take a thorough, proportionate, and balanced look into the issues raised in a complaint. Give service users fair and open answers to their questions based on the facts.’

28. We will not take any further action on this part of the complaint.

29. Mr C told us that the ICO did not adequately scrutinise the responses provided by the employers about whom he had complained. He told us it just took them at their word that data may have been corrupted in a cyber-attack or was no longer held due to its retention policies. He found this to be disappointing and frustrating which we are sorry to hear.

30. As we have previously referred to, ‘It is for the ICO to decide how an individual's complaints are handled and what action, if any, is necessary.’ The ICO has followed its guidance in this aspect of the complaint, and we will not take any further action.

31. Returning to the confidential reference exemption, Mr C had complained to the ICO that employer references had included special category data that was in breach of his rights and none of the organisations would provide him a copy when he requested it.

32. The case officer said:

‘I do appreciate that your complaints are of a common theme and that you would like the ICO to appreciate the 'patterns of non-compliance around subject access requests and misuse of the confidential reference exemption.' I am afraid I can only advise that the General Data Protection Regulations does provide an exemption for the disclosure of references given in confidence. The exemption applies to organisations both giving and receiving references.’

33. The case officer is referring to the provision in the UK GDPR Article 13 for employers to issue Confidential References.

34. In the investigation report from the end of April 2025, the case officer says:

‘While the ICO can address the matter if tangible evidence exists that sensitive personal data has been shared inappropriately in a reference, regrettably, we are unable to act without the evidence to support the complaint.

I recognise your concerns that the information must have been shared within a reference, and then further shared within organisations, but at this point the evidence does not exist to support this.’

35. Mr C told us that in his view, the exemption should not apply when it appears to be harassing, excessive and discriminatory based on special category data. We can appreciate that Mr C feels the ‘blanket’ application of this exemption by employers has denied him his rights. We can also understand his frustration that he is unable to provide the evidence sought as the employers who have it have either said it is no longer on file or have used the exemption.

36. As the case officer goes on to explain in the report:

‘The ICO is unable to demand that organisations provide the data to you where an exemption has been applied lawfully. However, you do have the right to ask the courts to consider your concerns about the harassment and abuse you have received at work. The clerk to the courts can ask for the references withheld using data protection law to be provided as evidence of the possible root cause of the abuse. Where data is required for court proceedings the exemptions available in data protection law do not apply.’

37. The Complaint Standards say:

If you establish that it may not be possible to achieve an appropriate outcome using your complaints process, tell the person who has complained. Give them information about any other process that may give the outcomes they are seeking.

38. Mr C has told us that he feels the burden of responsibility has been shifted back to him to take legal action. We are sorry to hear that and recognise this can be a lengthy process.

39. As the ICO explained, it cannot provide the outcome he is seeking so it directed him to an alternative route that might do so. This is in line with the Standards, so there are no indications it got anything wrong. Therefore, we will not take any further action on this part of the complaint.

Failed to acknowledge the impacts on him of unfair data processing and did not request additional evidence

40. Our Principles say:

Public bodies should always deal with people fairly and with respect. They should be prepared to listen to their customers

41. In the response to Mr C in April 2025, the ICO acknowledged that it was sorry to ‘read of the repeated inappropriate and suggestive comments’ and said it recognised ‘how distressing this must have been for him and how this has affected his ability to feel supported and valued at his workplace’.

42. We appreciate that the impacts Mr C experienced have had a continued effect on him over a long period of time and that he feels strongly that the ICO needed to understand that. We can see from the evidence that the ICO listened to Mr C’s concerns and acknowledged the impact of some of those concerns.

43. This is in line with our Principles, and we find no indications that anything went wrong. Therefore, we will not take any further action on this part of the complaint.

44. Mr C complains the ICO did not request further information. The ICO guidance on handling complaints says:

What happens if we decide to look into a complaint in more detail?

If … we need to investigate further before providing an outcome, we allocate the complaint to a case officer. They:

• weigh up the facts of what has happened, fairly and impartially;

• ask the complainant and the organisation for further information, if they think they need it; and

• provide an outcome.

45. We can appreciate that Mr C feels strongly that the ICO should have requested more evidence from him and by not doing so it led to him feeling frustrated and distressed. We are sorry to hear that.

46. The evidence shows that the ICO case officer decides what if any additional evidence is required on a case-by-case basis. In this instance, it reached a decision based on the evidence Mr C had provided with the complaint as well as the evidence it received back from the individual organisations. That is in line with its guidance, and we will not take any action on this part of the complaint.

Act reasonably, fairly, and in accordance with its statutory role as a regulator

47. We have shown in the consideration above that the ICO has acted in line with our Principles when allocating all his cases to a single case officer which is not how it normally works. It then considered his complaints in line with its guidance and provided him with an outcome for each. It explained to Mr C that he could take his cases to court under data protection legislation.

48. We understand that it remains distressing and frustrating for Mr C that he did not get the outcomes he sought from his complaint to the ICO and that he feels it needed to do more. We are sorry he continues to feel this way.

49. When considering all the aspects of the complaint Mr C brought to us, we have not seen any evidence that the ICO did not act reasonably, fairly or in line with its role as a regulator. Therefore, we will not take any further action on this aspect of the complaint.

50. We acknowledge that Mr C was disappointed with the ICO’s investigation and that he expected more from it. We hope that by showing it has acted in line with its legislation and guidance, he is reassured about the service provided.

Our Decision

1. We have carefully considered Mr C’s complaint about the Information Commissioner’s Office (ICO).

2. We are sorry to hear that he was frustrated and disappointed with the service he received from the ICO and that he felt it did not meet its responsibilities as the regulator of an individual’s data rights. The matters he brought to it caused him significant distress and we are sorry to hear that is the case.

3. We have considered all the evidence and have found that the ICO made an error when it allocated Mr C’s complaint. This caused him frustration. It corrected this when Mr C brought it to the ICO’s attention, so we find it has done enough to put this right. In the remainder of Mr C’s complaint, we have seen that it acted in line with its guidance and standards.

4. We will therefore not take any further action on his complaint to us, and we explain below how we reached our decision.
